You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@tomee.apache.org by "Frans (Jira)" <ji...@apache.org> on 2020/06/16 00:34:00 UTC
[jira] [Commented] (TOMEE-2294) Can't disable unauthenticated JMX
on 1099
[ https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17136214#comment-17136214 ]
Frans commented on TOMEE-2294:
------------------------------
[~jgallimore] I've had a go with tomee-8. Historically I've been using the apache-catalina-remote-X.jar jmx connectors which have been merged in to catalina.jar, and changed so that very specific settings need to be set on jmx.a and jmx.p before JMX will work. I've managed to get this working locally, but it didn't help with the 1099 issue.
[~rzo1] switching back to tomee 7.1.2 (and now 7.1.3), I found that if I took the project and stripped it back to the absolute bare minimum of function, 1099 did not appear.
However, as noted in the initial bug report, if I inspect the jar, find the version of ActiveMQ being used, pull down activemq-all and use the different settings, 1099 also does not appear, and the jmx settings configured in JAVA_OPTS, only the secured port specified in JAVA_OPTS works.
I'm now trying to get the pared back example and add in sections of the code. When something causes 1099 to trigger, I'll pare that part back until it disappears again. Hopefully I'll be able to report back what thing is causing 1099 to show up in the pared-back ActiveMQ jar.
> Can't disable unauthenticated JMX on 1099
> -----------------------------------------
>
> Key: TOMEE-2294
> URL: https://issues.apache.org/jira/browse/TOMEE-2294
> Project: TomEE
> Issue Type: Bug
> Components: TomEE Core Server
> Reporter: Frans
> Priority: Major
> Fix For: 8.0.3
>
>
> ActiveMQ comes bundled with a JMX host that is default on unauthenticated on port 1099.
> {code:java}
> <Resource id="JmsResourceAdapter" type="ActiveMQResourceAdapter">
> BrokerXmlConfig = broker:(vm://broker)?useJmx=false
> ServerUrl = vm://broker
> </Resource>{code}
> Tomee's resource configuration doesn't allow this to be disabled. The above doesn't work.
> This can be disabled by inspecting an activemq jar's manifest, pulling down the same version of activemq-all, and putting that in the tomee/lib directory, at which point this works:
> {code:java}
> <Resource id="JmsResourceAdapter" type="ActiveMQResourceAdapter">
> BrokerXmlConfig = xbean:file:activemq.xml
> ServerUrl = vm://broker
> </Resource>
> {code}
> {code:java}
> <broker xmlns="http://activemq.apache.org/schema/core"
> useJmx="false"
> brokerName="broker"
> useShutdownHook="false"
> persistent="true"
> start="true"
> schedulerSupport="false"
> enableStatistics="false"
> offlineDurableSubscriberTimeout="259200000"
> offlineDurableSubscriberTaskSchedule="3600000">
> {code}
> However, convincing the guy hosting the server to inspect JAR manifests, pull down specific jars, and maintain a second configuration file seems like a lot of effort to go to just to have the ability to disable unauthenticated access to every MBean in the VM
--
This message was sent by Atlassian Jira
(v8.3.4#803005)