[jira] [Commented] (TOMEE-2294) Can't disable unauthenticated JMX on 1099
[ https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17136682#comment-17136682 ]

Frans commented on TOMEE-2294:
------------------------------

Just tried it again to confirm that I am not going crazy and the TomEE version I'm working in is actually 7.1.3. It definitely is.

Here it is with the system property commented out:

16-Jun-2020 22:17:22.916 INFO [localhost-startStop-1] org.apache.openejb.assembler.classic.Assembler.startEjbs Started Ejb(deployment-id=X, ejb-name=X, container=MessageDrivenContainer)
16-Jun-2020 22:17:22.919 INFO [localhost-startStop-1] org.apache.openejb.assembler.classic.Assembler.createApplication Deployed Application(path=C:localserver\webapps\ROOT)
16-Jun-2020 22:17:22.951 WARNING [JmsResourceAdapter-worker- - 2] org.apache.activemq.broker.BrokerService.checkMemorySystemUsageLimits Memory Usage for the Broker (1024mb) is more than the maximum available for the JVM: 981 mb - resetting to 70% of maximum available: 687 mb
16-Jun-2020 22:17:22.963 INFO [JmsResourceAdapter-worker- - 2] org.apache.activemq.broker.BrokerService.doStartPersistenceAdapter Using Persistence Adapter: KahaDBPersistenceAdapter[C:localserver\conf\activemq-data\broker\KahaDB]
16-Jun-2020 22:17:22.979 INFO [JMX connector] org.apache.activemq.broker.jmx.ManagementContext$1.run JMX consoles can connect to service:jmx:rmi:///jndi/rmi://localhost:1099/jmxrmi
16-Jun-2020 22:17:23.003 INFO [JmsResourceAdapter-worker- - 2] org.apache.activemq.store.kahadb.MessageDatabase$Metadata.read KahaDB is version 6

Uncommenting the property, the issue went away again.

16-Jun-2020 22:19:27.312 INFO [localhost-startStop-1] org.apache.openejb.assembler.classic.Assembler.startEjbs Started Ejb(deployment-id=X, ejb-name=X, container=MessageDrivenContainer)
16-Jun-2020 22:19:27.314 INFO [localhost-startStop-1] org.apache.openejb.assembler.classic.Assembler.createApplication Deployed Application(path=C:\localserver\webapps\ROOT)
16-Jun-2020 22:19:27.350 WARNING [JmsResourceAdapter-worker- - 1] org.apache.activemq.broker.BrokerService.checkMemorySystemUsageLimits Memory Usage for the Broker (1024mb) is more than the maximum available for the JVM: 981 mb - resetting to 70% of maximum available: 687 mb
16-Jun-2020 22:19:27.359 INFO [JmsResourceAdapter-worker- - 1] org.apache.activemq.broker.BrokerService.doStartPersistenceAdapter Using Persistence Adapter: KahaDBPersistenceAdapter[C:\localserver\conf\activemq-data\broker\KahaDB]
16-Jun-2020 22:19:27.400 INFO [JmsResourceAdapter-worker- - 1] org.apache.activemq.store.kahadb.MessageDatabase$Metadata.read KahaDB is version 6

Setting the log level to FINEST and searching for that INFO text shows that createConnector is first called just after org.apache.activemq.broker.BrokerService.checkMemorySystemUsageLimits

Decompiling that class and following back the references to cMSUL shows that the isUseJmx() property is checked just afterwards. I'm guessing this isn't set by ?useJmx=

{code}
@Override
public void start() throws Exception {
    if (stopped.get() || !started.compareAndSet(false, true)) {
        // lets just ignore redundant start() calls
        // as its way too easy to not be completely sure if start() has been
        // called or not with the gazillion of different configuration
        // mechanisms
        // throw new IllegalStateException("Already started.");
        return;
    }

    setStartException(null);
    stopping.set(false);
    preShutdownHooksInvoked.set(false);
    startDate = new Date();
    MDC.put("activemq.broker", brokerName);

    try {
        checkMemorySystemUsageLimits();
        if (systemExitOnShutdown && useShutdownHook) {
            throw new ConfigurationException("'useShutdownHook' property cannot be be used with 'systemExitOnShutdown', please turn it off (useShutdownHook=false)");
        }
        processHelperProperties();
        if (isUseJmx()) {
            // need to remove MDC during starting JMX, as that would otherwise causes leaks, as spawned threads inheirt the MDC and
            // we cannot cleanup clear that during shutdown of the broker.
            MDC.remove("activemq.broker");
            try {
                startManagementContext();
                for (NetworkConnector connector : getNetworkConnectors()) {
                    registerNetworkConnectorMBean(connector);
                }
            } finally {
                MDC.put("activemq.broker", brokerName);
            }
        }

        // in jvm master slave, lets not publish over existing broker till we get the lock
        final BrokerRegistry brokerRegistry = BrokerRegistry.getInstance();
        if (brokerRegistry.lookup(getBrokerName()) == null) {
            brokerRegistry.bind(getBrokerName(), BrokerService.this);
        }
        startPersistenceAdapter(startAsync);
        startBroker(startAsync);
        brokerRegistry.bind(getBrokerName(), BrokerService.this);
    } catch (Exception e) {
        LOG.error("Failed to start Apache ActiveMQ ({}, {})", getBrokerName(), brokerId, e);
        try {
            if (!stopped.get()) {
                stop();
            }
        } catch (Exception ex) {
            LOG.warn("Failed to stop broker after failure in start. This exception will be ignored.", ex);
        }
        throw e;
    } finally {
[jira] [Commented] (TOMEE-2294) Can't disable unauthenticated JMX on 1099
[ https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17136393#comment-17136393 ]

Frans commented on TOMEE-2294:
------------------------------

As an alternative fix that doesn't require going into the ActiveMQ code, right at the very start of initialising TomEE, you add in a method called setSensibleDefaults() with this in it:

{code:java}
if ( StringUtils.isBlank( System.getProperty( "org.apache.activemq.broker.jmx.createConnector" ) ) )
{
    System.setProperty( "org.apache.activemq.broker.jmx.createConnector", "false" );
}
{code}

> Can't disable unauthenticated JMX on 1099
> -----------------------------------------
>
>                 Key: TOMEE-2294
>                 URL: https://issues.apache.org/jira/browse/TOMEE-2294
>             Project: TomEE
>          Issue Type: Bug
>          Components: TomEE Core Server
>            Reporter: Frans
>            Priority: Major
>             Fix For: 8.0.3
>
>
> ActiveMQ comes bundled with a JMX host that is default on unauthenticated on
> port 1099.
> {code:java}
>
> BrokerXmlConfig = broker:(vm://broker)?useJmx=false
> ServerUrl = vm://broker
> {code}
> Tomee's resource configuration doesn't allow this to be disabled. The above
> doesn't work.
> This can be disabled by inspecting an activemq jar's manifest, pulling down
> the same version of activemq-all, and putting that in the tomee/lib
> directory, at which point this works:
> {code:java}
>
> BrokerXmlConfig = xbean:file:activemq.xml
> ServerUrl = vm://broker
>
> {code}
> {code:java}
> http://activemq.apache.org/schema/core;
> useJmx="false"
> brokerName="broker"
> useShutdownHook="false"
> persistent="true"
> start="true"
> schedulerSupport="false"
> enableStatistics="false"
> offlineDurableSubscriberTimeout="25920"
> offlineDurableSubscriberTaskSchedule="360">
> {code}
> However, convincing the guy hosting the server to inspect JAR manifests, pull
> down specific jars, and maintain a second configuration file seems like a lot
> of effort to go to just to have the ability to disable unauthenticated access
> to every MBean in the VM

--
This message was sent by Atlassian Jira (v8.3.4#803005)
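The workaround in the comment above can be paired with a post-start check that the connector really is gone. This is an added example, not code from the thread, TomEE or ActiveMQ: it applies the default without overriding an explicit operator setting, and separately classifies what answers at the service URL printed in the thread's log line. The class, enum and method names are hypothetical; only JDK classes are used.

```java
import java.io.IOException;
import java.net.MalformedURLException;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

/** Added example (not TomEE or ActiveMQ code). Class and method names are hypothetical. */
public class JmxConnectorGuard {

    // Property name and service URL are the ones quoted in this thread.
    static final String CREATE_CONNECTOR_PROP = "org.apache.activemq.broker.jmx.createConnector";
    static final String DEFAULT_URL = "service:jmx:rmi:///jndi/rmi://localhost:1099/jmxrmi";

    enum Exposure { OPEN_UNAUTHENTICATED, AUTH_REQUIRED, NOT_REACHABLE }

    /**
     * Call this inside the server JVM before any ActiveMQ class is loaded: the static
     * initializer quoted in the thread reads the property once, so setting it later
     * does not change the default. An explicit operator value is left untouched.
     */
    static String applySensibleDefault() {
        String current = System.getProperty(CREATE_CONNECTOR_PROP);
        if (current == null || current.trim().isEmpty()) {
            System.setProperty(CREATE_CONNECTOR_PROP, "false");
            return "false";
        }
        return current;
    }

    /** Post-start self-check: connect with no credentials and classify the outcome. */
    static Exposure check(String serviceUrl) throws MalformedURLException {
        JMXServiceURL url = new JMXServiceURL(serviceUrl);
        JMXConnector connector;
        try {
            // No environment map is passed, so no credentials are sent.
            connector = JMXConnectorFactory.connect(url);
        } catch (SecurityException e) {
            return Exposure.AUTH_REQUIRED;   // a connector exists but rejects anonymous clients
        } catch (IOException e) {
            return Exposure.NOT_REACHABLE;   // no registry or connector at that address
        }
        try {
            connector.close();
        } catch (IOException ignored) {
            // The connection was already established; a close failure does not change the verdict.
        }
        return Exposure.OPEN_UNAUTHENTICATED;
    }

    /** Runs the check from a separate JVM on the same host, e.g. as a deployment smoke test. */
    public static void main(String[] args) throws Exception {
        String url = args.length > 0 ? args[0] : DEFAULT_URL;
        Exposure result = check(url);
        System.out.println(url + " -> " + result);
        // Non-zero exit makes the smoke test fail when the connector accepts anonymous clients.
        System.exit(result == Exposure.OPEN_UNAUTHENTICATED ? 1 : 0);
    }
}
```

Run the check only after the broker has finished starting; in the captures in this thread the connector line is logged after `Deployed Application`.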
[jira] [Commented] (TOMEE-2294) Can't disable unauthenticated JMX on 1099
[ https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17136381#comment-17136381 ]

Frans commented on TOMEE-2294:
------------------------------

[~jgallimore] I tried the update to 8.0.2 some weeks back, but we won't be going ahead with that until I can figure out a better way of configuring the JMX authentication.

All of the above was tested and confirmed on tomee 7.1.3.
[jira] [Commented] (TOMEE-2294) Can't disable unauthenticated JMX on 1099
[ https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17136377#comment-17136377 ]

Richard Zowalla commented on TOMEE-2294:
----------------------------------------

Thanks for the details and insights [~Henskens]

I think the relevant part for this on TomEE side is located in [https://github.com/apache/tomee/blob/master/container/openejb-core/src/main/java/org/apache/openejb/resource/activemq/ActiveMQ5Factory.java] (respectively in [https://github.com/apache/tomee/blob/master/container/openejb-core/src/test/java/org/apache/openejb/resource/activemq/ActiveMQ5FactoryTest.java]).

[~jgallimore] has added a call "setCreateConnector(false)" per default. See also the related CVE: [https://nvd.nist.gov/vuln/detail/CVE-2020-11969]

But we might need to parse the content of ?useJmx= instead and set this value inside the factory. The question is:

* ?useJmx=false -> no unauthenticated JMX port on 1099 should be opened? Current impl does call "setCreateConnector(false)".
* ?useJmx=true -> *what do we expect in this case?* Current impl -> no port is opened (see CVE)

WDYT?
[jira] [Commented] (TOMEE-2294) Can't disable unauthenticated JMX on 1099
[ https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17136378#comment-17136378 ]

Jonathan Gallimore commented on TOMEE-2294:
-------------------------------------------

Could you verify any of TomEE 7.1.3, 7.0.8 or 8.0.2? I included a fix specifically for this issue. It sounds like you tried 7.1.3, and had some success there.

Could you also drop me an email directly on jgallimore at apache dot org?

Thanks

Jon
[jira] [Commented] (TOMEE-2294) Can't disable unauthenticated JMX on 1099
[ https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17136316#comment-17136316 ]

Frans commented on TOMEE-2294:
------------------------------

So, I would recommend changing lines 66-74 to

{code:java}
static {
    String option = Boolean.FALSE.toString();
    try {
        option = System.getProperty("org.apache.activemq.broker.jmx.createConnector", "false");
    } catch (Exception ex) {
    }
    DEFAULT_CREATE_CONNECTOR = Boolean.valueOf(option);
}
{code}

and for now, I'll add that system property and set it to false.

And maybe add a call right at the start to setCreateConnector with the value from ?useJmx=

I'm seeing 0 references to that method in my workspace.

Cheers,
Frans
[jira] [Commented] (TOMEE-2294) Can't disable unauthenticated JMX on 1099
[ https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17136310#comment-17136310 ]

Frans commented on TOMEE-2294:
------------------------------

Okay! Finally some progress!

Looking at the log line

{code:java}
org.apache.activemq.broker.jmx.ManagementContext$1.run JMX consoles can connect to service:jmx:rmi:///jndi/rmi://localhost:1099/jmxrmi
{code}

I browsed through the tomee jars until I found org.apache.activemq.broker.jmx.ManagementContext in activemq-broker-5.15.10.jar

I used FernFlower to decompile the class, and found where the line was being logged. Scrolling around the class, I found that createConnector was the variable used to toggle whether or not to enable the dodgy unauthenticated JMX port, which is by default on connectorPort = 1099

createConnector defaults to true, and is overridden by a system property: org.apache.activemq.broker.jmx.createConnector

{code:java}
/**
 * Default activemq domain
 */
public static final String DEFAULT_DOMAIN = "org.apache.activemq";

static {
    String option = Boolean.TRUE.toString();
    try {
        option = System.getProperty("org.apache.activemq.broker.jmx.createConnector", "true");
    } catch (Exception ex) {
    }
    DEFAULT_CREATE_CONNECTOR = Boolean.valueOf(option);
}

public static final boolean DEFAULT_CREATE_CONNECTOR;
{code}

So it appears that any call to ManagementContext.getMbeanServer() - of which there are many - tries to find an mbean server

{code:java}
public MBeanServer getMBeanServer() {
    if (this.beanServer == null) {
        this.beanServer = findMBeanServer();
    }
    return beanServer;
}
{code}

Which then creates one if it's not been initialised

{code:java}
protected synchronized MBeanServer findMBeanServer() {
    MBeanServer result = null;

    try {
        if (useMBeanServer) {
            if (findTigerMbeanServer) {
                result = findTigerMBeanServer();
            }
            if (result == null) {
                // lets piggy back on another MBeanServer - we could be in an appserver!
                List<MBeanServer> list = MBeanServerFactory.findMBeanServer(null);
                if (list != null && list.size() > 0) {
                    result = list.get(0);
                }
            }
        }
        if (result == null && createMBeanServer) {
            result = createMBeanServer();
        }
    } catch (NoClassDefFoundError e) {
        LOG.error("Could not load MBeanServer", e);
    } catch (Throwable e) {
        // probably don't have access to system properties
        LOG.error("Failed to initialize MBeanServer", e);
    }
    return result;
}
{code}

And no matter whether it's looking for a tiger mbean server

{code:java}
public MBeanServer findTigerMBeanServer() {
    String name = "java.lang.management.ManagementFactory";
    Class type = loadClass(name, ManagementContext.class.getClassLoader());
    if (type != null) {
        try {
            Method method = type.getMethod("getPlatformMBeanServer", new Class[0]);
            if (method != null) {
                Object answer = method.invoke(null, new Object[0]);
                if (answer instanceof MBeanServer) {
                    if (createConnector) {
                        createConnector((MBeanServer)answer);
                    }
                    return (MBeanServer)answer;
                } else {
                    LOG.warn("Could not cast: {} into an MBeanServer. There must be some classloader strangeness in town", answer);
                }
            } else {
                LOG.warn("Method getPlatformMBeanServer() does not appear visible on type: {}", type.getName());
            }
        } catch (Exception e) {
            LOG.warn("Failed to call getPlatformMBeanServer() due to: ", e);
        }
    } else {
        LOG.trace("Class not found: {} so probably running on Java 1.4", name);
    }
    return null;
}
{code}

or creating a non-tiger mbean server

{code:java}
protected MBeanServer createMBeanServer() throws MalformedObjectNameException, IOException {
    MBeanServer mbeanServer = MBeanServerFactory.createMBeanServer(jmxDomainName);
    locallyCreateMBeanServer = true;
    if (createConnector) {
        createConnector(mbeanServer);
    }
    return mbeanServer;
}
{code}

it still does a check on createConnector.

And because the useJmx=false flag isn't propagated through to the setCreateConnector method before the first of these calls is made, and the hard coded default for creating this JMX port is true

{code:java}
public void setCreateConnector(boolean createConnector) {
    this.createConnector =
[jira] [Commented] (TOMEE-2294) Can't disable unauthenticated JMX on 1099
[ https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17136291#comment-17136291 ]

Frans commented on TOMEE-2294:
------------------------------

here are some relevant tomcat log lines

{code:java}
16-Jun-2020 10:34:19.366 INFO [JmsResourceAdapter-worker- - 3] org.apache.activemq.ra.ActiveMQEndpointWorker$1.run Establishing connection to broker [vm://broker]
16-Jun-2020 10:34:19.377 INFO [localhost-startStop-1] org.apache.openejb.assembler.classic.Assembler.startEjbs Started Ejb(deployment-id=W, ejb-name=W, container=My Stateless Container)
16-Jun-2020 10:34:19.377 INFO [localhost-startStop-1] org.apache.openejb.assembler.classic.Assembler.startEjbs Started Ejb(deployment-id=X, ejb-name=X, container=MessageDrivenContainer)
16-Jun-2020 10:34:19.377 INFO [localhost-startStop-1] org.apache.openejb.assembler.classic.Assembler.startEjbs Started Ejb(deployment-id=Y, ejb-name=Y, container=MessageDrivenContainer)
16-Jun-2020 10:34:19.377 INFO [localhost-startStop-1] org.apache.openejb.assembler.classic.Assembler.startEjbs Started Ejb(deployment-id=Z, ejb-name=Z, container=MessageDrivenContainer)
16-Jun-2020 10:34:19.380 INFO [localhost-startStop-1] org.apache.openejb.assembler.classic.Assembler.createApplication Deployed Application(path=C:\localserver\webapps\ROOT)
16-Jun-2020 10:34:19.410 WARNING [JmsResourceAdapter-worker- - 2] org.apache.activemq.broker.BrokerService.checkMemorySystemUsageLimits Memory Usage for the Broker (1024mb) is more than the maximum available for the JVM: 981 mb - resetting to 70% of maximum available: 687 mb
16-Jun-2020 10:34:19.413 INFO [JmsResourceAdapter-worker- - 2] org.apache.activemq.broker.BrokerService.doStartPersistenceAdapter Using Persistence Adapter: KahaDBPersistenceAdapter[C:\localserver\conf\activemq-data\broker\KahaDB]
16-Jun-2020 10:34:19.437 INFO [JMX connector] org.apache.activemq.broker.jmx.ManagementContext$1.run JMX consoles can connect to service:jmx:rmi:///jndi/rmi://localhost:1099/jmxrmi
{code}
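The `ManagementContext` line in these logs is the observable sign that the connector was created, so it can be searched for across server logs. The scanner below is an added example, not part of the thread or of TomEE/ActiveMQ; the class and method names are hypothetical, and the embedded sample lines are copied from the two captures posted in this thread (first with the system property commented out, then with it set).

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example (not TomEE or ActiveMQ code). Class and method names are hypothetical. */
public class JmxConnectorLogScan {

    /** One occurrence of the "JMX consoles can connect to" line. */
    static final class Finding {
        final String timestamp;
        final String serviceUrl;
        final String host;   // null when the URL carries no rmi://host:port/ part
        final int port;      // -1 when the URL carries no rmi://host:port/ part

        Finding(String timestamp, String serviceUrl, String host, int port) {
            this.timestamp = timestamp;
            this.serviceUrl = serviceUrl;
            this.host = host;
            this.port = port;
        }

        @Override
        public String toString() {
            return timestamp + " connector announced at " + host + ":" + port + " (" + serviceUrl + ")";
        }
    }

    // Layout taken from the log lines in this thread:
    // <date> <time> <LEVEL> [<thread>] <logger> JMX consoles can connect to <service URL>
    private static final Pattern CONNECTOR_LINE = Pattern.compile(
            "^(\\d{2}-\\w{3}-\\d{4} \\d{2}:\\d{2}:\\d{2}\\.\\d{3}) \\w+ \\[[^\\]]*\\] "
            + "org\\.apache\\.activemq\\.broker\\.jmx\\.ManagementContext\\S* "
            + "JMX consoles can connect to (service:jmx:\\S+)");

    // JNDI form of the URL: .../jndi/rmi://host:port/name
    private static final Pattern RMI_ENDPOINT = Pattern.compile("rmi://([^:/]+):(\\d+)/");

    static List<Finding> scan(List<String> lines) {
        List<Finding> findings = new ArrayList<>();
        for (String line : lines) {
            Matcher m = CONNECTOR_LINE.matcher(line.trim());
            if (!m.find()) {
                continue;
            }
            String url = m.group(2);
            Matcher endpoint = RMI_ENDPOINT.matcher(url);
            boolean hasEndpoint = endpoint.find();
            findings.add(new Finding(m.group(1), url,
                    hasEndpoint ? endpoint.group(1) : null,
                    hasEndpoint ? Integer.parseInt(endpoint.group(2)) : -1));
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        // Sample input: lines from the 22:17 start (property commented out) and the 22:19 start (property set).
        List<String> sample = Arrays.asList(
            "16-Jun-2020 22:17:22.963 INFO [JmsResourceAdapter-worker- - 2] org.apache.activemq.broker.BrokerService.doStartPersistenceAdapter Using Persistence Adapter: KahaDBPersistenceAdapter[C:localserver\\conf\\activemq-data\\broker\\KahaDB]",
            "16-Jun-2020 22:17:22.979 INFO [JMX connector] org.apache.activemq.broker.jmx.ManagementContext$1.run JMX consoles can connect to service:jmx:rmi:///jndi/rmi://localhost:1099/jmxrmi",
            "16-Jun-2020 22:17:23.003 INFO [JmsResourceAdapter-worker- - 2] org.apache.activemq.store.kahadb.MessageDatabase$Metadata.read KahaDB is version 6",
            "16-Jun-2020 22:19:27.359 INFO [JmsResourceAdapter-worker- - 1] org.apache.activemq.broker.BrokerService.doStartPersistenceAdapter Using Persistence Adapter: KahaDBPersistenceAdapter[C:\\localserver\\conf\\activemq-data\\broker\\KahaDB]",
            "16-Jun-2020 22:19:27.400 INFO [JmsResourceAdapter-worker- - 1] org.apache.activemq.store.kahadb.MessageDatabase$Metadata.read KahaDB is version 6");

        // With a path argument the scanner reads that log file instead of the embedded sample.
        List<String> lines = args.length > 0 ? Files.readAllLines(Paths.get(args[0])) : sample;
        List<Finding> findings = scan(lines);
        for (Finding f : findings) {
            System.out.println(f);
        }
        // Non-zero exit when any start announced the connector, so the scan can gate a deployment.
        System.exit(findings.isEmpty() ? 0 : 1);
    }
}
```

On the embedded sample the scan reports a single finding, for the 22:17 start, and none for the 22:19 start where the property was set.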
[jira] [Commented] (TOMEE-2294) Can't disable unauthenticated JMX on 1099
[ https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17136214#comment-17136214 ]

Frans commented on TOMEE-2294:
------------------------------

[~jgallimore] I've had a go with tomee-8. Historically I've been using the apache-catalina-remote-X.jar jmx connectors which have been merged in to catalina.jar, and changed so that very specific settings need to be set on jmx.a and jmx.p before JMX will work. I've managed to get this working locally, but it didn't help with the 1099 issue.

[~rzo1] switching back to tomee 7.1.2 (and now 7.1.3), I found that if I took the project and stripped it back to the absolute bare minimum of function, 1099 did not appear.

However, as noted in the initial bug report, if I inspect the jar, find the version of ActiveMQ being used, pull down activemq-all and use the different settings, 1099 also does not appear, and the jmx settings configured in JAVA_OPTS, only the secured port specified in JAVA_OPTS works.

I'm now trying to get the pared back example and add in sections of the code. When something causes 1099 to trigger, I'll pare that part back until it disappears again. Hopefully I'll be able to report back what thing is causing 1099 to show up in the pared-back ActiveMQ jar.
[jira] [Commented] (TOMEE-2294) Can't disable unauthenticated JMX on 1099
[ https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17105244#comment-17105244 ]

Jonathan Gallimore commented on TOMEE-2294:
-------------------------------------------

[~Henskens] could you test with this snapshot please?

https://repository.apache.org/content/groups/snapshots/org/apache/tomee/apache-tomee/8.0.2-SNAPSHOT/apache-tomee-8.0.2-20200512.041932-82-plus.tar.gz
[jira] [Commented] (TOMEE-2294) Can't disable unauthenticated JMX on 1099
[ https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17104128#comment-17104128 ]

Richard Zowalla commented on TOMEE-2294:
----------------------------------------

Can you provide a minimal example to reproduce the issue? Anything that might help us reproduce the issue from scratch with minimal config.
[jira] [Commented] (TOMEE-2294) Can't disable unauthenticated JMX on 1099
[ https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17102349#comment-17102349 ]

Richard Zowalla commented on TOMEE-2294:
----------------------------------------

I remember that the openejb.xml is used for OpenEJB standalone, while in TomEE it is called tomee.xml, found in the conf directory of the TomEE (according to a blog post by Romain).

So I would give it a try with tomee.xml but [~jgallimore] might correct me :)
[jira] [Commented] (TOMEE-2294) Can't disable unauthenticated JMX on 1099
[ https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17102316#comment-17102316 ]

Frans commented on TOMEE-2294:
------------------------------

When I had the authenticated JMX port configured before in TomEE 7.1.1, it was working as intended, but the 1099 port was also sitting there allowing unauthenticated access.
[jira] [Commented] (TOMEE-2294) Can't disable unauthenticated JMX on 1099
[ https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17102312#comment-17102312 ]

Frans commented on TOMEE-2294:
------------------------------

[~jgallimore] I want to:
# Disable ActiveMQ's unsecured JMX
# Enable a JMX port with authentication
# Poll that with credentials that monitor my application

I'm using openejb.xml rather than tomee.xml as it was part of the tutorial I followed to get TomEE working initially. If you think switching the name of the config file over will help, I'll give it a shot.

As noted above, changing the version of ActiveMQ to activemq-all and using the broker configuration it uses.

Having broker:(vm://broker)?useJmx=false or broker:(vm://broker) both result in the open port.

The line used to run TomEE is:
{code:java}
@rem this is the TomEE dir
set CATALINA_HOME=XX
set CLASSPATH=%JAVA_HOME%\lib\tools.jar
set CLASSPATH=%CLASSPATH%;%CATALINA_HOME%\bin\bootstrap.jar
set CLASSPATH=%CLASSPATH%;%CATALINA_HOME%\bin\tomcat-juli.jar
set MAINCLASS=org.apache.catalina.startup.Bootstrap
set JAVA_OPTS=-Duser.country=XX
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Duser.language=XX
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Duser.timezone=XX
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-XX:-OmitStackTraceInFastThrow
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-XX:+HeapDumpOnOutOfMemoryError
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-XX:MaxMetaspaceSize=XX
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-XX:+PrintGCDetails
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-XX:+PrintGCDateStamps
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-XX:+UseGCLogFileRotation
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-XX:NumberOfGCLogFiles=XX
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-XX:GCLogFileSize=XX
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Xloggc:XX
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Dcatalina.base="%CATALINA_BASE%"
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Dcatalina.home="%CATALINA_HOME%"
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Djava.endorsed.dirs="%JAVA_ENDORSED_DIRS%"
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Djava.io.tmpdir="%CATALINA_TMPDIR%"
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Dfile.encoding=XX
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Djava.net.preferIPv4Stack=XX
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Djavax.xml.stream.XMLInputFactory=com.sun.xml.internal.stream.XMLInputFactoryImpl
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Djavax.xml.stream.XMLOutputFactory=com.sun.xml.internal.stream.XMLOutputFactoryImpl
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Djavax.xml.parsers.DocumentBuilderFactory=com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Djavax.xml.parsers.SAXParserFactory=com.sun.org.apache.xerces.internal.jaxp.SAXParserFactoryImpl
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Xbootclasspath/p:XX
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Djdk.tls.client.protocols=%TLS_CLIENT_PROTOCOLS%
set JAVA_OPTS=%JAVA_OPTS%%SEPARATOR%-Djava.util.logging.config.file=XX
set CMDLINE=%JAVA_VM% %MEM_ARGS% %JAVA_OPTS% %* -classpath "%CLASSPATH%" %MAINCLASS% start
"%JAVA_HOME%\bin\java" %CMDLINE%
{code}
When I can get rid of the 1099 port, I'll need to add in the JMX parameters again, or configure them elsewhere.

server.xml contains
{code:java}
{code}
Both of these ports are configured, and none of them are 1099
[jira] [Commented] (TOMEE-2294) Can't disable unauthenticated JMX on 1099
[ https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17101507#comment-17101507 ]

Jonathan Gallimore commented on TOMEE-2294:
-------------------------------------------

All this being said, it's completely reasonable that you'd want to turn on JMX for ActiveMQ, but not open the port. You may wish to configure the JMX port using JVM arguments, and you may just wish to connect locally (directly to the process, and not via a port).

We should allow JMX to be enabled, and not open the port.
[jira] [Commented] (TOMEE-2294) Can't disable unauthenticated JMX on 1099
[ https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17101501#comment-17101501 ]

Jonathan Gallimore commented on TOMEE-2294:
-------------------------------------------

I did a check here, and I'm not seeing port 1099 open. I'll trace through where we might call org.apache.activemq.broker.jmx.ManagementContext in TomEE, and see if there's anything I'm missing. Setting ?useJmx=true (as opposed to useJmx=false) does open the port.

It would be useful to get the command line you're using to run TomEE (I usually do 'ps -ef | grep Bootstrap' to get this). If there's anything sensitive on there, please remove it before posting. It would also be useful to know if you're using an out of the box zip/.tar.gz, or if you're deploying openejb.war in Tomcat (or something else). Anything that might help us reproduce the issue from scratch with minimal config.
[jira] [Commented] (TOMEE-2294) Can't disable unauthenticated JMX on 1099
[ https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17099646#comment-17099646 ]

Richard Zowalla commented on TOMEE-2294:
----------------------------------------

Hi [~Henskens]

I followed my procedure described above and no 1099 is open. Why did you use the openejb.xml? You could try to deactivate it in the tomee.xml or perhaps in the resources.xml of your application

> Can't disable unauthenticated JMX on 1099
> -----------------------------------------
>
>                 Key: TOMEE-2294
>                 URL: https://issues.apache.org/jira/browse/TOMEE-2294
>             Project: TomEE
>          Issue Type: Bug
>          Components: TomEE Core Server
>            Reporter: Frans
>            Priority: Major
>             Fix For: 8.0.2
[jira] [Commented] (TOMEE-2294) Can't disable unauthenticated JMX on 1099
[ https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17099482#comment-17099482 ]

Frans commented on TOMEE-2294:
------------------------------

[~rzo1] I've just tried updating to TomEE 8.0.1, and the issue persists.

In openejb.xml:
{code:java}
BrokerXmlConfig = broker:(vm://broker)?useJmx=false
ServerUrl = vm://broker
{code}
Then, in the tomcat.log on startup:
{code:java}
20005-May-2020 11:49:12.913 INFO [JMX connector] org.apache.activemq.broker.jmx.ManagementContext$1.run JMX consoles can connect to service:jmx:rmi:///jndi/rmi://localhost:1099/jmxrmi
{code}
I checked this in JConsole, and it is still there, an unauthenticated open JMX port.
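A cross-check of the symptom reported in the comment above (configuration says useJmx=false, startup log still announces a connector), written as an added example that is not part of the thread or of TomEE's code. The function names are hypothetical and the sample config and log text are constructed from the excerpts quoted in the thread.

```python
import re

# Line ActiveMQ's ManagementContext logs when it opens a JMX connector
# (wording taken from the tomcat.log excerpt quoted in the thread).
CONNECTOR_LINE = re.compile(
    r"ManagementContext\S*\s+JMX consoles can connect to\s+(service:jmx:\S+)"
)
RMI_ENDPOINT = re.compile(r"rmi://(?P<host>[^/:\s]+):(?P<port>\d+)")
BROKER_CONFIG = re.compile(r"^\s*BrokerXmlConfig\s*=\s*(\S+)", re.MULTILINE)

# Constructed sample input, modelled on the thread's openejb.xml and tomcat.log.
SAMPLE_CONFIG = """\
BrokerXmlConfig = broker:(vm://broker)?useJmx=false
ServerUrl = vm://broker
"""
SAMPLE_LOG = """\
01-Jan-2020 00:00:00.000 INFO [JMX connector] org.apache.activemq.broker.jmx.ManagementContext$1.run JMX consoles can connect to service:jmx:rmi:///jndi/rmi://localhost:1099/jmxrmi
01-Jan-2020 00:00:00.100 INFO [main] org.apache.catalina.startup.Catalina.start Server startup
"""


def use_jmx_setting(broker_uri):
    """Return True/False for an explicit useJmx option, None if it is absent.

    None also covers xbean:file:... values, where the setting lives in a
    separate activemq.xml that this check does not read.
    """
    _, _, query = broker_uri.partition("?")
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == "useJmx":
            return value.strip().lower() == "true"
    return None


def jmx_connectors(log_text):
    """Return (host, port) for every connector the broker announced."""
    found = []
    for line in log_text.splitlines():
        match = CONNECTOR_LINE.search(line)
        if not match:
            continue
        endpoint = RMI_ENDPOINT.search(match.group(1))
        if endpoint:
            found.append((endpoint["host"], int(endpoint["port"])))
    return found


def audit(config_text, log_text):
    """Compare what the resource config requests with what the log shows."""
    settings = [use_jmx_setting(v) for v in BROKER_CONFIG.findall(config_text)]
    connectors = jmx_connectors(log_text)
    if not connectors:
        return "ok: no ActiveMQ JMX connector logged"
    ports = ",".join(str(port) for _, port in connectors)
    if settings and all(s is False for s in settings):
        return f"mismatch: useJmx=false configured but connector on port {ports}"
    return f"exposed: connector on port {ports}, useJmx not disabled in config"


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, SAMPLE_LOG))
```

A missing log line only shows that ActiveMQ did not announce a connector, so confirm the result against the host's listening sockets before treating the port as closed.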
[jira] [Commented] (TOMEE-2294) Can't disable unauthenticated JMX on 1099
[ https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16927292#comment-16927292 ]

Richard Zowalla commented on TOMEE-2294:
----------------------------------------

Can you verify that it works for you in M3 or 7.1.1?

> Can't disable unauthenticated JMX on 1099
> -----------------------------------------
>
>                 Key: TOMEE-2294
>                 URL: https://issues.apache.org/jira/browse/TOMEE-2294
>             Project: TomEE
>          Issue Type: Bug
>          Components: TomEE Core Server
>            Reporter: Frans
>            Priority: Major
>             Fix For: 8.0.0-Final
[jira] [Commented] (TOMEE-2294) Can't disable unauthenticated JMX on 1099
[ https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16927219#comment-16927219 ]

Frans commented on TOMEE-2294:
------------------------------

I believe I checked this in TomEE 7.1.0

Glad to know it's fixed in the upcoming release! Thanks!
[jira] [Commented] (TOMEE-2294) Can't disable unauthenticated JMX on 1099
[ https://issues.apache.org/jira/browse/TOMEE-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16925973#comment-16925973 ]

Richard Zowalla commented on TOMEE-2294:
----------------------------------------

Hi,

I was trying to reproduce this issue. What I did:

1. Fetched TomEE Plume 8.0.0-M3

2. Configured tomee.xml as follows
{code:java}
BrokerXmlConfig = broker:(vm://broker)
ServerUrl = vm://broker
ResourceAdapter = MyJmsResourceAdapter
ResourceAdapter = MyJmsResourceAdapter
{code}
3. Start up TomEE -> JMX connection via 1099 is possible as described in the issue.

4. Shut down TomEE and change tomee.xml to
{code:java}
BrokerXmlConfig = broker:(vm://broker)?useJmx=false
ServerUrl = vm://broker
ResourceAdapter = MyJmsResourceAdapter
ResourceAdapter = MyJmsResourceAdapter
{code}
5. Start up TomEE and check open ports. No 1099 appears.

I used the config provided here https://tomee.apache.org/latest/docs/jms-resources-and-mdb-container.html for testing purposes.

Did you check this behaviour with TomEE 8.0.0-M3?