Posted to commits@tomee.apache.org by "Frans (JIRA)" <ji...@apache.org> on 2018/11/26 23:26:00 UTC

[jira] [Updated] (TOMEE-2294) Can't disable unauthenticated JMX on 1099

     [ https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Frans updated TOMEE-2294:
-------------------------
    Description: 
ActiveMQ comes bundled with a JMX host that is on by default, unauthenticated, on port 1099.
{code:java}
<Resource id="JmsResourceAdapter" type="ActiveMQResourceAdapter">
  BrokerXmlConfig = broker:(vm://broker)?useJmx=false
  ServerUrl = vm://broker
</Resource>
{code}
TomEE's resource configuration doesn't allow this to be disabled. The above doesn't work.

This can be disabled by inspecting an activemq jar's manifest, pulling down the same version of activemq-all, and putting that in the tomee/lib directory, at which point this works:
{code:java}
<Resource id="JmsResourceAdapter" type="ActiveMQResourceAdapter">
  BrokerXmlConfig = xbean:file:activemq.xml
  ServerUrl = vm://broker
</Resource>
{code}
{code:java}
  <broker xmlns="http://activemq.apache.org/schema/core"
          useJmx="false"
          brokerName="broker"
          useShutdownHook="false"
          persistent="true"
          start="true"
          schedulerSupport="false"
          enableStatistics="false"
          offlineDurableSubscriberTimeout="259200000"
          offlineDurableSubscriberTaskSchedule="3600000">
{code}
However, convincing the guy hosting the server to inspect JAR manifests, pull down specific jars, and maintain a second configuration file seems like a lot of effort to go to just to have the ability to disable unauthenticated access to every MBean in the VM.

  was:
ActiveMQ comes bundled with a JMX host that is default on authenticated on port 1099.
{code:java}
<Resource id="JmsResourceAdapter" type="ActiveMQResourceAdapter">
  BrokerXmlConfig = broker:(vm://broker)?useJmx=false
  ServerUrl = vm://broker
</Resource>{code}
Tomee's resource configuration doesn't allow this to be disabled. The above doesn't work.

This can be disabled by inspecting an activemq jar's manifest, pulling down the same version of activemq-all, and putting that in the tomee/lib directory, at which point this works:
{code:java}
<Resource id="JmsResourceAdapter" type="ActiveMQResourceAdapter">
  BrokerXmlConfig = xbean:file:activemq.xml
  ServerUrl = vm://broker
</Resource>
{code}
{code:java}
  <broker xmlns="http://activemq.apache.org/schema/core"
          useJmx="false"
          brokerName="broker"
          useShutdownHook="false"
          persistent="true"
          start="true"
          schedulerSupport="false"
          enableStatistics="false"
          offlineDurableSubscriberTimeout="259200000"
          offlineDurableSubscriberTaskSchedule="3600000">
{code}
However, convincing the guy hosting the server to inspect JAR manifests, pull down specific jars, and maintain a second configuration file seems like a lot of effort to go to just to have the ability to disable unauthenticated access to every MBean in the VM


> Can't disable unauthenticated JMX on 1099
> -----------------------------------------
>
>                 Key: TOMEE-2294
>                 URL: https://issues.apache.org/jira/browse/TOMEE-2294
>             Project: TomEE
>          Issue Type: Bug
>          Components: TomEE Core Server
>            Reporter: Frans
>            Priority: Major
>             Fix For: 8.0.0-Final
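
A way to confirm from the TomEE host that `useJmx="false"` actually took effect (an added example, not part of the original JIRA message or of TomEE): it sends the standard JRMI stream-protocol handshake to port 1099 and reports whether an RMI endpoint answers. The function names and the sample reply are constructed for this example; an `rmi` result shows only that an RMI listener is present, not whether it requires authentication.

```python
import socket

# JRMI handshake: magic "JRMI", version 2, protocol byte 0x4b (StreamProtocol).
JRMI_HELLO = b"JRMI" + b"\x00\x02" + b"\x4b"
PROTOCOL_ACK = 0x4E  # first byte of the reply from an endpoint that speaks RMI

# Constructed sample reply: ack byte, 2-byte length, host string, 4-byte port.
SAMPLE_ACK = b"\x4e\x00\x09127.0.0.1\x00\x00\xc3\x50"


def classify_reply(reply: bytes) -> str:
    """Classify the first bytes a listener sent back after JRMI_HELLO."""
    if not reply:
        return "open-silent"      # accepted the connection but said nothing
    if reply[0] == PROTOCOL_ACK:
        return "rmi"              # RMI registry/connector is still listening
    return "open-not-rmi"         # some other service owns the port


def probe_rmi(host: str = "127.0.0.1", port: int = 1099,
              timeout: float = 3.0) -> str:
    """Return 'closed', 'rmi', 'open-not-rmi' or 'open-silent' for host:port."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"           # refused, filtered or unreachable
    with sock:
        try:
            sock.sendall(JRMI_HELLO)
            reply = sock.recv(64)
        except OSError:           # timeout or reset after the connect succeeded
            reply = b""
    return classify_reply(reply)


if __name__ == "__main__":
    # Run on the TomEE host after restarting with the changed configuration.
    state = probe_rmi()
    print(f"127.0.0.1:1099 -> {state}")
    if state == "rmi":
        print("An RMI endpoint is still listening; JMX may not be disabled.")
```
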


