[jira] [Commented] (TOMEE-2294) Can't disable unauthenticated JMX on 1099

2020-06-16 Thread Frans (Jira)


[ 
https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17136682#comment-17136682
 ] 

Frans commented on TOMEE-2294:
--

Just tried it again to confirm that I am not going crazy and the TomEE version 
I'm working in is actually 7.1.3. It definitely is.

Here it is with the system property commented out:
16-Jun-2020 22:17:22.916 INFO [localhost-startStop-1] 
org.apache.openejb.assembler.classic.Assembler.startEjbs Started 
Ejb(deployment-id=X, ejb-name=X, container=MessageDrivenContainer)
16-Jun-2020 22:17:22.919 INFO [localhost-startStop-1] 
org.apache.openejb.assembler.classic.Assembler.createApplication Deployed 
Application(path=C:localserver\webapps\ROOT)
16-Jun-2020 22:17:22.951 WARNING [JmsResourceAdapter-worker- - 2] 
org.apache.activemq.broker.BrokerService.checkMemorySystemUsageLimits Memory 
Usage for the Broker (1024mb) is more than the maximum available for the JVM: 
981 mb - resetting to 70% of maximum available: 687 mb
16-Jun-2020 22:17:22.963 INFO [JmsResourceAdapter-worker- - 2] 
org.apache.activemq.broker.BrokerService.doStartPersistenceAdapter Using 
Persistence Adapter: 
KahaDBPersistenceAdapter[C:localserver\conf\activemq-data\broker\KahaDB]
16-Jun-2020 22:17:22.979 INFO [JMX connector] 
org.apache.activemq.broker.jmx.ManagementContext$1.run JMX consoles can connect 
to service:jmx:rmi:///jndi/rmi://localhost:1099/jmxrmi
16-Jun-2020 22:17:23.003 INFO [JmsResourceAdapter-worker- - 2] 
org.apache.activemq.store.kahadb.MessageDatabase$Metadata.read KahaDB is 
version 6

Uncommenting the property, the issue went away again.
16-Jun-2020 22:19:27.312 INFO [localhost-startStop-1] 
org.apache.openejb.assembler.classic.Assembler.startEjbs Started 
Ejb(deployment-id=X, ejb-name=X, container=MessageDrivenContainer)
16-Jun-2020 22:19:27.314 INFO [localhost-startStop-1] 
org.apache.openejb.assembler.classic.Assembler.createApplication Deployed 
Application(path=C:\localserver\webapps\ROOT)
16-Jun-2020 22:19:27.350 WARNING [JmsResourceAdapter-worker- - 1] 
org.apache.activemq.broker.BrokerService.checkMemorySystemUsageLimits Memory 
Usage for the Broker (1024mb) is more than the maximum available for the JVM: 
981 mb - resetting to 70% of maximum available: 687 mb
16-Jun-2020 22:19:27.359 INFO [JmsResourceAdapter-worker- - 1] 
org.apache.activemq.broker.BrokerService.doStartPersistenceAdapter Using 
Persistence Adapter: 
KahaDBPersistenceAdapter[C:\localserver\conf\activemq-data\broker\KahaDB]
16-Jun-2020 22:19:27.400 INFO [JmsResourceAdapter-worker- - 1] 
org.apache.activemq.store.kahadb.MessageDatabase$Metadata.read KahaDB is 
version 6

Setting the log level to FINEST and searching for that INFO text shows that 
createConnector is first called just after 
org.apache.activemq.broker.BrokerService.checkMemorySystemUsageLimits

Decompiling that class and following back the references to cMSUL shows that 
the isUseJmx() property is checked just afterwards. I'm guessing this isn't set 
by ?useJmx=
{code}
    @Override
    public void start() throws Exception {
        if (stopped.get() || !started.compareAndSet(false, true)) {
            // lets just ignore redundant start() calls
            // as its way too easy to not be completely sure if start() has been
            // called or not with the gazillion of different configuration
            // mechanisms
            // throw new IllegalStateException("Already started.");
            return;
        }

        setStartException(null);
        stopping.set(false);
        preShutdownHooksInvoked.set(false);
        startDate = new Date();
        MDC.put("activemq.broker", brokerName);

        try {
            checkMemorySystemUsageLimits();
            if (systemExitOnShutdown && useShutdownHook) {
                throw new ConfigurationException("'useShutdownHook' property cannot be be used with 'systemExitOnShutdown', please turn it off (useShutdownHook=false)");
            }
            processHelperProperties();
            if (isUseJmx()) {
                // need to remove MDC during starting JMX, as that would otherwise cause leaks,
                // as spawned threads inherit the MDC and
                // we cannot cleanup clear that during shutdown of the broker.
                MDC.remove("activemq.broker");
                try {
                    startManagementContext();
                    for (NetworkConnector connector : getNetworkConnectors()) {
                        registerNetworkConnectorMBean(connector);
                    }
                } finally {
                    MDC.put("activemq.broker", brokerName);
                }
            }

            // in jvm master slave, lets not publish over existing broker till we get the lock
            final BrokerRegistry brokerRegistry = BrokerRegistry.getInstance();
            if (brokerRegistry.lookup(getBrokerName()) == null) {
                brokerRegistry.bind(getBrokerName(), BrokerService.this);
            }
            startPersistenceAdapter(startAsync);
            startBroker(startAsync);
            brokerRegistry.bind(getBrokerName(), BrokerService.this);
        } catch (Exception e) {
            LOG.error("Failed to start Apache ActiveMQ ({}, {})", getBrokerName(), brokerId, e);
            try {
                if (!stopped.get()) {
                    stop();
                }
            } catch (Exception ex) {
                LOG.warn("Failed to stop broker after failure in start. This exception will be ignored.", ex);
            }
            throw e;
        } finally {
 

[jira] [Commented] (TOMEE-2294) Can't disable unauthenticated JMX on 1099

2020-06-16 Thread Frans (Jira)


[ 
https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17136393#comment-17136393
 ] 

Frans commented on TOMEE-2294:
--

As an alternative fix that doesn't require going into the ActiveMQ code, right 
at the very start of initialising TomEE, you add in a method called 
setSensibleDefaults() with this in it:
{code:java}
if ( StringUtils.isBlank( System.getProperty( "org.apache.activemq.broker.jmx.createConnector" ) ) )
{
    System.setProperty( "org.apache.activemq.broker.jmx.createConnector", "false" );
}
{code}

> Can't disable unauthenticated JMX on 1099
> -
>
> Key: TOMEE-2294
> URL: https://issues.apache.org/jira/browse/TOMEE-2294
> Project: TomEE
>  Issue Type: Bug
>  Components: TomEE Core Server
>Reporter: Frans
>Priority: Major
> Fix For: 8.0.3
>
>
> ActiveMQ comes bundled with a JMX host that is default on unauthenticated on 
> port 1099.
> {code:java}
> 
>   BrokerXmlConfig = broker:(vm://broker)?useJmx=false
>   ServerUrl = vm://broker
> {code}
> Tomee's resource configuration doesn't allow this to be disabled. The above 
> doesn't work.
> This can be disabled by inspecting an activemq jar's manifest, pulling down 
> the same version of activemq-all, and putting that in the tomee/lib 
> directory, at which point this works:
> {code:java}
> 
>   BrokerXmlConfig = xbean:file:activemq.xml
>   ServerUrl = vm://broker
> 
> {code}
> {code:java}
>   http://activemq.apache.org/schema/core;
>   useJmx="false"
>   brokerName="broker"
>   useShutdownHook="false"
>   persistent="true"
>   start="true"
>   schedulerSupport="false"
>   enableStatistics="false"
>   offlineDurableSubscriberTimeout="25920"
>   offlineDurableSubscriberTaskSchedule="360">
> {code}
> However, convincing the guy hosting the server to inspect JAR manifests, pull 
> down specific jars, and maintain a second configuration file seems like a lot 
> of effort to go to just to have the ability to disable unauthenticated access 
> to every MBean in the VM



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
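
The workaround in the comment above, paired with a check that nothing on port 1099 still accepts JMX clients without credentials, as an added Java example (not code from TomEE, ActiveMQ or the commenter). The class name `JmxConnectorGuard`, the `Exposure` enum and both method names are hypothetical; the property name, host and port come from this thread.

```java
import java.io.IOException;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.util.Arrays;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

/** Added example (hypothetical class): default the ActiveMQ connector off, then verify the port. */
public final class JmxConnectorGuard {

    // System property named in this thread; ActiveMQ's ManagementContext reads it.
    static final String CREATE_CONNECTOR = "org.apache.activemq.broker.jmx.createConnector";

    enum Exposure { UNREACHABLE, NO_JMX_BINDING, AUTH_REQUIRED, UNAUTHENTICATED }

    /**
     * Sets the property to "false" unless the operator chose a value explicitly.
     * Must run before any ActiveMQ class is loaded, because the default is captured
     * once when ManagementContext initialises. Returns true when the default was applied.
     */
    static boolean applySafeDefault() {
        String current = System.getProperty(CREATE_CONNECTOR);
        if (current == null || current.trim().isEmpty()) {
            System.setProperty(CREATE_CONNECTOR, "false");
            return true;
        }
        return false;
    }

    /** Classifies what a client that presents no credentials sees at host:port. */
    static Exposure probe(String host, int port) {
        try {
            Registry registry = LocateRegistry.getRegistry(host, port);
            // list() is the first network call; getRegistry() only builds a local stub.
            if (!Arrays.asList(registry.list()).contains("jmxrmi")) {
                return Exposure.NO_JMX_BINDING;
            }
        } catch (RemoteException e) {
            return Exposure.UNREACHABLE; // nothing listening, or not a plain RMI registry
        }
        try {
            JMXServiceURL url = new JMXServiceURL(
                    "service:jmx:rmi:///jndi/rmi://" + host + ":" + port + "/jmxrmi");
            // A null environment map means no credentials are sent.
            try (JMXConnector connector = JMXConnectorFactory.connect(url, null)) {
                connector.getMBeanServerConnection().getMBeanCount();
                return Exposure.UNAUTHENTICATED;
            }
        } catch (SecurityException e) {
            return Exposure.AUTH_REQUIRED; // the connector rejected the anonymous client
        } catch (IOException e) {
            return Exposure.UNREACHABLE;
        }
    }

    public static void main(String[] args) {
        boolean defaulted = applySafeDefault();
        System.out.println(CREATE_CONNECTOR + "=" + System.getProperty(CREATE_CONNECTOR)
                + (defaulted ? " (default applied)" : " (operator setting kept)"));

        // Host and port taken from the log line quoted in this thread.
        Exposure result = probe("localhost", 1099);
        System.out.println("localhost:1099 -> " + result);
        if (result == Exposure.UNAUTHENTICATED) {
            System.exit(1); // fail a deployment check while the open connector is present
        }
    }
}
```

`applySafeDefault()` belongs in the earliest startup hook of the server JVM, while `probe` is meant to run from a separate post-deployment check on the same host.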


[jira] [Commented] (TOMEE-2294) Can't disable unauthenticated JMX on 1099

2020-06-16 Thread Frans (Jira)


[ 
https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17136381#comment-17136381
 ] 

Frans commented on TOMEE-2294:
--

[~jgallimore] I tried the update to 8.0.2 some weeks back, but we won't be 
going ahead with that until I can figure out a better way of configuring the 
JMX authentication.

All of the above was tested and confirmed on tomee 7.1.3



[jira] [Commented] (TOMEE-2294) Can't disable unauthenticated JMX on 1099

2020-06-16 Thread Richard Zowalla (Jira)


[ 
https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17136377#comment-17136377
 ] 

Richard Zowalla commented on TOMEE-2294:


Thanks for the details and insights [~Henskens]

I think the relevant part for this on TomEE side is located in 
[https://github.com/apache/tomee/blob/master/container/openejb-core/src/main/java/org/apache/openejb/resource/activemq/ActiveMQ5Factory.java]
 (respectively in 
[https://github.com/apache/tomee/blob/master/container/openejb-core/src/test/java/org/apache/openejb/resource/activemq/ActiveMQ5FactoryTest.java]).
 [~jgallimore] has added a call "setCreateConnector(false)" per default. See 
also the related CVE: [https://nvd.nist.gov/vuln/detail/CVE-2020-11969]

But we might need to parse the content of ?useJmx= instead and set this 
value inside the factory.

The question is: 
 * ?useJmx=false -> no unauthenticated JMX port on 1099 should be opened? 
Current impl does call "setCreateConnector(false)".
 * ?useJmx=true -> *what do we expect in this case?* Current impl -> no port is 
opened (see CVE)

WDYT?

 



[jira] [Commented] (TOMEE-2294) Can't disable unauthenticated JMX on 1099

2020-06-16 Thread Jonathan Gallimore (Jira)


[ 
https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17136378#comment-17136378
 ] 

Jonathan Gallimore commented on TOMEE-2294:
---

Could you verify any of TomEE 7.1.3, 7.0.8 or 8.0.2? I included a fix 
specifically for this issue. It sounds like you tried 7.1.3, and had some 
success there.

Could you also drop me an email directly on jgallimore at apache dot org?

Thanks

 

Jon



[jira] [Commented] (TOMEE-2294) Can't disable unauthenticated JMX on 1099

2020-06-15 Thread Frans (Jira)


[ 
https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17136316#comment-17136316
 ] 

Frans commented on TOMEE-2294:
--

So, I would recommend changing lines 66-74 to
{code:java}
static {
    String option = Boolean.FALSE.toString();
    try {
        option = System.getProperty("org.apache.activemq.broker.jmx.createConnector", "false");
    } catch (Exception ex) {
    }
    DEFAULT_CREATE_CONNECTOR = Boolean.valueOf(option);
}
{code}
and for now, I'll add that system property and set it to false.

And maybe add a call right at the start to setCreateConnector with the value 
from ?useJmx=

I'm seeing 0 references to that method in my workspace.

Cheers,

Frans



[jira] [Commented] (TOMEE-2294) Can't disable unauthenticated JMX on 1099

2020-06-15 Thread Frans (Jira)


[ 
https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17136310#comment-17136310
 ] 

Frans commented on TOMEE-2294:
--

Okay! Finally some progress!

Looking at the log line
{code:java}
org.apache.activemq.broker.jmx.ManagementContext$1.run JMX consoles can connect 
to service:jmx:rmi:///jndi/rmi://localhost:1099/jmxrmi {code}
I browsed through the tomee jars until I found 
org.apache.activemq.broker.jmx.ManagementContext in activemq-broker-5.15.10.jar

I used FernFlower to decompile the class, and found where the line was being 
logged.

Scrolling around the class, I found that createConnector was the variable used 
to toggle whether or not to enable the dodgy unauthenticated JMX port, which is 
by default on connectorPort = 1099

createConnector defaults to true, and is overridden by a system property: 
org.apache.activemq.broker.jmx.createConnector
{code:java}
    /**
     * Default activemq domain
     */
    public static final String DEFAULT_DOMAIN = "org.apache.activemq";

    static {
        String option = Boolean.TRUE.toString();
        try {
            option = System.getProperty("org.apache.activemq.broker.jmx.createConnector", "true");
        } catch (Exception ex) {
        }
        DEFAULT_CREATE_CONNECTOR = Boolean.valueOf(option);
    }

    public static final boolean DEFAULT_CREATE_CONNECTOR;
{code}
So it appears that any call to ManagementContext.getMbeanServer() - of which 
there are many - tries to find an mbean server
{code:java}
public MBeanServer getMBeanServer() {
    if (this.beanServer == null) {
        this.beanServer = findMBeanServer();
    }
    return beanServer;
}
{code}
Which then creates one if it's not been initialised
{code:java}
protected synchronized MBeanServer findMBeanServer() {
    MBeanServer result = null;
    try {
        if (useMBeanServer) {
            if (findTigerMbeanServer) {
                result = findTigerMBeanServer();
            }
            if (result == null) {
                // lets piggy back on another MBeanServer - we could be in an appserver!
                List<MBeanServer> list = MBeanServerFactory.findMBeanServer(null);
                if (list != null && list.size() > 0) {
                    result = list.get(0);
                }
            }
        }
        if (result == null && createMBeanServer) {
            result = createMBeanServer();
        }
    } catch (NoClassDefFoundError e) {
        LOG.error("Could not load MBeanServer", e);
    } catch (Throwable e) {
        // probably don't have access to system properties
        LOG.error("Failed to initialize MBeanServer", e);
    }
    return result;
}
{code}
And no matter whether it's looking for a tiger mbean server
{code:java}
public MBeanServer findTigerMBeanServer() {
    String name = "java.lang.management.ManagementFactory";
    Class type = loadClass(name, ManagementContext.class.getClassLoader());
    if (type != null) {
        try {
            Method method = type.getMethod("getPlatformMBeanServer", new Class[0]);
            if (method != null) {
                Object answer = method.invoke(null, new Object[0]);
                if (answer instanceof MBeanServer) {
                    if (createConnector) {
                        createConnector((MBeanServer)answer);
                    }
                    return (MBeanServer)answer;
                } else {
                    LOG.warn("Could not cast: {} into an MBeanServer. There must be some classloader strangeness in town", answer);
                }
            } else {
                LOG.warn("Method getPlatformMBeanServer() does not appear visible on type: {}", type.getName());
            }
        } catch (Exception e) {
            LOG.warn("Failed to call getPlatformMBeanServer() due to: ", e);
        }
    } else {
        LOG.trace("Class not found: {} so probably running on Java 1.4", name);
    }
    return null;
}
{code}
or creating a non-tiger mbean server
{code:java}
protected MBeanServer createMBeanServer() throws MalformedObjectNameException, IOException {
    MBeanServer mbeanServer = MBeanServerFactory.createMBeanServer(jmxDomainName);
    locallyCreateMBeanServer = true;
    if (createConnector) {
        createConnector(mbeanServer);
    }
    return mbeanServer;
}
{code}
it still does a check on createConnector.

And because the useJmx=false flag isn't propagated through to the 
setCreateConnector method before the first of these calls is made, and the hard 
coded default for creating this JMX port is true
{code:java}
public void setCreateConnector(boolean createConnector) {
this.createConnector = 

[jira] [Commented] (TOMEE-2294) Can't disable unauthenticated JMX on 1099

2020-06-15 Thread Frans (Jira)


[ 
https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17136291#comment-17136291
 ] 

Frans commented on TOMEE-2294:
--

Here are some relevant Tomcat log lines:
{code:java}
16-Jun-2020 10:34:19.366 INFO [JmsResourceAdapter-worker- - 3] 
org.apache.activemq.ra.ActiveMQEndpointWorker$1.run Establishing connection to 
broker [vm://broker]
16-Jun-2020 10:34:19.377 INFO [localhost-startStop-1] 
org.apache.openejb.assembler.classic.Assembler.startEjbs Started 
Ejb(deployment-id=W, ejb-name=W, container=My Stateless Container)
16-Jun-2020 10:34:19.377 INFO [localhost-startStop-1] 
org.apache.openejb.assembler.classic.Assembler.startEjbs Started 
Ejb(deployment-id=X, ejb-name=X, container=MessageDrivenContainer)
16-Jun-2020 10:34:19.377 INFO [localhost-startStop-1] 
org.apache.openejb.assembler.classic.Assembler.startEjbs Started 
Ejb(deployment-id=Y, ejb-name=Y, container=MessageDrivenContainer)
16-Jun-2020 10:34:19.377 INFO [localhost-startStop-1] 
org.apache.openejb.assembler.classic.Assembler.startEjbs Started 
Ejb(deployment-id=Z, ejb-name=Z, container=MessageDrivenContainer)
16-Jun-2020 10:34:19.380 INFO [localhost-startStop-1] 
org.apache.openejb.assembler.classic.Assembler.createApplication Deployed 
Application(path=C:\localserver\webapps\ROOT)
16-Jun-2020 10:34:19.410 WARNING [JmsResourceAdapter-worker- - 2] 
org.apache.activemq.broker.BrokerService.checkMemorySystemUsageLimits Memory 
Usage for the Broker (1024mb) is more than the maximum available for the JVM: 
981 mb - resetting to 70% of maximum available: 687 mb
16-Jun-2020 10:34:19.413 INFO [JmsResourceAdapter-worker- - 2] 
org.apache.activemq.broker.BrokerService.doStartPersistenceAdapter Using 
Persistence Adapter: 
KahaDBPersistenceAdapter[C:\localserver\conf\activemq-data\broker\KahaDB]
16-Jun-2020 10:34:19.437 INFO [JMX connector] 
org.apache.activemq.broker.jmx.ManagementContext$1.run JMX consoles can connect 
to service:jmx:rmi:///jndi/rmi://localhost:1099/jmxrmi{code}



[jira] [Commented] (TOMEE-2294) Can't disable unauthenticated JMX on 1099

2020-06-15 Thread Frans (Jira)


[ 
https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17136214#comment-17136214
 ] 

Frans commented on TOMEE-2294:
--

[~jgallimore] I've had a go with tomee-8. Historically I've been using the 
apache-catalina-remote-X.jar jmx connectors which have been merged in to 
catalina.jar, and changed so that very specific settings need to be set on 
jmx.a and jmx.p before JMX will work. I've managed to get this working locally, 
but it didn't help with the 1099 issue.

 

[~rzo1] switching back to tomee 7.1.2 (and now 7.1.3), I found that if I took 
the project and stripped it back to the absolute bare minimum of function, 1099 
did not appear.

 

However, as noted in the initial bug report, if I inspect the jar, find the 
version of ActiveMQ being used, pull down activemq-all and use the different 
settings, 1099 also does not appear, and the jmx settings configured in 
JAVA_OPTS, only the secured port specified in JAVA_OPTS works.

 

I'm now trying to get the pared back example and add in sections of the code. 
When something causes 1099 to trigger, I'll pare that part back until it 
disappears again. Hopefully I'll be able to report back what thing is causing 
1099 to show up in the pared-back ActiveMQ jar.



[jira] [Commented] (TOMEE-2294) Can't disable unauthenticated JMX on 1099

2020-05-12 Thread Jonathan Gallimore (Jira)


[ 
https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17105244#comment-17105244
 ] 

Jonathan Gallimore commented on TOMEE-2294:
---

[~Henskens] could you test with this snapshot please? 
https://repository.apache.org/content/groups/snapshots/org/apache/tomee/apache-tomee/8.0.2-SNAPSHOT/apache-tomee-8.0.2-20200512.041932-82-plus.tar.gz



[jira] [Commented] (TOMEE-2294) Can't disable unauthenticated JMX on 1099

2020-05-11 Thread Richard Zowalla (Jira)


[ 
https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17104128#comment-17104128
 ] 

Richard Zowalla commented on TOMEE-2294:


Can you provide a minimal example to reproduce the issue? 

Anything that might help us reproduce the issue from scratch with minimal 
config.

 



[jira] [Commented] (TOMEE-2294) Can't disable unauthenticated JMX on 1099

2020-05-08 Thread Richard Zowalla (Jira)


[ 
https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17102349#comment-17102349
 ] 

Richard Zowalla commented on TOMEE-2294:


I remember that the openejb.xml is used for OpenEJB standalone, while in 
TomEE it is called tomee.xml found in the conf directory of the TomEE 
(according to a blog post by Romain).

So I would give it a try with tomee.xml but [~jgallimore] might correct me :)



[jira] [Commented] (TOMEE-2294) Can't disable unauthenticated JMX on 1099

2020-05-08 Thread Frans (Jira)


[ 
https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17102316#comment-17102316
 ] 

Frans commented on TOMEE-2294:
--

When I had the authenticated JMX port configured before in tomee 7.1.1, it was 
working as intended, but the 1099 port was also sitting there allowing 
unauthenticated access.



[jira] [Commented] (TOMEE-2294) Can't disable unauthenticated JMX on 1099

2020-05-08 Thread Frans (Jira)


[ 
https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17102312#comment-17102312
 ] 

Frans commented on TOMEE-2294:
--

[~jgallimore] I want to:
 # Disable ActiveMQ's unsecured JMX
 # Enable a JMX port with authentication
 # Poll that with credentials that monitor my application

I'm using openejb.xml rather than tomee.xml as it was part of the tutorial I 
followed to get TomEE working initially. If you think switching the name of the 
config file over will help, I'll give it a shot.

As noted above, changing the version of ActiveMQ to activemq-all and using the 
broker configuration it uses.

Having broker:(vm://broker)?useJmx=false or broker:(vm://broker) both result in 
the open port.

The line used to run TomEE is:
{code:java}
@rem this is the TomEE dir
set CATALINA_HOME=XX
set CLASSPATH=%JAVA_HOME%\lib\tools.jar
set CLASSPATH=%CLASSPATH%;%CATALINA_HOME%\bin\bootstrap.jar
set CLASSPATH=%CLASSPATH%;%CATALINA_HOME%\bin\tomcat-juli.jar
set MAINCLASS=org.apache.catalina.startup.Bootstrap
set JAVA_OPTS=-Duser.country=XX
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Duser.language=XX
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Duser.timezone=XX
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-XX:-OmitStackTraceInFastThrow
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-XX:+HeapDumpOnOutOfMemoryError
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-XX:MaxMetaspaceSize=XX
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-XX:+PrintGCDetails
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-XX:+PrintGCDateStamps
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-XX:+UseGCLogFileRotation
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-XX:NumberOfGCLogFiles=XX
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-XX:GCLogFileSize=XX
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Xloggc:XX
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Dcatalina.base="%CATALINA_BASE%"
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Dcatalina.home="%CATALINA_HOME%"
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Djava.endorsed.dirs="%JAVA_ENDORSED_DIRS%"
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Djava.io.tmpdir="%CATALINA_TMPDIR%"
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Dfile.encoding=XX
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Djava.net.preferIPv4Stack=XX
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Djavax.xml.stream.XMLInputFactory=com.sun.xml.internal.stream.XMLInputFactoryImpl
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Djavax.xml.stream.XMLOutputFactory=com.sun.xml.internal.stream.XMLOutputFactoryImpl
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Djavax.xml.parsers.DocumentBuilderFactory=com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Djavax.xml.parsers.SAXParserFactory=com.sun.org.apache.xerces.internal.jaxp.SAXParserFactoryImpl
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Xbootclasspath/p:XX
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Djdk.tls.client.protocols=%TLS_CLIENT_PROTOCOLS%
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Djava.util.logging.config.file=XX
set CMDLINE=%JAVA_VM% %MEM_ARGS% %JAVA_OPTS% %* -classpath "%CLASSPATH%" %MAINCLASS% start
"%JAVA_HOME%\bin\java" %CMDLINE%
{code}
When I can get rid of the 1099 port, I'll need to add in the JMX parameters 
again, or configure them elsewhere.

server.xml contains
{code:java}
   {code}
Both of these ports are configured, and none of them are 1099


[jira] [Commented] (TOMEE-2294) Can't disable unauthenticated JMX on 1099

2020-05-07 Thread Jonathan Gallimore (Jira)


[ 
https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17101507#comment-17101507
 ] 

Jonathan Gallimore commented on TOMEE-2294:
---

All this being said, it's completely reasonable that you'd want to turn on JMX 
for ActiveMQ, but not open the port. You may wish to configure the JMX port 
using JVM arguments, and you may just wish to connect locally (directly to the 
process, and not via a port).

We should allow JMX to be enabled, and not open the port.



[jira] [Commented] (TOMEE-2294) Can't disable unauthenticated JMX on 1099

2020-05-07 Thread Jonathan Gallimore (Jira)


[ 
https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17101501#comment-17101501
 ] 

Jonathan Gallimore commented on TOMEE-2294:
---

I did a check here, and I'm not seeing port 1099 open. I'll trace through where 
we might call org.apache.activemq.broker.jmx.ManagementContext in TomEE, and 
see if there's anything I'm missing.

Setting ?useJmx=true (as opposed to useJmx=false) does open the port.

It would be useful to get the command line you're using to run TomEE (I usually 
do 'ps -ef | grep Bootstrap' to get this). If there's anything sensitive on 
there, please remove it before posting.

It would also be useful to know if you're using an out of the box zip/.tar.gz, or 
if you're deploying openejb.war in Tomcat (or something else). Anything that 
might help us reproduce the issue from scratch with minimal config.

 

 



[jira] [Commented] (TOMEE-2294) Can't disable unauthenticated JMX on 1099

2020-05-05 Thread Richard Zowalla (Jira)


[ 
https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17099646#comment-17099646
 ] 

Richard Zowalla commented on TOMEE-2294:


Hi [~Henskens]

I followed my procedure described above and no 1099 is open. Why did you use 
the openejb.xml?
 You could try to deactivate it in the tomee.xml or perhaps in the 
resources.xml of your application

> Can't disable unauthenticated JMX on 1099
> -
>
> Key: TOMEE-2294
> URL: https://issues.apache.org/jira/browse/TOMEE-2294
> Project: TomEE
>  Issue Type: Bug
>  Components: TomEE Core Server
>Reporter: Frans
>Priority: Major
> Fix For: 8.0.2
>
>


[jira] [Commented] (TOMEE-2294) Can't disable unauthenticated JMX on 1099

2020-05-04 Thread Frans (Jira)


[ 
https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17099482#comment-17099482
 ] 

Frans commented on TOMEE-2294:
--

[~rzo1] I've just tried updating to TomEE 8.0.1, and the issue persists.

In openejb.xml:
{code:java}
 
  BrokerXmlConfig =  broker:(vm://broker)?useJmx=false
  ServerUrl = vm://broker
{code}
Then, in the tomcat.log on startup:
{code:java}
05-May-2020 11:49:12.913 INFO [JMX connector] 
org.apache.activemq.broker.jmx.ManagementContext$1.run JMX consoles can connect 
to service:jmx:rmi:///jndi/rmi://localhost:1099/jmxrmi{code}
I checked this in JConsole, and it is still there, an unauthenticated open JMX 
port.



[jira] [Commented] (TOMEE-2294) Can't disable unauthenticated JMX on 1099

2019-09-11 Thread Richard Zowalla (Jira)


[ 
https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16927292#comment-16927292
 ] 

Richard Zowalla commented on TOMEE-2294:


Can you verify that it works for you in M3 or 7.1.1?

> Can't disable unauthenticated JMX on 1099
> -
>
> Key: TOMEE-2294
> URL: https://issues.apache.org/jira/browse/TOMEE-2294
> Project: TomEE
>  Issue Type: Bug
>  Components: TomEE Core Server
>Reporter: Frans
>Priority: Major
> Fix For: 8.0.0-Final
>
>


[jira] [Commented] (TOMEE-2294) Can't disable unauthenticated JMX on 1099

2019-09-10 Thread Frans (Jira)


[ 
https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16927219#comment-16927219
 ] 

Frans commented on TOMEE-2294:
--

I believe I checked this in TomEE 7.1.0

Glad to know it's fixed in the upcoming release! Thanks!



[jira] [Commented] (TOMEE-2294) Can't disable unauthenticated JMX on 1099

2019-09-09 Thread Richard Zowalla (Jira)


[ 
https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16925973#comment-16925973
 ] 

Richard Zowalla commented on TOMEE-2294:


Hi,

I was trying to reproduce this issue.

 

What I did:

1. Fetched TomEE Plume 8.0.0-M3 

2. Configured tomee.xml as follows
{code:java}



BrokerXmlConfig =  broker:(vm://broker)
ServerUrl   =  vm://broker



ResourceAdapter = MyJmsResourceAdapter



ResourceAdapter = MyJmsResourceAdapter






{code}
  3. Startup the TomEE -> JMX connection via 1099 is possible as described in 
the issue.

  4. Shutdown TomEE and change tomee.xml to 
{code:java}



BrokerXmlConfig =  broker:(vm://broker)?useJmx=false
ServerUrl   =  vm://broker



ResourceAdapter = MyJmsResourceAdapter



ResourceAdapter = MyJmsResourceAdapter





{code}

 5. Startup Tomee and check open ports. No 1099 appears. 

I used the config provided here 
https://tomee.apache.org/latest/docs/jms-resources-and-mdb-container.html for 
testing purpose.

Did you check this behaviour with TomEE 8.0.0-M3?




--
This message was sent by Atlassian Jira
(v8.3.2#803003)
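
An added example (not from the thread or the TomEE project) that automates the comparison made by hand in the messages above: it reads the `BrokerXmlConfig` value, scans a startup log for ActiveMQ's JMX connector announcement, and flags the case reported in this issue, where `useJmx=false` is configured but a connector is still announced. The sample config and log are constructed from the snippets quoted in the thread; treating an unset `useJmx` as enabled is an assumption based on step 3 of the reproduction.

```python
import re
import socket
from urllib.parse import parse_qs

# Line ActiveMQ's ManagementContext logs when it starts a JMX connector.
# \s+ between the words tolerates the line wrapping seen in mail archives.
ANNOUNCE = re.compile(
    r"ManagementContext\S*\s+JMX\s+consoles\s+can\s+connect\s+to\s+(service:jmx:\S+)")
ENDPOINT = re.compile(r"rmi://(\[[^\]]+\]|[^:/\s]+):(\d+)/")
BROKER_PROP = re.compile(r"^\s*BrokerXmlConfig\s*=\s*(\S+)", re.MULTILINE)


def configured_use_jmx(config_text):
    """True/False for a broker: URI; None when the setting lives elsewhere."""
    m = BROKER_PROP.search(config_text)
    if not m or not m.group(1).startswith("broker:"):
        return None  # e.g. xbean:file:activemq.xml keeps useJmx in the XML file
    value = m.group(1)
    # Broker-level options follow the closing parenthesis of the composite URI.
    tail = value.rpartition(")")[2] if ")" in value else value
    flags = parse_qs(tail.partition("?")[2]).get("useJmx")
    if not flags:
        return True  # assumption: unset behaves as enabled (step 3 above)
    return flags[-1].strip().lower() == "true"


def jmx_connectors(log_text):
    """List (host, port, url) for every connector the startup log announces."""
    found = []
    for url in ANNOUNCE.findall(log_text):
        ep = ENDPOINT.search(url)
        if ep:
            found.append((ep.group(1), int(ep.group(2)), url))
    return found


def port_open(host, port, timeout=1.0):
    """True if a TCP connect succeeds; meant to be run on the server itself."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(config_text, log_text):
    use_jmx = configured_use_jmx(config_text)
    connectors = jmx_connectors(log_text)
    return {
        "use_jmx": use_jmx,
        "connectors": connectors,
        # Symptom reported in this issue: config disables JMX, log shows a connector.
        "config_ignored": use_jmx is False and bool(connectors),
    }


# Constructed sample input, modelled on the snippets quoted in this thread.
SAMPLE_CONFIG = """\
  BrokerXmlConfig = broker:(vm://broker)?useJmx=false
  ServerUrl = vm://broker
"""
SAMPLE_LOG = """\
05-May-2020 11:49:12.913 INFO [JMX connector] org.apache.activemq.broker.jmx.ManagementContext$1.run JMX consoles can connect
to service:jmx:rmi:///jndi/rmi://localhost:1099/jmxrmi
05-May-2020 11:49:12.950 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 4200 ms
"""

if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG, SAMPLE_LOG)
    print(report)
    for host, port, _ in report["connectors"]:
        print(host, port, "listening" if port_open(host, port) else "closed")
```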