Posted to commits@tomee.apache.org by "Frans (Jira)" <ji...@apache.org> on 2020/05/08 06:47:00 UTC

[jira] [Comment Edited] (TOMEE-2294) Can't disable unauthenticated JMX on 1099

    [ https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17102312#comment-17102312 ] 

Frans edited comment on TOMEE-2294 at 5/8/20, 6:46 AM:
-------------------------------------------------------

[~jgallimore] I want to:
 # Disable ActiveMQ's unsecured JMX
 # Enable a JMX port with authentication
 # Poll that with credentials, to monitor my application

I'm using openejb.xml rather than tomee.xml as it was part of the tutorial I followed to get TomEE working initially. If you think switching the name of the config file over will help, I'll give it a shot.

As noted above, changing the version of ActiveMQ to activemq-all and using the broker configuration it uses.

Having broker:(vm://broker)?useJmx=false or broker:(vm://broker) both result in the open port.

The line used to run TomEE is:
{code:java}
@rem this is the TomEE dir
set CATALINA_HOME=XX
set CLASSPATH=%JAVA_HOME%\lib\tools.jar
set CLASSPATH=%CLASSPATH%;%CATALINA_HOME%\bin\bootstrap.jar
set CLASSPATH=%CLASSPATH%;%CATALINA_HOME%\bin\tomcat-juli.jar
set MAINCLASS=org.apache.catalina.startup.Bootstrap
set JAVA_OPTS=-Duser.country=XX
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Duser.language=XX
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Duser.timezone=XX
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-XX:-OmitStackTraceInFastThrow
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-XX:+HeapDumpOnOutOfMemoryError
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-XX:MaxMetaspaceSize=XX
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-XX:+PrintGCDetails
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-XX:+PrintGCDateStamps
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-XX:+UseGCLogFileRotation
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-XX:NumberOfGCLogFiles=XX
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-XX:GCLogFileSize=XX
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Xloggc:XX
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Dcatalina.base="%CATALINA_BASE%"
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Dcatalina.home="%CATALINA_HOME%"
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Djava.endorsed.dirs="%JAVA_ENDORSED_DIRS%"
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Djava.io.tmpdir="%CATALINA_TMPDIR%"
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Dfile.encoding=XX
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Djava.net.preferIPv4Stack=XX
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Djavax.xml.stream.XMLInputFactory=com.sun.xml.internal.stream.XMLInputFactoryImpl
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Djavax.xml.stream.XMLOutputFactory=com.sun.xml.internal.stream.XMLOutputFactoryImpl
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Djavax.xml.parsers.DocumentBuilderFactory=com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Djavax.xml.parsers.SAXParserFactory=com.sun.org.apache.xerces.internal.jaxp.SAXParserFactoryImpl
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Xbootclasspath/p:XX
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Djdk.tls.client.protocols=%TLS_CLIENT_PROTOCOLS%
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Djava.util.logging.config.file=XX
set CMDLINE=%JAVA_VM% %MEM_ARGS% %JAVA_OPTS% %* -classpath "%CLASSPATH%" %MAINCLASS% start
"%JAVA_HOME%\bin\java" %CMDLINE%{code}
When I can get rid of the 1099 port, I'll need to add in the JMX parameters again, or configure them elsewhere.

server.xml contains
{code:java}
   <Listener
    className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener" 
    rmiRegistryPortPlatform="XX"
    rmiServerPortPlatform="XX" />{code}
Both of these ports are configured, and neither of them is 1099.


was (Author: henskens):
[~jgallimore] I want to:
 # Disable ActiveMQ's unsecured JMX
 # Enable a JMX port with authentication
 # Poll that with credentials, to monitor my application

I'm using openejb.xml rather than tomee.xml as it was part of the tutorial I followed to get TomEE working initially. If you think switching the name of the config file over will help, I'll give it a shot.

As noted above, changing the version of ActiveMQ to activemq-all and using the broker configuration it uses.

Having broker:(vm://broker)?useJmx=false or broker:(vm://broker) both result in the open port.

The line used to run TomEE is:
{code:java}
@rem this is the TomEE dir
set CATALINA_HOME=XX
set CLASSPATH=%JAVA_HOME%\lib\tools.jar
set CLASSPATH=%CLASSPATH%;%CATALINA_HOME%\bin\bootstrap.jar
set CLASSPATH=%CLASSPATH%;%CATALINA_HOME%\bin\tomcat-juli.jar
set MAINCLASS=org.apache.catalina.startup.Bootstrap
set JAVA_OPTS=-Duser.country=XX
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Duser.language=XX
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Duser.timezone=XX
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-XX:-OmitStackTraceInFastThrow
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-XX:+HeapDumpOnOutOfMemoryError
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-XX:MaxMetaspaceSize=XX
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-XX:+PrintGCDetails
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-XX:+PrintGCDateStamps
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-XX:+UseGCLogFileRotation
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-XX:NumberOfGCLogFiles=XX
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-XX:GCLogFileSize=XX
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Xloggc:XX
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Dcatalina.base="%CATALINA_BASE%"
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Dcatalina.home="%CATALINA_HOME%"
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Djava.endorsed.dirs="%JAVA_ENDORSED_DIRS%"
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Djava.io.tmpdir="%CATALINA_TMPDIR%"
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Dfile.encoding=XX
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Djava.net.preferIPv4Stack=XX
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Djavax.xml.stream.XMLInputFactory=com.sun.xml.internal.stream.XMLInputFactoryImpl
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Djavax.xml.stream.XMLOutputFactory=com.sun.xml.internal.stream.XMLOutputFactoryImpl
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Djavax.xml.parsers.DocumentBuilderFactory=com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Djavax.xml.parsers.SAXParserFactory=com.sun.org.apache.xerces.internal.jaxp.SAXParserFactoryImpl
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Xbootclasspath/p:XX
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Djdk.tls.client.protocols=%TLS_CLIENT_PROTOCOLS%
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Djava.util.logging.config.file=XX
set CMDLINE=%JAVA_VM% %MEM_ARGS% %JAVA_OPTS% %* -classpath "%CLASSPATH%" %MAINCLASS% start
"%JAVA_HOME%\bin\java" %CMDLINE%{code}
When I can get rid of the 1099 port, I'll need to add in the JMX parameters again, or configure them elsewhere.

server.xml contains
{code:java}
   <Listener
    className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener" 
    rmiRegistryPortPlatform="XX"
    rmiServerPortPlatform="XX" />{code}
Both of these ports are configured, and none of them are 1099

> Can't disable unauthenticated JMX on 1099
> -----------------------------------------
>
>                 Key: TOMEE-2294
>                 URL: https://issues.apache.org/jira/browse/TOMEE-2294
>             Project: TomEE
>          Issue Type: Bug
>          Components: TomEE Core Server
>            Reporter: Frans
>            Priority: Major
>             Fix For: 8.0.3
>
>
> ActiveMQ comes bundled with a JMX host that is on by default, unauthenticated, on port 1099.
> {code:java}
> <Resource id="JmsResourceAdapter" type="ActiveMQResourceAdapter">
>   BrokerXmlConfig = broker:(vm://broker)?useJmx=false
>   ServerUrl = vm://broker
> </Resource>{code}
> TomEE's resource configuration doesn't allow this to be disabled. The above doesn't work.
> This can be disabled by inspecting an activemq jar's manifest, pulling down the same version of activemq-all, and putting that in the tomee/lib directory, at which point this works:
> {code:java}
> <Resource id="JmsResourceAdapter" type="ActiveMQResourceAdapter">
>   BrokerXmlConfig = xbean:file:activemq.xml
>   ServerUrl = vm://broker
> </Resource>
> {code}
> {code:java}
>   <broker xmlns="http://activemq.apache.org/schema/core"
>           useJmx="false"
>           brokerName="broker"
>           useShutdownHook="false"
>           persistent="true"
>           start="true"
>           schedulerSupport="false"
>           enableStatistics="false"
>           offlineDurableSubscriberTimeout="259200000"
>           offlineDurableSubscriberTaskSchedule="3600000">
> {code}
> However, convincing the guy hosting the server to inspect JAR manifests, pull down specific jars, and maintain a second configuration file seems like a lot of effort to go to just to have the ability to disable unauthenticated access to every MBean in the VM.
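
A way to verify the goal stated in the comment above (nothing on 1099 answers without credentials, and the authenticated port can be polled), added here as an example that is not part of the original message or of TomEE. It assumes the connector is bound under the usual `/jmxrmi` RMI name; the class name and the `JMX_USER`/`JMX_PASSWORD` environment variables are hypothetical.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
// Added example: reports whether a JMX/RMI port lets a client in without credentials.
public class JmxAuthCheck {
    enum Result { OPEN_NO_AUTH, AUTH_REQUIRED, AUTH_OK, UNREACHABLE }
    static Result probe(String host, int port, String[] credentials) {
        Map<String, Object> env = new HashMap<>();
        if (credentials != null) {
            env.put(JMXConnector.CREDENTIALS, credentials); // {user, password}
        }
        try {
            // Assumption: the connector is bound under the usual "/jmxrmi" name.
            JMXServiceURL url = new JMXServiceURL(
                    "service:jmx:rmi:///jndi/rmi://" + host + ":" + port + "/jmxrmi");
            JMXConnector connector = JMXConnectorFactory.connect(url, env);
            try {
                // Force a real MBean server round trip, not just a socket open.
                connector.getMBeanServerConnection().getMBeanCount();
            } finally {
                try { connector.close(); } catch (IOException ignored) { }
            }
            return credentials == null ? Result.OPEN_NO_AUTH : Result.AUTH_OK;
        } catch (SecurityException e) {
            return Result.AUTH_REQUIRED; // missing or wrong credentials
        } catch (IOException e) {
            return Result.UNREACHABLE;   // closed, filtered, not JMX, or TLS-only
        }
    }

    public static void main(String[] args) {
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        // Always probe anonymously first: a server with no authenticator
        // ignores supplied credentials, so AUTH_OK alone proves nothing.
        Result anonymous = probe(host, port, null);
        System.out.println(host + ":" + port + " anonymous -> " + anonymous);
        String user = System.getenv("JMX_USER");         // hypothetical names
        String password = System.getenv("JMX_PASSWORD");
        if (anonymous == Result.AUTH_REQUIRED && user != null && password != null) {
            System.out.println(host + ":" + port + " with credentials -> "
                    + probe(host, port, new String[] {user, password}));
        }
        System.exit(anonymous == Result.OPEN_NO_AUTH ? 1 : 0);
    }
}
```

Run it as `java JmxAuthCheck <host> <port>` against port 1099 and against the ports set on `JmxRemoteLifecycleListener`; a non-zero exit means the port accepted a client with no credentials.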
