 

How to limit access to JMX to only certain IP-addresses?

I don't want to bother with SSL and passwords each time, but still don't want my program's JMX functionality reachable by others on the LAN.

I populated my ~/.java.policy thus:

// Grant scoped to code running with a JMXPrincipal in its Subject
// (the name "*" matches any principal of that class).
grant principal javax.management.remote.JMXPrincipal "*" {
    // accept inbound connections only from these peers (any port)
    permission java.net.SocketPermission "127.0.0.1", "accept";
    permission java.net.SocketPermission "my.lan.ip.addr", "accept";
    permission java.net.SocketPermission "another.lan.ip.addr", "accept";
    // allow name resolution for any host
    permission java.net.SocketPermission "*", "resolve";
};  // the trailing ';' closes the grant entry; the policy file parser requires it

Unfortunately, this does not seem to have an effect -- when the program is started with:

  • -Djava.security.manager
  • -Dcom.sun.management.jmxremote.ssl=false
  • -Dcom.sun.management.jmxremote.authenticate=false
  • -Dcom.sun.management.jmxremote
  • -Dcom.sun.management.jmxremote.port=1234

its JMX functionality remains accessible from anywhere, not just from the few IPs listed.

How to do it correctly? Thank you!

Mikhail T. asked Nov 27 '25 00:11


1 Answer

I think this is not possible.

Looking at the JMXPrincipal in the source code of, e.g., the OpenJDK JMX classes shows that you always require a user/role; a wildcard does not imply that you don't need a user/authentication. Also, all the other classes (in the JMX package) don't instantiate a Socket that uses the java.net.SocketPermission class. The javax.management.remote.rmi.RMIConnectorServer, which is the only class that extends JMXConnectorServer and is instantiated after the VM command line parameters are read, uses the SocketPermission via the LoaderHandler. Also, looking at the policy examples from the OpenJDK, there you can either restrict JMX access to a user/role or you can restrict the general access to the JVM via permission java.net.SocketPermission.

Update one day later

After thinking a while about it, maybe using only SocketPermission may work. If you look into the code, you can specify port ranges. Unfortunately it is not possible to specify a network address with its mask, but you could in general allow all IPs access to all ports except the JMX port and afterwards add permissions for your IPs. This also requires that you start your java process with

-Dcom.sun.management.jmxremote.port=9010
-Dcom.sun.management.jmxremote.rmi.port=9010

and then the permission would look like this

grant {
    // every port below the JMX port: unrestricted for any host
    permission java.net.SocketPermission "*:1-9009", "listen,resolve,connect,accept";
    // every port above the JMX port: unrestricted for any host
    permission java.net.SocketPermission "*:9011-65535", "listen,resolve,connect,accept";
    // the JMX port itself: accept inbound connections only from these peers
    permission java.net.SocketPermission "127.0.0.1:9010", "accept";
    permission java.net.SocketPermission "my.lan.ip.addr:9010", "accept";
    permission java.net.SocketPermission "another.lan.ip.addr:9010", "accept";
};  // the trailing ';' closes the grant entry; the policy file parser requires it
Westranger answered Nov 29 '25 14:11
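The two policy fragments on this page (the question's JMXPrincipal-scoped grant and the answer's port-split grant) can be evaluated offline with java.security.Policy before anyone starts a JVM with -Djava.security.manager and probes the port. The program below is an added example, not code from either poster. It assumes the JMX port 9010 from the answer, uses 192.0.2.10 (a TEST-NET-1 address) in place of the placeholder my.lan.ip.addr, and assumes a JDK that still ships the file-based "JavaPolicy" provider (JDK 8 through 23).

```java
import java.net.SocketPermission;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
import java.security.URIParameter;
import java.security.cert.Certificate;
import javax.management.remote.JMXPrincipal;

/**
 * Added example: feed the page's policy fragments through the same parser the
 * JVM uses for ~/.java.policy and ask which permissions they actually grant.
 * Assumptions: JMX port 9010, LAN peer 192.0.2.10 (stands in for
 * "my.lan.ip.addr"), JDK 8..23 with the "JavaPolicy" provider present.
 */
public class JmxPolicyCheck {

    // The question's grant, scoped to a JMXPrincipal of any name.
    static final String PRINCIPAL_POLICY = String.join("\n",
        "grant principal javax.management.remote.JMXPrincipal \"*\" {",
        "    permission java.net.SocketPermission \"127.0.0.1\", \"accept\";",
        "    permission java.net.SocketPermission \"192.0.2.10\", \"accept\";",
        "    permission java.net.SocketPermission \"*\", \"resolve\";",
        "};", "");

    // The answer's grant: port ranges that skip 9010, plus accept on 9010 for listed peers.
    static final String PORT_SPLIT_POLICY = String.join("\n",
        "grant {",
        "    permission java.net.SocketPermission \"*:1-9009\", \"listen,resolve,connect,accept\";",
        "    permission java.net.SocketPermission \"*:9011-65535\", \"listen,resolve,connect,accept\";",
        "    permission java.net.SocketPermission \"127.0.0.1:9010\", \"accept\";",
        "    permission java.net.SocketPermission \"192.0.2.10:9010\", \"accept\";",
        "};", "");

    /** Write the policy text to a temp file and load it with the JavaPolicy provider. */
    static Policy load(String policyText) throws Exception {
        Path f = Files.createTempFile("jmx-check", ".policy");
        Files.write(f, policyText.getBytes(StandardCharsets.UTF_8));
        f.toFile().deleteOnExit();
        return Policy.getInstance("JavaPolicy", new URIParameter(f.toUri()));
    }

    /** Does the policy grant 'perm' to unsigned code running as the given principals? */
    static boolean implies(Policy p, Principal[] principals, Permission perm) {
        CodeSource anyCode = new CodeSource(null, (Certificate[]) null);
        ProtectionDomain pd = new ProtectionDomain(anyCode, null, null, principals);
        return p.implies(pd, perm);
    }

    public static void main(String[] args) throws Exception {
        Permission acceptLan   = new SocketPermission("192.0.2.10:9010", "accept");
        Permission acceptOther = new SocketPermission("192.0.2.99:9010", "accept");
        Permission listenJmx   = new SocketPermission("localhost:9010", "listen");

        Policy principalPolicy = load(PRINCIPAL_POLICY);
        // With authenticate=false no Subject carries a JMXPrincipal, so the
        // principal-scoped grant is evaluated against an empty principal set.
        System.out.println("principal grant, no principal, accept listed peer: "
            + implies(principalPolicy, null, acceptLan));
        // The same grant once a JMXPrincipal (any name, because of "*") is present.
        Principal[] jmxUser = { new JMXPrincipal("monitorRole") };
        System.out.println("principal grant, JMXPrincipal, accept listed peer:  "
            + implies(principalPolicy, jmxUser, acceptLan));

        Policy portPolicy = load(PORT_SPLIT_POLICY);
        System.out.println("port-split grant, accept listed peer on 9010:       "
            + implies(portPolicy, null, acceptLan));
        System.out.println("port-split grant, accept unlisted peer on 9010:     "
            + implies(portPolicy, null, acceptOther));
        // Neither port range covers 9010, and the 127.0.0.1:9010 entry carries
        // only "accept", so this asks whether anything grants listen on the JMX port.
        System.out.println("port-split grant, listen on 9010:                   "
            + implies(portPolicy, null, listenJmx));
    }
}
```

Run it with `javac JmxPolicyCheck.java && java JmxPolicyCheck` (on JDK 17+ the Policy API is deprecated, so expect compiler warnings). The first two checks show that a `grant principal` block only applies when the protection domain actually carries that principal, which is what separates the question's policy from the answer's; the remaining checks show how SocketPermission port ranges and per-host entries combine. This only tells you what the policy text grants to a given protection domain; whether the JDK's own RMI accept thread is subject to that check at all is a separate question, so the definitive test is still to start the JVM with the policy and attempt a connection from an unlisted host.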