jmx4perl knows since some time how to restrict access to the agent (and soon proxy) servlet based on various criteria. However, this feature is unfortunately not yet well documented and a little bit hidden. This blog describes the nifty details and future roadmap.
Access restrictions are described within an XML-document which is included in the agent servlet
j4p.war. The out-of-the-stock
j4p.war doesn’t include any restrictions. There are two ways for adding
j4p-access.xml to the servlet.
The agent servlet can be easily rebuild out of the source distribution. The only prerequisites building the agent servlet are a JDK (>= 1.5) and a ant (the
make in the Java world) installation:
j4p-access.xmlaccording to you needs. More on this below.
ant. This will build a
j4p.warin the current directory with
j4p-access.xmlincluded at the right place.
Alternatively you could extract a distributed
j4p.war, add a
j4p-access.xml and repackage
mkdir j4p cd j4p jar xvf ../j4p.war cp ~/jmx4perl-src/agent/j4p-access-template.xml j4p-access.xml vi j4p-access.xml jar cvf ../j4p.war *
The best starting point is to have a look at
j4p-access-temlate.xml in the source distribution which contains some usage examples and should more or less self explanatory. Access can be restricted based on various parameters:
<j4p-restrict> <remote> <host>localhost</host> <host>10.0.0.0/16</host> </remote> <commands> <command>read</command> <command>exec</command> </commands> <mbeans> <mbean> <name>java.lang:type=Memory</name> <attribute>HeapMemoryUsage</attribute> <attribute mode="read">Verbose</attribute> <operation>gc</operation> </mbean> </mbeans> </j4p-restrict>
First you can restrict access based on the client IP address. If a section
<remote> is given, then access is only granted to all hosts given within the
<host> tags. Whole subnets can be provided with a subnet postfix like
/24. The address can be given in numeric form (in which case a DNS lookup is saved) or as a name. If this section is missing, all clients are allowed to access the agent.
Restrictions can be set globally for certain commands. Use
<commands> to start this sections and add commands with the
<command> tag. Only the mentioned commands are allowed to execute. Known commands are:
<commands> section is missing, no command based restrictions apply.
Finally, restrictions can be set to certain MBeans and their attributes and operations. Within the
<mbeans> section multiple
<mbean> tags can be given. A
<mbean> section includes a
<name> specificiation which contains the fully qualified object name of the MBean for which access is granted. Additional
<operation> tags can further restrict access to certain attributes and operations, respectively. If no
<operation> is given within a
<mbean> declaration, then access is granted to the whole MBean. If
<attribute> contains an attribute
mode="read", then only read access is granted for this attribute. If
<mbeans> are given, then access is granted to the specified MBeans only. Otherwise, access to all MBeans are allowed.
Along with the forthcoming proxy mode, access could be restricted on the target server as well as allowing the agent servlet to proxy only to certain targets. Another idea is to extend this security mechanism with a backing store, so that access restriction could be added dynamically during runtime.
Do you have additional feature requests concerning access restrictions for the jmx4perl agent servlet ?