db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Knut Anders Hatlen (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DERBY-5637) Document Derby's JMX capabilities and how to disable them
Date Wed, 07 Mar 2012 16:58:57 GMT

    [ https://issues.apache.org/jira/browse/DERBY-5637?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13224502#comment-13224502
] 

Knut Anders Hatlen commented on DERBY-5637:
-------------------------------------------

> We should document (...) how to disable/restrict access to them in security-conscious
environments.

I'm aware of the following ways to disable the MBeans:

1) Use the stopManagement() method of ManagementMBean. This method unregisters all of Derby's
MBeans except ManagementMBean itself, so it doesn't turn it off completely.

2) Run the network server with a custom security policy which doesn't grant derby.jar the
permissions needed to register MBeans. For example by modifying the network server's basic
policy (http://db.apache.org/derby/docs/dev/adminguide/tadminnetservbasic.html) by commenting
out this section:

// Allows access to Derby's built-in MBeans, within the domain
// org.apache.derby.
// Derby must be allowed to register and unregister these MBeans.
// It is possible to allow access only to specific MBeans, attributes or 
// operations. To fine tune this permission, see the javadoc of 
// javax.management.MBeanPermission or the JMX Instrumentation and Agent 
// Specification. 
//
  permission javax.management.MBeanPermission 
      "org.apache.derby.*#[org.apache.derby:*]",
      "registerMBean,unregisterMBean";

If the permission to register MBeans isn't granted to derby.jar, JMXManagementService.jmxRegister()
will silently ignore any requests to register MBeans, as can be seen from this catch block
in said method:

        } catch (SecurityException se) {
            // If we can't register the MBean then so be it.
            // The application can later enabled the MBeans
            // by using org.apache.derby.mbeans.Management
        }
                
> Document Derby's JMX capabilities and how to disable them
> ---------------------------------------------------------
>
>                 Key: DERBY-5637
>                 URL: https://issues.apache.org/jira/browse/DERBY-5637
>             Project: Derby
>          Issue Type: Improvement
>          Components: Documentation, JMX
>    Affects Versions: 10.9.0.0
>            Reporter: Rick Hillegas
>            Assignee: Kim Haase
>
> Derby's JMX beans are useful, although limited. We should document their capabilities
as well as how to disable/restrict access to them in security-conscious environments.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message