[ https://issues.apache.org/jira/browse/DERBY-5637?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13224502#comment-13224502 ]

Knut Anders Hatlen commented on DERBY-5637:
-------------------------------------------

> We should document (...) how to disable/restrict access to them in 
> security-conscious environments.

I'm aware of the following ways to disable the MBeans:

1) Use the stopManagement() method of ManagementMBean. This method unregisters 
all of Derby's MBeans except ManagementMBean itself, so it doesn't turn it off 
completely.

2) Run the network server with a custom security policy which doesn't grant 
derby.jar the permissions needed to register MBeans. For example by modifying 
the network server's basic policy 
(http://db.apache.org/derby/docs/dev/adminguide/tadminnetservbasic.html) by 
commenting out this section:

// Allows access to Derby's built-in MBeans, within the domain
// org.apache.derby.
// Derby must be allowed to register and unregister these MBeans.
// It is possible to allow access only to specific MBeans, attributes or 
// operations. To fine tune this permission, see the javadoc of 
// javax.management.MBeanPermission or the JMX Instrumentation and Agent 
// Specification. 
//
  permission javax.management.MBeanPermission 
      "org.apache.derby.*#[org.apache.derby:*]",
      "registerMBean,unregisterMBean";

If the permission to register MBeans isn't granted to derby.jar, 
JMXManagementService.jmxRegister() will silently ignore any requests to 
register MBeans, as can be seen from this catch block in said method:

        } catch (SecurityException se) {
            // If we can't register the MBean then so be it.
            // The application can later enabled the MBeans
            // by using org.apache.derby.mbeans.Management
        }
                
> Document Derby's JMX capabilities and how to disable them
> ---------------------------------------------------------
>
>                 Key: DERBY-5637
>                 URL: https://issues.apache.org/jira/browse/DERBY-5637
>             Project: Derby
>          Issue Type: Improvement
>          Components: Documentation, JMX
>    Affects Versions: 10.9.0.0
>            Reporter: Rick Hillegas
>            Assignee: Kim Haase
>
> Derby's JMX beans are useful, although limited. We should document their 
> capabilities as well as how to disable/restrict access to them in 
> security-conscious environments.
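
A check for which Derby MBeans are registered in a JVM, before and after calling stopManagement() as in option 1 of the comment above. This is an added example, not part of the original message or of Derby's code. Assumptions: the class name DerbyMBeanAudit and the optional JDBC URL argument are hypothetical, and the program runs in the same JVM as the Derby engine with derby.jar on the classpath.

```java
import java.lang.management.ManagementFactory;
import java.sql.DriverManager;
import java.util.Set;
import java.util.TreeSet;
import javax.management.MBeanServer;
import javax.management.ObjectName;

// Hypothetical audit helper (the name is an assumption, not a Derby class).
public class DerbyMBeanAudit {
    // Interface of the management bean that exposes stopManagement().
    static final String MGMT_IFACE = "org.apache.derby.mbeans.ManagementMBean";

    /** All MBeans currently registered in the org.apache.derby JMX domain. */
    static Set<ObjectName> derbyMBeans(MBeanServer server) throws Exception {
        return new TreeSet<>(server.queryNames(new ObjectName("org.apache.derby:*"), null));
    }

    /** Invokes stopManagement() on every registered ManagementMBean; returns the count. */
    static int stopManagement(MBeanServer server) throws Exception {
        int invoked = 0;
        for (ObjectName name : derbyMBeans(server)) {
            if (server.isInstanceOf(name, MGMT_IFACE)) {
                server.invoke(name, "stopManagement", new Object[0], new String[0]);
                invoked++;
            }
        }
        return invoked;
    }

    static void report(String label, Set<ObjectName> names) {
        System.out.println(label + ": " + names.size() + " Derby MBean(s)");
        for (ObjectName n : names) System.out.println("  " + n);
    }

    public static void main(String[] args) throws Exception {
        // Optional argument: a JDBC URL, so that the Derby engine boots in this JVM.
        if (args.length > 0) DriverManager.getConnection(args[0]).close();
        MBeanServer server = ManagementFactory.getPlatformMBeanServer();
        report("Before stopManagement()", derbyMBeans(server));
        int invoked = stopManagement(server);
        System.out.println("ManagementMBean instances found: " + invoked);
        report("After stopManagement()", derbyMBeans(server));
    }
}
```

An empty list at both points is what option 2 (no registerMBean permission granted to derby.jar) should produce, since the registration requests are then silently ignored.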
