db-derby-commits mailing list archives

From Apache Wiki <wikidi...@apache.org>
Subject [Db-derby Wiki] Update of "DerbyJMXQuickStart" by JohnHEmbretsen
Date Tue, 22 Apr 2008 07:28:27 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Db-derby Wiki" for change notification.

The following page has been changed by JohnHEmbretsen:
http://wiki.apache.org/db-derby/DerbyJMXQuickStart

------------------------------------------------------------------------------
  controlRole  derby
  }}}
  
- You may need to change the permissions on the password file to be readable only by the user
starting the server. To do this on windows use: 
+ The security of the password file relies on your file system's access control mechanisms.
The file must be readable by the owner only. Also, you may need to change the permissions
on the password file to be readable only by the user starting the server. To do this on Windows
(NTFS) use: 
  {{{ cacls jmxremote.password /P <username>:R }}}
+ 
+ ''[http://en.wikipedia.org/wiki/FAT32 FAT file systems] do not support this feature ([http://java.sun.com/javase/6/docs/technotes/guides/management/security-windows.html
details]).''
  
  The following example starts the Derby Network Server on the command line with built-in
JMX password authentication enabled. 
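
Review bot: The added paragraph states the same requirement twice with different strength: "The file must be readable by the owner only" is followed by "Also, you may need to change the permissions on the password file to be readable only by the user starting the server". It also never says that the "owner" and the "user starting the server" are meant to be the same account. Suggest merging the two into one sentence that keeps the "must" and names a single account, and saying that `<username>` in the `cacls` line is that account. In the FAT note, "do not support this feature" leaves "this feature" undefined; spell out that per-user read restrictions cannot be set there, so a reader understands the password file cannot be protected on such a volume. The link label says "FAT file systems" while the target is the FAT32 article, so one of the two should be adjusted.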
  
@@ -153, +155 @@

  === Fine-grained authorization: Security policy ===
  
  When starting the Derby Network Server from the command line, it installs a security manager
and a basic security policy by default. This policy includes the required permissions to allow
JMX users to access Derby's MBeans if JMX user authentication is ''disabled''. If JMX user
authentication is ''enabled'', you may need to grant additional permissions to specific users
(JMXPrincipals).
+ 
+ The `NetworkServerMBean`'s '''ping''' operation requires that an additional permission is
granted to `derbynet.jar`, that is not included in the default security policy:
+ {{{
+     // If the server is listening on the loopback interface only (default).
+     permission java.net.SocketPermission "localhost", "connect,resolve";
+ }}}
+ {{{
+     // If the server's network interface setting (-h or derby.drda.host) is non-default.
+     // Note: Allows outbound connections to any host!
+     permission java.net.SocketPermission "*", "connect,resolve";
+ }}}
  
  If you are using a custom security policy, refer to the [http://db.apache.org/derby/javadoc/publishedapi/
public API] of Derby's MBeans and Derby's template security policy file ($DERBY_HOME/demo/templates/server-policy)
for details about the permissions you may need to set to allow or restrict specific JMX access.
See also ["JMXSecurityExpectations"]. This also applies if you are running Derby embedded
with a security manager installed.
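
Review bot: The second added snippet grants `java.net.SocketPermission "*", "connect,resolve"` to `derbynet.jar`, which, as its own comment says, allows outbound connections to any host just so that '''ping''' works. Suggest recommending the specific host value given to -h or derby.drda.host in place of "*" and presenting the wildcard only as a fallback, so that following the page does not widen the policy more than the operation needs. Both snippets also show bare permission lines with no enclosing grant block; since the sentence above them says the permission goes to `derbynet.jar`, either show that grant wrapper or point to the matching block in $DERBY_HOME/demo/templates/server-policy so the lines are not pasted into a broader grant.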
  
