[jira] [Commented] (TOMEE-2294) Can't disable unauthenticated JMX on 1099

Mon, 15 Jun 2020 22:22:17 -0700 


    [ 
https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17136316#comment-17136316
 ] 

Frans commented on TOMEE-2294:
------------------------------

So, I would recommend changing lines 66-74 to
{code:java}
    static {
        String option = Boolean.FALSE.toString();
        try {
            option = 
System.getProperty("org.apache.activemq.broker.jmx.createConnector", "false");
        } catch (Exception ex) {
        }        DEFAULT_CREATE_CONNECTOR = Boolean.valueOf(option);
    } {code}
and for now, I'll add that system property and set it to false.

And maybe add a call right at the start to setCreateConnector with the value 
from ?useJmx=

I'm seeing 0 references to that method in my workspace.

Cheers,

Frans

> Can't disable unauthenticated JMX on 1099
> -----------------------------------------
>
>                 Key: TOMEE-2294
>                 URL: https://issues.apache.org/jira/browse/TOMEE-2294
>             Project: TomEE
>          Issue Type: Bug
>          Components: TomEE Core Server
>            Reporter: Frans
>            Priority: Major
>             Fix For: 8.0.3
>
>
> ActiveMQ comes bundled with a JMX host that is default on unauthenticated on 
> port 1099.
> {code:java}
> <Resource id="JmsResourceAdapter" type="ActiveMQResourceAdapter">
>   BrokerXmlConfig = broker:(vm://broker)?useJmx=false
>   ServerUrl = vm://broker
> </Resource>{code}
> Tomee's resource configuration doesn't allow this to be disabled. The above 
> doesn't work.
> This can be disabled by inspecting an activemq jar's manifest, pulling down 
> the same version of activemq-all, and putting that in the tomee/lib 
> directory, at which point this works:
> {code:java}
> <Resource id="JmsResourceAdapter" type="ActiveMQResourceAdapter">
>   BrokerXmlConfig = xbean:file:activemq.xml
>   ServerUrl = vm://broker
> </Resource>
> {code}
> {code:java}
>   <broker xmlns="http://activemq.apache.org/schema/core";
>           useJmx="false"
>           brokerName="broker"
>           useShutdownHook="false"
>           persistent="true"
>           start="true"
>           schedulerSupport="false"
>           enableStatistics="false"
>           offlineDurableSubscriberTimeout="259200000"
>           offlineDurableSubscriberTaskSchedule="3600000">
> {code}
> However, convincing the guy hosting the server to inspect JAR manifests, pull 
> down specific jars, and maintain a second configuration file seems like a lot 
> of effort to go to just to have the ability to disable unauthenticated access 
> to every MBean in the VM



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to