3 votes

Better security for MBean policy

It would be great to extend the allow/deny policy for MBeans.

Currently it seems that access to all MBeans is allowed if you have read access and don't specify the others explicitly.
Therefore a stricter approach would be good, without having to write your own code as outlined in the manual:
"It is recommended to subclass either org.jolokia.restrictor.AllowAllRestrictor or org.jolokia.restrictor.DenyAllRestrictor."

i.e.
deny -> all MBeans
allow -> only the MBeans specified
order -> deny,allow or allow,deny

The Reference Manual is rather unclear which restrictor is used when.
like http://httpd.apache.org/docs/2.4/mod/mod_access_compat.html#order

Markus, 08.08.2012, 16:36
Idea status: under consideration

Comments

Markus, 09.08.2012, 10:47
Seems the workaround is to deny all commands and allow them afterwards.

jolokia, 09.08.2012, 11:01
IMO this is not a workaround, but exactly the way it is supposed to work:

* For any command given in the section one can explicitly forbid access for certain MBean attributes/commands; all others are allowed.
* For any command missing in one can explicitly switch on access for certain MBean attributes/commands; all others are forbidden.

But you are probably right, this should be clearer in the reference manual.

For further discussion, please use the forum at www.jolokia.org; that's the more visible (and better) place.
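
The deny-by-default setup discussed in this thread, written out as a Jolokia policy file. This is an added example, not taken from the thread or from the Jolokia documentation; the two JVM platform MBeans are chosen only for illustration, and the behaviour described in the comments assumes the rule stated in the reply above.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: allow-list policy (deny everything, then allow named MBeans). -->
<restrict>

  <!-- Only the command types listed here are permitted for every MBean.
       "read", "write" and "exec" are left out on purpose, so they are
       forbidden unless an <allow> entry below switches them on. -->
  <commands>
    <command>version</command>
  </commands>

  <!-- Per-MBean exceptions for the command types missing above.
       mode="read" limits the attribute to read access (no write). -->
  <allow>
    <mbean>
      <name>java.lang:type=Memory</name>
      <attribute mode="read">HeapMemoryUsage</attribute>
    </mbean>
    <mbean>
      <name>java.lang:type=Threading</name>
      <attribute mode="read">ThreadCount</attribute>
    </mbean>
  </allow>

  <!-- No <deny> section is needed in this mode: <deny> only narrows
       command types that <commands> has already opened for all MBeans.
       Adding <command>read</command> above would flip the policy to
       "read everything except what <deny> lists". -->

</restrict>
```

With this file in place, a read of any attribute other than the two listed, and any write or exec request, should be rejected by the agent; checking that with a request against an unlisted MBean is a quick way to confirm the policy was actually loaded.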

Bogdan, 05.09.2012, 20:11
Another alternative for accessing JMX from a Nagios Host is . It provides an agent based access to the MBeans, where a Servlet is hooked up to access the MBeanServer for exporting JMX Information via HTTP and JSON. So, no Java installation is required on the Nagios Host (as for jboss2nagios). Some features of the included Nagios Plugin check_jmx4perl are:

* Access to JMX attributes and return values of JMX operations for monitoring purposes
* Incremental mode for monitoring the velocity of value changes, e.g. the growth rate of the thread count
* Relative monitoring of values by providing a base value attribute, e.g. for checking that the memory used is below 80% of the available memory
* Deep access to arbitrary Java bean attributes, e.g. the statistics values of a JSR77 Stats object
* Alias names for common attributes and operations
* Selective access to a predefined set of MBeans by providing an access policy file to the agent servlet
* Tested on JBoss 4.2.3 GA & 5.1.0 GA, Oracle Weblogic 9.2 MP3 & 10.0.2.0, IBM Websphere 6.1 & 7.0, Jonas 4.10.3 (with Jetty 5.1.10 and Tomcat 5.5.26), Apache Geronimo 2.1.4 (Jetty 6 and Tomcat 6), Glassfish 2.1, Apache Tomcat 4.1.39, 5.5.27 & 6.0.18 and Jetty 5.1.15 & 6.1.18 (with JMX enabled).

It's actively supported and developed and even professional support is available. The plugin itself is released under the GPL. As I'm the author, I highly appreciate any feedback and usage reports. You might consider giving it a try ...