db-derby-commits mailing list archives

From Apache Wiki <wikidi...@apache.org>
Subject [Db-derby Wiki] Update of "DerbyJMXQuickStart" by JohnHEmbretsen
Date Fri, 18 Apr 2008 08:09:17 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Db-derby Wiki" for change notification.

The following page has been changed by JohnHEmbretsen:
http://wiki.apache.org/db-derby/DerbyJMXQuickStart

The comment on the change is:
Added some more JMX authorization info/examples

------------------------------------------------------------------------------
  
  For more information about the system properties used above and potential security risks,
see [http://java.sun.com/javase/6/docs/technotes/guides/management/agent.html the Java SE
Monitoring and Management Guide].
  
+ === Simple authorization ===
+ Some JVMs support a simple access file system for controlling JMX access. An access file
is formatted the same way as password files (described above), and associates roles with an
access level. Valid access levels are `readonly` and `readwrite`, where `readonly` only allows
the JMX client to read an MBean's attributes and receive notifications. `readwrite` also allows
setting attributes, invoking operations, and MBean creation/removal.
+ 
+ To use an access file for JMX authorization, you may specify the name of the access file
using a system property upon JVM startup:
+ {{{
+ -Dcom.sun.management.jmxremote.access.file=jmxremote.access
+ }}}
+ The contents of such an access file may look like this:
+ {{{
+ monitorRole   readonly
+ controlRole   readwrite
+ }}}
+ 
+ For more information, see [http://java.sun.com/javase/6/docs/technotes/guides/management/agent.html
the Java SE Monitoring and Management Guide].
  
  [[Anchor(SecurityPolicy)]]
  === Fine-grained authorization: Security policy ===
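
Review bot: The new "Simple authorization" section says the access file has the same format as the password file, but never states that the role names in it (`monitorRole`, `controlRole`) must correspond to the roles defined in the password file described above; say so explicitly. `-Dcom.sun.management.jmxremote.access.file=jmxremote.access` is a relative path, so name the directory it is resolved against or show an absolute path. Because `readwrite` is described as allowing operation invocation and MBean creation/removal, a sentence recommending `readonly` for roles that only monitor would fit here. The closing "For more information" sentence repeats the identical link in the paragraph directly before the section and can be dropped.
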
@@ -247, +261 @@

  
  }}}
  
+ For a full version of the above example policy, see the attachment attachment:jmx-example.policy
(use ''Save as...'').
+ 
  Note that in the example above the system property `derby.install.url` is used to tell the
security manager/policy implementation where to find the codebases `derby.jar` and `derbynet.jar`.
Using a property provides flexibility - however, you may avoid the use of such a property
by specifying the full codebase URLs directly in the policy file. The value of this property
may be specified on the command line, for example
  {{{
  -Dderby.install.url=file:/home/user/derby/10.4.1.3/lib/
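
Review bot: The added pointer to `jmx-example.policy` comes before the paragraph explaining that the example policy relies on the `derby.install.url` system property, so a reader who downloads the attachment at that point has not yet been told the property must be set. Move the sentence below that paragraph, or add a short "(requires `derby.install.url`, see below)". The wording "the attachment attachment:jmx-example.policy" also reads as a doubled word in the wiki source; "see attachment:jmx-example.policy" is enough.
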
@@ -272, +288 @@

  {{{
  -Djava.security.debug=access:failure
  }}}
- when starting the Derby Network Server from the command line will print lots of output to
the console which allows you to find out specifically which permissions are granted and which
are missing when a failure occurs. It may be wise to store the output in a file and search
through it afterwards.
+ when starting the Derby Network Server from the command line will print lots of output to
the console which allows you to find out specifically which permissions are granted and which
are missing when a failure occurs. Due to the amount of output generated when setting the
debug flag, it may be wise to store the output in a file and search through it afterwards.
  
  For example, to find out details about a missing permission, search for the text "`access
denied`" in the output, and you will see something like
  {{{
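
Review bot: The reworded sentence now states the output volume twice ("will print lots of output" and "Due to the amount of output generated when setting the debug flag"); keep one of the two. Since the advice is to store the output in a file, say which stream the debug output is written to so the reader knows what to redirect.
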
@@ -297, +313 @@

  
  `org.apache.derby.security.SystemPermission "engine", "monitor"`,
  
- as the JMX client was accessing the `VersionString` attribute of the `VersionMBean` for
derby.jar.
+ as the JMX client was accessing the `VersionString` attribute of the `VersionMBean` for
derby.jar. In this example, JMX user authentication was disabled, hence `<no principals>`.
  
  
  [[Anchor(JConsoleAccess)]]
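
Review bot: The added sentence explains `<no principals>` only for the case where JMX user authentication is disabled. Add a clause saying what appears in that position when authentication is enabled, so a reader debugging an authenticated setup can recognise the corresponding line in the `access denied` output.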
