[jira] [Commented] (TOMEE-2294) Can't disable unauthenticated JMX on 1099

Thu, 07 May 2020 03:14:03 -0700 


    [ 
https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17101507#comment-17101507
 ] 

Jonathan Gallimore commented on TOMEE-2294:
-------------------------------------------

All this being said, its completely reasonable that you'd want to turn on JMX 
for ActiveMQ, but not open the port. You may wish to configure the JMX port 
using JVM arguments, and you may just wish to connect locally (directly to the 
process, and not via a port).

We should allow JMX to be enabled, and not open the port.

> Can't disable unauthenticated JMX on 1099
> -----------------------------------------
>
>                 Key: TOMEE-2294
>                 URL: https://issues.apache.org/jira/browse/TOMEE-2294
>             Project: TomEE
>          Issue Type: Bug
>          Components: TomEE Core Server
>            Reporter: Frans
>            Priority: Major
>             Fix For: 8.0.3
>
>
> ActiveMQ comes bundled with a JMX host that is default on unauthenticated on 
> port 1099.
> {code:java}
> <Resource id="JmsResourceAdapter" type="ActiveMQResourceAdapter">
>   BrokerXmlConfig = broker:(vm://broker)?useJmx=false
>   ServerUrl = vm://broker
> </Resource>{code}
> Tomee's resource configuration doesn't allow this to be disabled. The above 
> doesn't work.
> This can be disabled by inspecting an activemq jar's manifest, pulling down 
> the same version of activemq-all, and putting that in the tomee/lib 
> directory, at which point this works:
> {code:java}
> <Resource id="JmsResourceAdapter" type="ActiveMQResourceAdapter">
>   BrokerXmlConfig = xbean:file:activemq.xml
>   ServerUrl = vm://broker
> </Resource>
> {code}
> {code:java}
>   <broker xmlns="http://activemq.apache.org/schema/core";
>           useJmx="false"
>           brokerName="broker"
>           useShutdownHook="false"
>           persistent="true"
>           start="true"
>           schedulerSupport="false"
>           enableStatistics="false"
>           offlineDurableSubscriberTimeout="259200000"
>           offlineDurableSubscriberTaskSchedule="3600000">
> {code}
> However, convincing the guy hosting the server to inspect JAR manifests, pull 
> down specific jars, and maintain a second configuration file seems like a lot 
> of effort to go to just to have the ability to disable unauthenticated access 
> to every MBean in the VM



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to