Skip to content

Instantly share code, notes, and snippets.

@rezamt
Created April 22, 2019 11:57
Show Gist options
  • Save rezamt/e4ad558b9e385883edbdc0d7eb8e99c3 to your computer and use it in GitHub Desktop.
Save rezamt/e4ad558b9e385883edbdc0d7eb8e99c3 to your computer and use it in GitHub Desktop.
jolokia-access.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
Sample definitions for restricting the access to the Jolokia agent. Adapt this
file and copy it over to 'jolokia-access.xml', which get's evaluated during
runtime (if included in the war).
You can restrict the available methods in principale as well as the accessible
attributes and operations in detail.
-->
<restrict>
<!-- List of remote hosts which are allowed to access this agent. The name can be
given as IP or FQDN. If any of the given hosts matches, access will be allowed
(respecting further restrictions, though). If <remote> ... </remote> is given
without any host no access is allowed at all (probably not what you want).
You can also specify a subnetmask behind a numeric IP adress in which case any
host within the specified subnet is allowed to access the agent. The netmask can
be given either in CIDR format (e.g "/16") or as a full netmask (e.g. "/255.255.0.0")
-->
<!--
<remote>
<host>127.0.0.1</host>
<host>localhost</host>
<host>10.0.0.0/16</host>
</remote>
-->
<!--
List of allowed commands.
If this sections is present, it influence the following section.
For each command type present, the principle behaviour is allow this command for all
MBeans. To remove an MBean (attribute/operation), a <deny> section has to be added.
For each comman type missing, the command is disabled by default. For certain MBeans
it can be selectively by enabled by using an <allow> section below
Known types are:
* read
* write
* exec
* list
* version
* search
A missing <commands> section implies that every operation type is allowed (and can
be selectively controlled by a <deny> section)
-->
<commands>
<command>read</command>
<command>write</command>
<command>exec</command>
<command>list</command>
<command>version</command>
<command>search</command>
</commands>
<!--
Restrict access only via the specified methods
Example which allows only POST requests:
<http>
<method>post</method>
</http>
-->
<!--
Cross origin protection (CORS).
You can configure which cross origins are given allowance by the browser.
With strict-checking, the Origin: header can be also be checked on the server side,
which results in an error if it doesn't match any specified pattern.
-->
<!--
Example which allows access from www.jolokia.org and the domain jmx4perl.org for CORS
but does also server side check to prevent CSRF attacks:
<cors>
<allow-origin>http://www.jolokia.org</allow-origin>
<allow-origin>*://*.jmx4perl.org</allow-origin>
<strict-checking/>
</cors>
-->
<!-- For each command type missing in a given <commands> section, for certain MBeans (which
can be a pattern, too) an command be allowed. Note that an <allow> entry e.g. for reading
an attribute of an certain MBean has no influence if reading is enabled globally anyway -->
<allow>
<!-- Allow for this MBean the attribute "HeapMemoryUsage" for reading and writing, the attribute
"Verbose" for reading only and the operation "gc". "read", "write" and/or "exec" has to be omitted
in the <commands> section above.
Example: ->
<mbean>
<name>java.lang:type=Memory</name>
<attribute>HeapMemoryUsage</attribute>
<attribute mode="read">Verbose</attribute>
<operation>gc</operation>
</mbean>
<mbean>
<name>java.lang:type=Threading</name>
<attribute>ThreadCount</attribute>
</mbean>
-->
<!-- Allow access to the j4p configuration operations, which are needed for proper check_jmx4perl
operation -->
<mbean>
<name>jolokia:type=Config</name>
<operation>*</operation>
<attribute>*</attribute>
</mbean>
<mbean>
<name>java.lang:type=Threading</name>
<operation>findDeadlockedThreads</operation>
</mbean>
</allow>
<!-- MBean access can be restricted by a <deny> section for commands enabled in a <commands> section
(or when the <commands> section is missing completely in which case all commands are allowed)
-->
<deny>
<mbean>
<!-- Exposes user/password of data source, so we forbid this one -->
<name>com.mchange.v2.c3p0:type=PooledDataSource,*</name>
<attribute>properties</attribute>
</mbean>
</deny>
</restrict>
<!--
~ Copyright 2009-2014 Roland Huss
~
~ Licensed under the Apache License, Version 2.0 (the "License");
~ you may not use this file except in compliance with the License.
~ You may obtain a copy of the License at
~
~ http://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing, software
~ distributed under the License is distributed on an "AS IS" BASIS,
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
~ See the License for the specific language governing permissions and
~ limitations under the License.
-->
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment