tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <>
Subject Re: Tomcat HeapMemoryUsage MBean question
Date Fri, 07 Sep 2012 17:54:20 GMT
Hash: SHA1


On 9/7/12 11:32 AM, Shanti Suresh wrote:
> Also, what I would like to achieve is to have a secure jmxproxy 
> servlet for "set" operations.  But have no authentication and 
> authorization for get operations.

I personally think that's a bad idea: just set some simple username
and password and have your client use it: any decent command-line HTTP
client should support HTTP BASIC authentication.

> I tried might to "tighten" only the "set" operations of the 
> "jmxproxy" servlet by modifying manager/WEB-INF/web.xml as
> follows, and it didn't work.  I actually tried the url-pattern
> below with "/jmxproxy/?get*", but I was still able to query
> successfully without a "401 Unauthorized" failure. So I figured
> that I may not be using the right pattern.  A url-pattern of
> "/jmxproxy/*" does return a 401 Unauthorized error message on
> "get".
> -------snippet from manager/web.xml:----- <security-constraint> 
> <web-resource-collection> <web-resource-name>JMX Proxy 
> interface</web-resource-name> 
> <url-pattern>/jmxproxy/?set*</url-pattern> 
> </web-resource-collection> <auth-constraint> 
> <role-name>manager-jmx</role-name> </auth-constraint> 
> </security-constraint>
> -----end of snippet----

You can't do that: the servlet spec's url-pattern matching only
matches the path of the URL and does not include the query string.

> I am further restricting who may access the manager application in
>  "conf/Catalina/localhost/manager.xml" to localhost:
> ----manager.xml:---- <Context path="/manager" privileged="true" 
> docBase="/opt/tomcat/mgmt/apache/webapps/manager"> <Valve 
> className="org.apache.catalina.valves.RemoteAddrValve" 
> allow="127\.0\.0\.1"/> </Context> -------------

That's good.

> So I can somehow secure the "set" but open up the "get" and "qry", 
> I will be in happy curl-land.

Log it as an enhancement request in Bugzilla. I proposed this kind of
thing a few months ago though I can't seem to find the thread at the
moment. It was mildly rejected due to lack of interest, but but it
seems we have a real use-case where a user wants this capability.

- -chris
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools -
Comment: Using GnuPG with Mozilla -


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message