db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Knut Anders Hatlen (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DERBY-5637) Document Derby's JMX capabilities and how to disable them
Date Wed, 07 Mar 2012 16:58:57 GMT

    [ https://issues.apache.org/jira/browse/DERBY-5637?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13224502#comment-13224502

Knut Anders Hatlen commented on DERBY-5637:

> We should document (...) how to disable/restrict access to them in security-conscious

I'm aware of the following ways to disable the MBeans:

1) Use the stopManagement() method of ManagementMBean. This method unregisters all of Derby's
MBeans except ManagementMBean itself, so it doesn't turn it off completely.

2) Run the network server with a custom security policy which doesn't grant derby.jar the
permissions needed to register MBeans. For example by modifying the network server's basic
policy (http://db.apache.org/derby/docs/dev/adminguide/tadminnetservbasic.html) by commenting
out this section:

// Allows access to Derby's built-in MBeans, within the domain
// org.apache.derby.
// Derby must be allowed to register and unregister these MBeans.
// It is possible to allow access only to specific MBeans, attributes or 
// operations. To fine tune this permission, see the javadoc of 
// javax.management.MBeanPermission or the JMX Instrumentation and Agent 
// Specification. 
  permission javax.management.MBeanPermission 

If the permission to register MBeans isn't granted to derby.jar, JMXManagementService.jmxRegister()
will silently ignore any requests to register MBeans, as can be seen from this catch block
in said method:

        } catch (SecurityException se) {
            // If we can't register the MBean then so be it.
            // The application can later enabled the MBeans
            // by using org.apache.derby.mbeans.Management
> Document Derby's JMX capabilities and how to disable them
> ---------------------------------------------------------
>                 Key: DERBY-5637
>                 URL: https://issues.apache.org/jira/browse/DERBY-5637
>             Project: Derby
>          Issue Type: Improvement
>          Components: Documentation, JMX
>    Affects Versions:
>            Reporter: Rick Hillegas
>            Assignee: Kim Haase
> Derby's JMX beans are useful, although limited. We should document their capabilities
as well as how to disable/restrict access to them in security-conscious environments.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira


View raw message