Jolokia is a JMX-HTTP bridge giving an alternative to JSR-160 connectors. It is an agent-based approach with support for many platforms. In addition to basic JMX operations it enhances JMX remoting with unique features like bulk requests and fine-grained security policies.
Yes, finally we moved Jolokia from my (rhuss) personal account to a dedicated GitHub organisation: https://github.com/jolokia. I'm super happy that the story of Jolokia continues, and you will see quite some new faces very soon. Thanks to Tadayoshi, Grzegorz, Aurélien and all the other fine folks from Red Hat who started to revive Jolokia. Also, Jolokia 2.0 becomes a realistic option again. Stay tuned!
It has been a quiet time for Jolokia over the last 15 months. Still, two minor releases with bug fixes have been pushed out:
Jolokia 1.7.1:
Jolokia 1.7.2:
Jolokia took a big nap during the last two years. That's especially true for me, and I apologize to all of the excellent contributors who still keep Jolokia alive. The reason for the silence is really that my work interests have completely shifted. Jolokia is now older than ten years, and I think it has aged quite well. But it gets harder and harder for me to justify working on Jolokia (and yes, I promised a 2.0 for ages; all the work is more or less done, but it would be irresponsible to move it out without being able to support it ;-( So, before we come to the fantastic new features: if you are a Jolokia fan and willing to keep it alive, reach out to me. To be honest, if no one else steps up to take over the helm, Jolokia will very likely be sunset at the end of this year. It just doesn't feel good to constantly apologize for being so slow.
That said, now to the amazing features that have been contributed over the last two years:
Great news: Jolokia now has an actual JSR-160 connector that allows you to connect jconsole and other JSR-160-aware tooling directly to Jolokia. You can also use the connector to connect into a Kubernetes cluster directly. Watch these videos for a short introduction:
All kudos go to Martin Skarsaune for this great new feature!
Thanks to the great work of Grzegorz Grzybek, Jolokia now also works on Java 11 and supports the full range from Java 6 up to Java 11. All harmful reflection code has been replaced.
There are many other little gems added by great people; please check out the release notes and/or the changelog.
This summer, version 1.6.2 comes with support for multiple CAs when running the Jolokia agent in SSL mode. This is especially useful together with newer versions of OpenShift.
1.6.1 is coming quite late, although many of its features have been available for quite some time. Apologies for that; it was a busy time for me (but not so much for Jolokia).
This release contains one relevant security check which hardens the CORS handling a bit further. Additionally, some minor goodies have been added; please check the changelog for details.
So, what's next? Jolokia is currently not close to the top of my priority list, and it won't be for a while, but I will work on security fixes promptly when reported. However, the most important update to Java 9 as well as the release of Jolokia 2.0 with JMX notification support are currently put on ice.
That said, it's currently a perfect moment to jump in and boost Jolokia development. We've got the jolokia donated, so one of the next larger moves would be to move this personal pet project to a more solid foundation. If you are interested in helping to shape Jolokia 2.0, which is then ready for Java 9 and supports monitoring platforms like Prometheus, then let's talk.
In any case, enjoy the summer. Happy hacking ;-)
As reported by security consultant Mat Mannion, there is a massive set of Jolokia agents reachable unsecured from the Internet. While it's obviously not recommended to run Jolokia unsecured, let alone expose it publicly, authentication is now enabled by default in jolokia.war. So in order to continue using the WAR agent, you have to set up your servlet container's authentication so that the enabled users carry the role "jolokia" (e.g. by adding it to tomcat-users.xml).
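As an added example that is not part of the Jolokia project, here is the matching fragment for Tomcat's default realm, tomcat-users.xml: it declares the "jolokia" role the WAR agent's web.xml now requires and one user holding it. The user name and the password are constructed placeholders.

```xml
<!-- Constructed example (not from the Jolokia project): grant the role that
     jolokia.war requires to one monitoring user. Replace the placeholder
     password before use and restrict the file's permissions, since it holds
     the credential in clear text. -->
<tomcat-users>
  <role rolename="jolokia"/>
  <user username="monitor" password="CHANGE_ME_PLACEHOLDER" roles="jolokia"/>
</tomcat-users>
```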
For quick experiments, or when you somehow insist on avoiding authentication, you can use the newly added jolokia-unsecured.war. Of course, you are still free to modify the web.xml within either WAR agent.
That said, I still recommend the JAR agent over the WAR agent for most cases, as it has much more flexible security options, including HTTPS encryption with client certificate authentication. See the reference manual for all security options.
Two security issues for Jolokia have recently been discovered by Olga Barinova of Gotham Digital Science:
Jolokia 1.5.0 now fixes these issues in the following way:
As a first measure, the JMX proxy mode is disabled by default for the WAR agent. You can switch it on if you need it, as usual, by adding the relevant configuration to web.xml. But you can now also enable the proxy mode without touching jolokia.war: by setting a Java system property or an environment variable, the proxy mode can be switched on again, too. These parameters can easily be added to the startup script of your servlet container.
Also, you can now configure a whitelist with allowed patterns for the JMX service URL used as the target URL of the proxy. These patterns are stored in a plain text file, one per line. Pattern matching is performed case-insensitively. This file can then be referenced by a system property, an environment variable or directly in the web.xml of the WAR file.
For the configuration options of the Jolokia proxy please refer to the Proxy Mode section of the reference manual.
Finally, we always recommend using a dedicated server when using the JMX proxy mode, e.g. a Jetty or Tomcat servlet container. These servers should be protected by requiring some authentication. The authentication setup is specific to the Java EE server, but you have to edit the Jolokia WAR agent to enable authentication, as described in the Security Setup chapter of the reference manual.
For closing the XSS vulnerability, nothing extra needs to be configured. Jolokia now verifies that only text/plain and application/json are allowed as the value of the query parameter mimeType, and falls back to text/plain if something different is provided.
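The two 1.5.0 checks just described, as an added example in Python that is not Jolokia's own (Java) code: a constructed allowlist file is read one pattern per line and matched case-insensitively against the proxy target URL, and the mimeType parameter is reduced to the two permitted values with text/plain as the fallback. Reading the allowlist lines as regular expressions, and skipping comments and blank lines, are assumptions of this example; the sample URLs are constructed.

```python
"""Added illustration, not Jolokia's own code: the two server-side checks that
1.5.0 introduces for the JSR-160 proxy, a case-insensitive allowlist of
patterns for the proxy target URL and an allowlist for the mimeType query
parameter with a text/plain fallback."""
import re
from typing import List, Optional

# Constructed sample of the plain-text allowlist file described above,
# one pattern per line. Reading the lines as regular expressions and
# skipping blank lines and '#' comments are assumptions of this example.
SAMPLE_ALLOWLIST = r"""
# RMI connectors of the application hosts only
service:jmx:rmi:///jndi/rmi://localhost:\d+/jmxrmi
service:jmx:rmi:///jndi/rmi://app-[0-9]+\.internal\.example:9999/jmxrmi
"""


def load_patterns(text: str) -> List[re.Pattern]:
    """Compile one pattern per non-empty, non-comment line."""
    patterns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Matching is case-insensitive, as stated for the 1.5.0 allowlist.
        patterns.append(re.compile(line, re.IGNORECASE))
    return patterns


def target_allowed(target_url: str, patterns: List[re.Pattern]) -> bool:
    """True if the proxy target matches an allowlisted pattern in full.

    fullmatch() rather than search(): a permitted prefix must not become
    acceptable by appending a different host, port or JNDI path.
    """
    return any(p.fullmatch(target_url) for p in patterns)


ALLOWED_MIME_TYPES = ("text/plain", "application/json")


def effective_mime_type(requested: Optional[str]) -> str:
    """Normalise the mimeType query parameter.

    Only the two permitted values are honoured (compared case-insensitively,
    as media types are); anything else, including an absent parameter,
    falls back to text/plain, which is what closes the XSS issue above.
    """
    if requested is None:
        return "text/plain"
    candidate = requested.strip().lower()
    return candidate if candidate in ALLOWED_MIME_TYPES else "text/plain"
```

With the sample file, `target_allowed("service:jmx:rmi:///jndi/rmi://localhost:9999/jmxrmi", pats)` is accepted regardless of letter case, while a URL pointing at an address outside the list, or one with extra path components appended, is rejected; `effective_mime_type("text/html")` yields `text/plain`.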
It is highly recommended to upgrade to Jolokia 1.5.0 if you are relying on the JMX JSR-160 proxy feature and to revisit your security setup around the proxy server.
Big kudos go out to GDS (and especially to Olga Barinova and Martin Hopkins) for openly reporting these issues to me in deep detail and being very cooperative in helping to fix them. Also to R3, for whom GDS was working when these issues were discovered, who encouraged GDS to report them. Highly appreciated!
Jolokia 1.4.0 is the first release in 2018 (happy new year to everyone, btw ;-) and brings some small new features and fixes (you'll find the full list in the changelog):
Even if the minor bug fixes or feature changes might not make you consider an upgrade, the last point is important. Jolokia versions 1.3.4 to 1.3.7 included a class ChunkedWriter which in turn included some parts of the Java-internal class StreamEncoder, which is released under the GPL. As you might know, Jolokia is released under the APL, which is not compatible with the GPL. The affected class has been removed, so everything is clean again (to the best of my knowledge).
Sorry for any inconvenience. If you have any questions about this version or its implications, please create an issue at the GitHub project.
As a small sign of life, here is 1.3.7 with some very minor fixes for the Java client and the JVM agent.
Not much more to tell for now. Enjoy summer ;-) !
Wow, already April and half a year after the last release. Yes, it has been calm around Jolokia lately. It's not because it lost its relevance, it's just because things are as they are. As much as I would love to progress faster, other exciting projects are eating up my time massively. Luckily Jolokia 1.x is really stable these days and used in a lot of products as their major monitoring interface. And as much as I would love to finally kick off 2.0, there does not seem to be too much demand for it yet ;-(. Which is also a good thing, as it proves that Jolokia 1.x is still absolutely sufficient for day-to-day needs. Jolokia even stays more relevant, as Java EE Management (JSR-373) will never come. Of course, as time goes by, alternative monitoring interfaces for Java (like Prometheus) gain in importance. But as long as JMX has some meaning for monitoring in the Java world, Jolokia is here to stay.
So, what's new in 1.3.6?
Although Jolokia 2 is not here yet, it's not dead. Branch 2.0 is fully rebased on the 1.3 line, and the 2.0.0 milestone releases are still recommended if support for notifications is required. It's quite stable, just not yet released. For Jolokia 1.x I don't expect any revolutionary changes in 2017, so you can probably expect a 1.3.7 release in autumn, collecting all the bug fixes along the way.
Here comes a minor update with some smaller goodies:
It has taken a bit, but just now, before the summer break, 1.3.4 is here with some nice new features:
In parallel, 2.0 is taking shape. The current version 2.0.0-M3 is available and already used with success in some production setups. In addition to new features like notification support and new extension hooks, it is fully backwards compatible with 1.x, except that some default values will be changed. However, an upgrade will be trivial. If you are curious, I'm going to present the new 2.0 features at JavaZone in September.
That's it for now, enjoy your summer break ;-)
Beside bug fixes as described in the changelog, this minor release brings some small features:
We are getting closer. I'm happy to announce that the first milestone release 2.0.0-M1 is out and available from Maven Central. Of course, it is highly experimental. The main new features are JMX notification support (pull and SSE mode) and refactorings leading to an internal modularization (which you will see when looking into the WAR agent).
I would be more than happy if you would try out the JAR and WAR agents, which are supposed to be drop-in replacements for Jolokia 1.3.2.
More information can be found on my blog. Soon there will also be a demo and screencast showing the new features.
Jolokia 1.3.2 is still the latest stable version and will receive minor updates in the future, too.
It was quite calm around Jolokia this summer and not much happened in Jolokia-land. Not many bugs arrived either, which I take as a good sign :)
Now let's start the next round with revamped TLS support for HTTPS connections. Version 1.3.2 introduces a handful of new options for advanced configuration of the JVM agent's TLS connector:
In addition to the keystore (option keystore), the CA and server certificates as well as the server certificate's key can be provided as PEM files with the options caCert, serverCert and serverKey, respectively.
Client cert validation has also been enhanced. In addition to validating the CA signature of a client cert, one can now also check that the extended key usage extension of the cert was created for client usage (option extendedClientCheck). Also, one or more principals can be configured with clientPrincipal, which are compared against the subject within a client certificate.
For simple use cases where no server validation is required, Jolokia is now able to create self-signed server certificates on the fly. This happens if neither a keystore nor a server PEM cert is provided. So the easiest way to enable HTTPS is simply to add protocol=https. Of course, the client then needs to disable cert validation, and it is recommended to use basic authentication to authenticate the connection.
The changes affect the JVM agent only and are explained in the reference manual.
That's mostly it for now, but see the changelog for some other minor additions. Progress on Jolokia 2.0 continues slowly; I won't tell much here until I have an M1 release. No promises either :)
This minor release introduces one single new feature: a delegating authentication provider for the JVM agent. It can be switched on with configuration options and allows delegating the authentication decision to an external service, so that easy SSO, e.g. via OAuth2, is possible.
For example, if you are an OpenShift user and want to participate in OpenShift's OAuth2 SSO, then you can specify the following startup parameters, assuming that your OpenShift API server is running at openshift:8443:
java -javaagent:jolokia.jar=\
     authMode=delegate,\
     authUrl=https://openshift:8443/osapi/v1beta3/users/~,\
     authPrincipalSpec=json:metadata/name,\
     authIgnoreCerts=true\
     ...
More about this can be found in the reference manual. Note that the parameter authenticationClass has been renamed to authClass for consistency's sake. Please raise an issue if this doesn't work for you.
After quite some winter sleep Jolokia is back with a fresh release. This is mostly a bug fix release with some new features:
There is one important change in the default behaviour of the WAR agent: up to 1.2.3, Jolokia truncated any collection in the response value at a threshold of 1000 elements by default. This limit can be overridden permanently in the configuration or per request with the query parameter maxCollectionSize. However, it turned out that this limit was not large enough, so the new default behaviour is to have no limit at all. As said, if you need it, you can always set a hard limit in the agent's configuration.
But the biggest news is probably something completely different: I'm super happy to announce that I (roland) joined Red Hat in May, where I will be able to continue working on Jolokia with even higher intensity. Before looking into the future, acknowledgements go to my former employer ConSol. Without the support donated by ConSol, Jolokia would probably never have grown from the original personal pet project to the full-featured, production-ready JMX remote access solution it is today. Thank you!
What are the next steps? Jolokia 2.0 (code name: "Duke Nukem Forever") is not so far away; all changes from 1.x have already been merged up to the 2.0 branch. A release candidate should be available soon, however I can't give any estimates yet. But what I can say: Jolokia is alive and kicking more than ever!
Meh, that was a busy summer. Apologies for the delay and breaking the usual one-release-per-month cycle.
Nevertheless there are some nice goodies in this release:
If you want to get a quick introduction to Jolokia and a sneak preview of Jolokia 2.0, come to my "Tools in Action" session at Devoxx 2014 in Antwerp.
Last announcement for now: I started a blog at https://ro14nd.de about various technical topics like Jolokia, Docker or other stuff.
Let's welcome Jolokia's next minor release, which is not so minor as it might seem.
The biggest new feature with the most impact is path wildcard support. You probably know pattern read requests, which allow fetching multiple attributes by using patterns for MBean names and attribute names (not to be confused with bulk requests). When using pattern read requests, the value in the returned JSON structure is not a single return value for an attribute but a more complex structure containing the full MBean names and attributes matched by the pattern. Of course, it is not easy to use a path to navigate this structure: the path would have to know the full MBean name (well, why use a pattern then?). That's the main reason why path access was not supported for pattern read requests up to release 1.2.1.
Starting with 1.2.2 it is possible to use "*" wildcards in paths, which match a complete 'level' in the JSON object. This makes it easy to fetch all same-named attributes on arbitrary MBeans and extract only parts of their values. In fact, it is not so easy to explain wildcard paths, but here is a try (another try can be found in the reference manual):
You see, wildcard path handling is somewhat complex. For pattern read requests it makes quite some sense; for all other requests, I couldn't find good use cases yet. Please open an issue if any suspicious behaviour occurs when using path wildcards.
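A stand-alone sketch of the wildcard rule, as an added example in Python that is not Jolokia's own code: each "*" segment expands to every key of the current level and keeps those keys in the result, while the remaining path is applied underneath; any other segment selects exactly one key or list index. The constructed sample value mimics a pattern read on java.lang:type=MemoryPool,* with the attributes Usage and Type. Dropping entries where the rest of the path does not resolve, instead of failing the whole request, is this example's choice, and escaping of a literal "/" inside a segment is not handled.

```python
"""Added illustration, not Jolokia's own code: applying a path with '*'
wildcards to the value returned by a pattern read request. A '*' segment
matches one complete level of the JSON structure and keeps that level's
keys in the result; any other segment selects exactly one key (or list index)."""
from typing import Any, List

# Constructed value of a pattern read request for the MBean pattern
# "java.lang:type=MemoryPool,*" with the attributes Usage and Type.
SAMPLE_VALUE = {
    "java.lang:name=Metaspace,type=MemoryPool": {
        "Usage": {"committed": 1000, "init": 0, "max": -1, "used": 920},
        "Type": "NON_HEAP",
    },
    "java.lang:name=G1 Eden Space,type=MemoryPool": {
        "Usage": {"committed": 4096, "init": 512, "max": -1, "used": 1500},
        "Type": "HEAP",
    },
}


class PathError(KeyError):
    """A non-wildcard segment did not resolve at the current level."""


def _select(value: Any, segment: str) -> Any:
    """Descend one level by key (objects) or by index (arrays)."""
    if isinstance(value, dict) and segment in value:
        return value[segment]
    if isinstance(value, list):
        try:
            return value[int(segment)]
        except (ValueError, IndexError):
            pass
    raise PathError(segment)


def extract(value: Any, segments: List[str]) -> Any:
    if not segments:
        return value
    head, rest = segments[0], segments[1:]
    if head != "*":
        return extract(_select(value, head), rest)
    # Wildcard: apply the remaining path to every entry of this level.
    # Entries where the rest of the path does not resolve are dropped rather
    # than failing the whole request (this example's choice).
    if isinstance(value, dict):
        out = {}
        for key, sub in value.items():
            try:
                out[key] = extract(sub, rest)
            except PathError:
                continue
        return out
    if isinstance(value, list):
        collected = []
        for sub in value:
            try:
                collected.append(extract(sub, rest))
            except PathError:
                continue
        return collected
    raise PathError("*")


def apply_path(value: Any, path: str) -> Any:
    """Split a Jolokia-style path on '/' and apply it to a response value.
    Escaping of a literal '/' inside a segment is not handled here."""
    return extract(value, [s for s in path.split("/") if s])
```

On the sample value, `apply_path(SAMPLE_VALUE, "*/Usage/used")` returns the `used` figure per MBean name, and `apply_path(SAMPLE_VALUE, "*/*/used")` keeps both levels (MBean name, then attribute name) but silently omits the string-valued `Type` attribute, because `used` cannot be resolved beneath it.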
Finally, I would also like to mention a new GitHub project, jolokia-extra, which holds additional goodies. One design goal of Jolokia is to keep it focused. That's not so easy, as there are tons of ideas out there, all backed by a particular use case, and they all want to get into the game. Besides the fact that someone has to implement them (hint: still looking for contributions ;-), I opened a new playground for all that stuff which might not be of general interest but is still a pearl. That's what jolokia-extra is for.
The beginning is made by a 1.5-year-old pull request from Marcin Płonka (thanks a lot, and sorry for the long, long delay, BTW). It's all about simplifying access to JSR-77-enabled Java EE servers. You should know that JSR 77: J2EE Management was a cool attempt to standardize naming and JMX-exposed metrics for Java EE. Unfortunately it was abandoned, but it still lives on in quite a bunch of Java EE servers; not in its full beauty, but still valuable enough to be supported. Astonishingly, WebSphere, even the latest 8.5 versions, has the best support for it. Using JSR-77-conformant MBeans with plain Jolokia returns unnecessarily complex JSON structures which are hard to parse and understand. jolokia-extra adds a set of simplifiers to make working with JSR-77 simpler (but adds an extra 50k to the agent). I recommend having a look at it, especially if you are working with WebSphere.
In the future, it might be the case that some lesser-used additions (Spring and Spring Roo integration, JBoss Forge support, ...) will go into jolokia-extra as well.
Enough blubber, enjoy this release. And just in case anybody is wondering about 2.0 (BTW, is there anyone out there caring about this next-generation JMX-transcended super-hero?), just drop a note via Twitter (@jolokia_jmx) or mail ([email protected]).
This minor release fixes some bugs and brings some smaller features:
And finally there is an important addition to the configuration of Jolokia's access policy. You might know that you can configure CORS so the agent allows access only from certain origins. CORS is used by browsers for cross-origin sharing and is a pure client-side check, i.e. the browser asks the server, and if the server says "no", the browser forbids any Ajax request to this server from any script. However, this still allows non-Ajax requests from any origin. To restrict this, too, a new configuration directive <strict-checking> has been added to the <cors> section which, if given, also performs a server-side check of the Origin: header when it is provided by the browser. If a security policy is used, it is highly recommended to set this flag (which, for compatibility reasons, is switched off by default). And yes, it is of course highly recommended to use a jolokia-access.xml policy in production (and not only for servers exposed directly to the bad internet). This is especially important if you can access Jolokia agents directly via a browser which is also used for internet access (hint: CSRF).
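What the strict-checking flag changes, as an added example in Python that is not Jolokia's own code: a constructed jolokia-access.xml fragment with two allow-origin entries and strict-checking is parsed, and the same requests are evaluated with and without the flag. Without it the policy only decides whether an Access-Control-Allow-Origin header goes out and the browser enforces the result; with it the agent itself refuses a request whose Origin: header is not allowed, while requests that carry no Origin: header are not affected. Treating "*" in an allow-origin entry as a shell-style wildcard is an assumption of this example.

```python
"""Added illustration, not Jolokia's own code: the effect of <strict-checking>
inside the <cors> section of jolokia-access.xml. The client-side half is the
Access-Control-Allow-Origin response header; the server-side half, enabled by
strict-checking, is an outright refusal of disallowed origins."""
import fnmatch
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed policy fragment in the layout of jolokia-access.xml.
SAMPLE_POLICY = """<?xml version="1.0" encoding="utf-8"?>
<restrict>
  <cors>
    <allow-origin>https://ops.example.com</allow-origin>
    <allow-origin>https://*.monitoring.example.com</allow-origin>
    <strict-checking/>
  </cors>
</restrict>
"""


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


class CorsPolicy:
    def __init__(self, xml_text: str) -> None:
        cors = ET.fromstring(xml_text).find("cors")
        self.allowed: List[str] = []
        self.strict = False
        if cors is not None:
            self.allowed = [(e.text or "").strip() for e in cors.findall("allow-origin")]
            self.strict = cors.find("strict-checking") is not None

    def origin_allowed(self, origin: str) -> bool:
        # '*' in an allow-origin entry is treated as a shell-style wildcard here;
        # the exact wildcard rules of Jolokia's policy file are an assumption.
        return any(fnmatch.fnmatchcase(origin, pattern) for pattern in self.allowed)

    def allow_origin_header(self, origin: Optional[str]) -> Optional[str]:
        """Value for Access-Control-Allow-Origin, or None to send no such header.

        This is the client-side half: the browser, not the agent, acts on it,
        and only for scripted (Ajax) access.
        """
        if origin is not None and self.origin_allowed(origin):
            return origin
        return None

    def accept_request(self, headers: Dict[str, str]) -> bool:
        """Server-side decision for an incoming request.

        Only strict checking lets the agent refuse: without it a cross-origin
        form post or image request is still executed even though the browser
        will not let the page read the answer. A request without an Origin:
        header (e.g. from a script or the command line) is outside the check.
        """
        origin = _header(headers, "Origin")
        if origin is None or not self.strict:
            return True
        return self.origin_allowed(origin)
```

A request from `https://evil.example.net` gets no Access-Control-Allow-Origin header under either variant of the policy; only the strict variant also rejects the request itself, which is the server-side protection the paragraph above recommends.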
No news about 2.0? Yes, indeed. The giant is still sleeping; "Jolokia forever", you know. But the pressure rises: for some conferences I have some CFPs out which hopefully will lead to some nice CDD sessions ("conference driven development", yeah).
New year, new release. Ok, it's not the BIG 2.0 which I already somewhat promised. Anyway, another big feature jumped on the 1.x train at the last minute. It is now possible to find agents in your network by sending a UDP packet to the multicast group 239.192.48.84, port 24884. Agents with this discovery mechanism enabled will respond with their metadata, including the access URL. This is especially useful for clients which want to provide access to agents without much configuration, i.e. the excellent hawt.io will probably use it one way or the other. In fact, it was hawt.io which put me on track for this nice little feature ;-)
Discovery is enabled by default for the JVM agent, but not for the WAR agent. It can easily be enabled for the WAR agent by using servlet init parameters, system properties or environment variables. All the nifty details can be found in the reference manual.
The protocol for the discovery mechanism is also specified in the reference manual. One of the first clients supporting this discovery mode is Jmx4Perl in its newest version. The Jolokia Java client will follow in one of the next minor releases.
But you don't need client support for multicast requests if you already know the URL of one agent. Each agent registers an MBean jolokia:type=Discovery which performs the multicast discovery request for you if you trigger the operation lookupAgents. The returned value contains the agent information and is described here.
This feature has been tested in various environments, but since low level networking can be, well, "painful", I would ask you to open an issue in case of any problems.
Although it has been quiet for some time with respect to the shiny new Jolokia 2.0, I'm quite close to a first milestone. All planned features have been implemented in an initial version; what's missing is to finish the heavy refactoring and modularisation of the Jolokia core. More on this later, please stay tuned ...
This is by far the smallest release ever: a single char has been added on top of 1.1.4, fixing a silly bug when using Glassfish with the AMX system. So, no need to update if you are not using Glassfish.
Next week is Devoxx time and, as last year (and the years before), you have the chance to meet me in Antwerp. Ping me or look for the guy with the Jolokia hoodie ;-)
Some bug fixes and two new features have been included in the autumn release:
A new configuration parameter "authenticatorClass" can be used with the JVM agent to specify an alternative authentication handler in addition to the default one (which simply checks user and password).
With the configuration parameter "logHandlerClass", an alternative log handler can be specified. This can be used for the WAR and JVM agents in order to tweak Jolokia's logging behaviour. For the OSGi agent, you could already use a LogService for customizing logging.
That's it, and I hope you enjoy this release. I know I'm late with 2.0, but as things happen, I have too much to do in 'real life' (i.e. feeding my family ;-). But I still hope to get it out this year, and yes, the 2.0 branch is growing (slowly).
BTW, the slides for my talk at the small but very fine JayDay 2013 are online, too. They are "implemented" in JavaScript, including live demos where the JavaScript can be inserted directly in the browser (tested with Chrome & Firefox). For the sample code, simply push the blue buttons at the bottom of a demo slide.
No big news in Jolokia land, but some bug fixes come with 1.1.3. Especially some issues with the JavaScript client's basic authentication and cross-origin requests have been fixed. Otherwise I'm busy with 2.0 (and tons of other stuff ...). You can have a sneak preview of Jolokia 2.0 on this branch, including basic notification support and quite some refactoring with respect to the service architecture.
So please stay tuned ....
In order to ease the wait for 2.0, Jolokia version 1.1.2 has been released. It contains some minor bug fixes, as explained in the changelog. Depending on the bug reports and pull requests dropping in, there might even be a 1.1.3 release before 2.0 is finished.
In the meantime, you can also see Jolokia live at JayDay, where I will give a talk about Jolokia's JavaScript support. The forthcoming JMX notification support will be presented, too. It is also a good chance to have a cold Bavarian beer with me ;-)
This last feature release before work on 2.0.0 starts brings some small goodies.
Links to the corresponding GitHub issues and the bugs fixed in this release can be found in the change report.
This is the last feature release in the 1.x series. Work has already started on exciting new features for Jolokia 2.0. E.g. JMX notification support is coming; an initial pull model has already been implemented (on branch notification). There are even more ideas, and some refactorings will happen along with some modest changes in the module structure. So, please stay tuned ...
It took some time, but it was worth it. Along with the usual bug fix parade, several new features have been added to Jolokia.
A new module jolokia-spring has been added which makes the integration of Jolokia in Spring applications even easier. Simply add the following lines (along with the corresponding namespace) to your application context, and the agent will be fired up during startup:
<jolokia:agent>
  <jolokia:config autoStart="true" host="0.0.0.0" port="8778" .... />
</jolokia:agent>
More details can be found here in the reference manual.
The new jolokia-jmx module provides its own MBeanServer which never gets exposed via JSR-160 remoting. By registering your MBeans at the Jolokia MBeanServer you can make them exclusively available for Jolokia without worrying about JSR-160 access, e.g. via jconsole. However, if you annotate your MBeans with @JsonMBean and register them at the Jolokia MBeanServer, you get automatic translation of complex data types to JSON even for JSR-160 connections:
The details can be found here.
Several new processing options enter the scene. These can be given either as global configuration parameters or as query parameters:
That's it for now, all changes are summarized as always in the change report.
Some other, more organizational stuff for now:
And finally a very hot recommendation: please have a look at hawt.io, a super cool HTML5 console which uses Jolokia exclusively for backend communication. Most of the new ideas included in this Jolokia release were inspired by discussions with James Strachan, one of the driving forces behind hawt.io. Thanks for that ;-)
Although it has been quite calm in Jolokia land for some months, there is quite some momentum around Jolokia. This minor release brings some cosmetic changes, mostly for tuning the ordering within MBean names, and some JavaScript fixes. More on this in the changelog.
Some other tidbits:
Jolokia 1.0.5 has been released. Besides minor improvements and bug fixes, one great new feature has been introduced: as already mentioned, Jolokia now has support for Cubism, a fine time-series charting library based on d3.js. Cubism supports an innovative chart type, the horizon chart:
A very cool live demo, where a Jolokia JavaScript client fetches live data from our servers and plots it with Cubism, can be found on this demo page. The documentation can be found in the reference manual.
Jolokia also uses a GitHub workflow build in addition to our own CI server. (Did I mention already that we have quite a high Sonar score?)
That's it for now. The next months of my open-source work will be spent on Ají, Jolokia's new fancy sister. Sorry for pushing things like notifications down the Jolokia backlog, but it's not forgotten.