Secure

Security

Security in Jolokia is provided on two levels: The transport channel (HTTP) is secured the standard way as it is defined in the JEE specifications. The agent itself can be configured to use a very fine grained policy which can restrict access on the MBean level for various parameters.

In especially, the policy can restrict access to:

  • certain client host IPs or subnets
  • certain Jolokia operations (read, exec, list, search)
  • specific MBean attributes (read and write) and operations

The security definitions support a wildcard notation and allow/deny sections similar to the security setup of an Apache HTTP-Server.

Example

The following example shows a sample policy file:

<restrict>

  <remote>
    <host>127.0.0.1</host>
    <host>localhost</host>
    <host>10.0.0.0/16</host>
  </remote>
  
  <cors>
    <allow-origin>http://www.jmx4perl.org</allow-origin>
    <allow-origin>*.jolokia.org</allow-origin>
  </cors>

  <commands>
    <command>read</command>
    <command>write</command>
  </commands>

  <allow>

    <mbean>
      <name>java.lang:type=Memory</name>
      <attribute mode="read">Verbose</attribute>
      <operation>gc</operation>
    </mbean>

    <mbean>
      <name>jolokia:type=Config</name>
      <operation>*</operation>
    </mbean>
    <mbean>
      <name>java.lang:type=Threading</name>
      <operation>findDeadlockedThreads</operation>
    </mbean>
  </allow>

  <deny>
    <mbean>
      <name>com.mchange.v2.c3p0:type=PooledDataSource,*</name>
      <attribute>properties</attribute>
    </mbean>
  </deny>
</restrict>

This sample policy contains a ist of remote hosts which are allowed to access this agent. The name can be given as IP or FQDN. A subnetmask can be given, too, for specifying a subnet for the access. The netmask can be given either in CIDR format (e.g "/16") or as a full netmask (e.g. "/255.255.0.0").

The list of allowed commands, which are given in <commands> section determine which Jolokia operations are allowed in general. For each command type present, the principle behaviour is allow this command for all MBeans. To remove an MBean (attribute/operation), a <deny> section has to be added. For each command type missing, the command is disabled by default. For certain MBeans it can be selectively be enabled by using an <allow> section below. Within the allow and deny sections, MBean names and attribute/operation names can be specified with a pattern using wildcards (?,*)

Next