Posted to commits@tomee.apache.org by "Frans (Jira)" <ji...@apache.org> on 2020/05/05 01:51:00 UTC
[jira] [Commented] (TOMEE-2294) Can't disable unauthenticated JMX on 1099
[ https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17099482#comment-17099482 ]
Frans commented on TOMEE-2294:
------------------------------
[~rzo1] I've just tried updating to TomEE 8.0.1, and the issue persists.
In openejb.xml:
{code:java}
<Resource id="JmsResourceAdapter" type="ActiveMQResourceAdapter">
BrokerXmlConfig = broker:(vm://broker)?useJmx=false
ServerUrl = vm://broker
</Resource>{code}
Then, in the tomcat.log on startup:
{code:java}
200 05-May-2020 11:49:12.913 INFO [JMX connector] org.apache.activemq.broker.jmx.ManagementContext$1.run JMX consoles can connect to service:jmx:rmi:///jndi/rmi://localhost:1099/jmxrmi{code}
I checked this in JConsole, and it is still there, an unauthenticated open JMX port.
> Can't disable unauthenticated JMX on 1099
> -----------------------------------------
>
> Key: TOMEE-2294
> URL: https://issues.apache.org/jira/browse/TOMEE-2294
> Project: TomEE
> Issue Type: Bug
> Components: TomEE Core Server
> Reporter: Frans
> Priority: Major
> Fix For: 8.0.2
>
>
> ActiveMQ comes bundled with a JMX host that is on by default, unauthenticated, on port 1099.
> {code:java}
> <Resource id="JmsResourceAdapter" type="ActiveMQResourceAdapter">
> BrokerXmlConfig = broker:(vm://broker)?useJmx=false
> ServerUrl = vm://broker
> </Resource>{code}
> TomEE's resource configuration doesn't allow this to be disabled. The above doesn't work.
> This can be disabled by inspecting an activemq jar's manifest, pulling down the same version of activemq-all, and putting that in the tomee/lib directory, at which point this works:
> {code:java}
> <Resource id="JmsResourceAdapter" type="ActiveMQResourceAdapter">
> BrokerXmlConfig = xbean:file:activemq.xml
> ServerUrl = vm://broker
> </Resource>
> {code}
> {code:java}
> <broker xmlns="http://activemq.apache.org/schema/core"
> useJmx="false"
> brokerName="broker"
> useShutdownHook="false"
> persistent="true"
> start="true"
> schedulerSupport="false"
> enableStatistics="false"
> offlineDurableSubscriberTimeout="259200000"
> offlineDurableSubscriberTaskSchedule="3600000">
> {code}
> However, convincing the guy hosting the server to inspect JAR manifests, pull down specific jars, and maintain a second configuration file seems like a lot of effort to go to just to have the ability to disable unauthenticated access to every MBean in the VM.
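An audit for the mismatch reported above, added here as an example (it is not code from the ticket or from the TomEE project): it reads the BrokerXmlConfig of each ActiveMQResourceAdapter in openejb.xml and flags any JMX connector start line in tomcat.log that appears although useJmx=false was configured. The function names and status labels are assumptions; the sample inputs are adapted from the comment.

```python
import re

# Start-up line of ActiveMQ's JMX connector, as in the tomcat.log excerpt above.
JMX_LOG = re.compile(
    r"ManagementContext\S*\s+JMX consoles can connect to "
    r"(service:jmx:rmi:///jndi/rmi://(?P<host>[^:/\s]+):(?P<port>\d+)/\S+)"
)
RESOURCE = re.compile(
    r'<Resource\b[^>]*type="ActiveMQResourceAdapter"[^>]*>(?P<body>.*?)</Resource>',
    re.S,
)
# Sample inputs adapted from the openejb.xml fragment and log line in the comment.
OPENEJB_XML = """<Resource id="JmsResourceAdapter" type="ActiveMQResourceAdapter">
  BrokerXmlConfig = broker:(vm://broker)?useJmx=false
  ServerUrl = vm://broker
</Resource>"""
LOG = (
    "05-May-2020 11:49:12.913 INFO [JMX connector] "
    "org.apache.activemq.broker.jmx.ManagementContext$1.run JMX consoles can "
    "connect to service:jmx:rmi:///jndi/rmi://localhost:1099/jmxrmi\n"
)

def broker_configs(openejb_xml):
    """Return the BrokerXmlConfig value of every ActiveMQResourceAdapter."""
    values = []
    for resource in RESOURCE.finditer(openejb_xml):
        for line in resource.group("body").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "BrokerXmlConfig":
                values.append(value.strip())
    return values

def jmx_endpoints(log_text):
    """Return (host, port, url) for each JMX connector start found in the log."""
    return [(m["host"], int(m["port"]), m.group(1)) for m in JMX_LOG.finditer(log_text)]

def audit(openejb_xml, log_text):
    """Report connectors; IGNORED_SETTING means useJmx=false was configured."""
    cfgs = broker_configs(openejb_xml)
    asked_off = any("useJmx=false" in cfg for cfg in cfgs)
    status = "IGNORED_SETTING" if asked_off else "JMX_ENABLED"
    return [
        {"status": status, "host": h, "port": p, "url": u}
        for h, p, u in jmx_endpoints(log_text)
    ]

if __name__ == "__main__":
    print(audit(OPENEJB_XML, LOG))
```

An empty result only means the log shows no connector start; confirm separately that nothing is listening on the port.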