JMX Proxy

Security Security in Jolokia is provided at two levels: The transport channel (HTTP) is secured the standard way as it is defined in the Jakarta EE specifications. The agent itself can be configured to use a very fine grained policy which can restrict access on the MBean level for various parameters.

In especially, the policy can restrict access to:

  • certain client host IPs (v4 or v6) or subnets

  • certain Jolokia operations (read, write, exec, list, search, notification)

  • specific MBean attributes (read and write) and operations

The security definitions support a wildcard notation and allow/deny sections similar to the security setup of an Apache HTTP-Server.

Example

The following example shows a sample policy file:

<restrict>

  <remote>
    <host>127.0.0.1</host>
    <host>localhost</host>
    <host>10.0.0.0/16</host>
    <host>2001:db8::/32</host>
    <host>[::ffff:7f00:1]</host>
  </remote>

  <cors>
    <allow-origin>https://www.jmx4perl.org</allow-origin>
    <allow-origin>*.jolokia.org</allow-origin>
  </cors>

  <commands>
    <command>read</command>
    <command>write</command>
  </commands>

  <allow>
    <mbean>
      <name>java.lang:type=Memory</name>
      <attribute mode="read">Verbose</attribute>
      <operation>gc</operation>
    </mbean>

    <mbean>
      <name>jolokia:type=Config</name>
      <operation>*</operation>
    </mbean>
    <mbean>
      <name>java.lang:type=Threading</name>
      <operation>findDeadlockedThreads</operation>
    </mbean>
  </allow>

  <deny>
    <mbean>
      <name>com.mchange.v2.c3p0:type=PooledDataSource,*</name>
      <attribute>properties</attribute>
    </mbean>
    <mbean>
      <name>jdk.management.jfr:type=FlightRecorder</name>
      <attribute>*</attribute>
      <operation>*</operation>
    </mbean>
  </deny>

</restrict>

This sample policy contains a list of remote hosts which are allowed to access this agent. The name can be given as IP or FQDN. A subnetmask can be given, too, for specifying a subnet for the access. The netmask can be given either in CIDR format (e.g "/16") or (for IPv4 only) has a full netmask (e.g. "/255.255.0.0").

The address to check is obtained from:

  • in WAR agent: jakarta.servlet.ServletRequest.getRemoteHost() or jakarta.servlet.ServletRequest.getRemoteAddr() depending on allowDnsReverseLookup configuration option

    • In Tomcat, the remote address value comes from java.net.Socket.getInetAddress() call

  • in JVM agent: com.sun.net.httpserver.HttpExchange.getRemoteAddress()

The list of allowed commands, which are given in <commands> section determine which Jolokia operations are allowed in general. For each command type present, the principle behaviour is allow this command for all MBeans. To remove an MBean (attribute/operation), a <deny> section has to be added. For each command type missing, the command is disabled by default. For certain MBeans it can be selectively be enabled by using an <allow> section below. Within the allow and deny sections, MBean names and attribute/operation names can be specified with a pattern using wildcards (?,*)

Next