tomcat-users mailing list archives

From Shanti Suresh <sha...@umich.edu>
Subject Re: Tomcat HeapMemoryUsage MBean question
Date Fri, 07 Sep 2012 15:32:40 GMT
Ah, okay.  Thank you!

Also, what I would like to achieve is to have a secure jmxproxy servlet for
"set" operations.  But have no authentication and authorization for get
operations.
I tried mightily to "tighten" only the "set" operations of the "jmxproxy"
servlet by modifying manager/WEB-INF/web.xml as follows,  and it didn't
work.  I actually tried the url-pattern below with "/jmxproxy/?get*", but I
was still able to query successfully without a "401 Unauthorized" failure.
So I figured that I may not be using the right pattern.  A url-pattern of
"/jmxproxy/*" does return a 401 Unauthorized error message on "get".

-------snippet from manager/web.xml:-----
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>JMX Proxy interface</web-resource-name>
      <url-pattern>/jmxproxy/?set*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager-jmx</role-name>
    </auth-constraint>
  </security-constraint>

-----end of snippet----

I am further restricting who may access the manager application in
"conf/Catalina/localhost/manager.xml" to localhost:

----manager.xml:----
<Context path="/manager" privileged="true"
         docBase="/opt/tomcat/mgmt/apache/webapps/manager">
   <Valve className="org.apache.catalina.valves.RemoteAddrValve"
          allow="127\.0\.0\.1"/>
</Context>
-------------

So if I can somehow secure the "set" but open up the "get" and "qry", I will
be in happy curl-land.

Thanks.

                       -Shanti


On Fri, Sep 7, 2012 at 11:06 AM, Christopher Schultz <
chris@christopherschultz.net> wrote:

>
> Shanti,
>
> On 9/7/12 10:07 AM, Shanti Suresh wrote:
> > We are running v7.0.23.  So "key" I hope should do the trick.  But
> > it doesn't seem to be.
>
> Well, that feature was added in 7.0.27 and you are running 7.0.23. So
> you don't have a version that supports that feature. So upgrade if you
> want to use that new feature.
>
> - -chris
>
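
Servlet url-pattern values are matched against the request path only, never the query string, so "/jmxproxy/?set*" cannot select "set" requests; the distinction has to be made in code. The following is an added example, not part of the original post or of Tomcat's own code: a servlet filter that lets "get" and "qry" requests through and demands the manager-jmx role for anything else. Assumptions: the class name is hypothetical, the filter is mapped to /jmxproxy/* in the manager web.xml, the "/jmxproxy/*" security-constraint is removed while the login-config stays, and the "att" parameter name comes from the Tomcat JMX proxy documentation rather than from this thread.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter (name and mapping are assumptions), mapped to /jmxproxy/*. */
public class JmxProxyWriteGuardFilter implements Filter {

    // Parameters used only by the read operations (get, qry).
    // Any other parameter name (set, val, ...) marks the request as privileged.
    private static final Set<String> READ_ONLY_PARAMS =
            new HashSet<String>(Arrays.asList("get", "qry", "att", "key"));

    private static final String REQUIRED_ROLE = "manager-jmx";

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;

        // Deny by default: the request is unauthenticated-safe only when every
        // parameter it carries is on the read-only allow-list.
        boolean readOnly = READ_ONLY_PARAMS.containsAll(req.getParameterMap().keySet());

        if (!readOnly) {
            // Servlet 3.0 authenticate() runs the webapp's configured login-config
            // and writes the 401 challenge itself when credentials are missing.
            if (!req.authenticate(res)) {
                return;
            }
            if (!req.isUserInRole(REQUIRED_ROLE)) {
                res.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(req, res);
    }
}
```

Because the check is an allow-list of read parameters rather than a block-list containing "set", a proxy operation added by a later Tomcat version is treated as privileged until it is explicitly listed.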
