[
https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17136214#comment-17136214
]
Frans commented on TOMEE-2294:
------------------------------
[~jgallimore] I've had a go with tomee-8. Historically I've been using the
apache-catalina-remote-X.jar jmx connectors which have been merged in to
catalina.jar, and changed so that very specific settings need to be set on
jmx.a and jmx.p before JMX will work. I've managed to get this working locally,
but it didn't help with the 1099 issue.
[~rzo1] switching back to tomee 7.1.2 (and now 7.1.3), I found that if I took
the project and stripped it back to the absolute bare minimum of function, 1099
did not appear.
However, as noted in the initial bug report, if I inspect the jar, find the
version of ActiveMQ being used, pull down activemq-all and use the different
settings, 1099 also does not appear, and the jmx settings configured in
JAVA_OPTS, only the secured port specified in JAVA_OPTS works.
I'm now trying to get the pared back example and add in sections of the code.
When something causes 1099 to trigger, I'll pare that part back until it
disappears again. Hopefully I'll be able to report back what thing is causing
1099 to show up in the pared-back ActiveMQ jar.
> Can't disable unauthenticated JMX on 1099
> -----------------------------------------
>
> Key: TOMEE-2294
> URL: https://issues.apache.org/jira/browse/TOMEE-2294
> Project: TomEE
> Issue Type: Bug
> Components: TomEE Core Server
> Reporter: Frans
> Priority: Major
> Fix For: 8.0.3
>
>
> ActiveMQ comes bundled with a JMX host that is default on unauthenticated on
> port 1099.
> {code:java}
> <Resource id="JmsResourceAdapter" type="ActiveMQResourceAdapter">
> BrokerXmlConfig = broker:(vm://broker)?useJmx=false
> ServerUrl = vm://broker
> </Resource>{code}
> Tomee's resource configuration doesn't allow this to be disabled. The above
> doesn't work.
> This can be disabled by inspecting an activemq jar's manifest, pulling down
> the same version of activemq-all, and putting that in the tomee/lib
> directory, at which point this works:
> {code:java}
> <Resource id="JmsResourceAdapter" type="ActiveMQResourceAdapter">
> BrokerXmlConfig = xbean:file:activemq.xml
> ServerUrl = vm://broker
> </Resource>
> {code}
> {code:java}
> <broker xmlns="http://activemq.apache.org/schema/core";
> useJmx="false"
> brokerName="broker"
> useShutdownHook="false"
> persistent="true"
> start="true"
> schedulerSupport="false"
> enableStatistics="false"
> offlineDurableSubscriberTimeout="259200000"
> offlineDurableSubscriberTaskSchedule="3600000">
> {code}
> However, convincing the guy hosting the server to inspect JAR manifests, pull
> down specific jars, and maintain a second configuration file seems like a lot
> of effort to go to just to have the ability to disable unauthenticated access
> to every MBean in the VM
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
