Created
April 22, 2019 11:57
jolokia-access.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Sample definitions for restricting the access to the Jolokia agent. Adapt this
  file and copy it over to 'jolokia-access.xml', which gets evaluated during
  runtime (if included in the war).
  You can restrict the available methods in principle as well as the accessible
  attributes and operations in detail.
-->
<restrict>
  <!-- List of remote hosts which are allowed to access this agent. The name can be
       given as IP or FQDN. If any of the given hosts matches, access will be allowed
       (respecting further restrictions, though). If <remote> ... </remote> is given
       without any host no access is allowed at all (probably not what you want).
       You can also specify a subnet mask behind a numeric IP address in which case any
       host within the specified subnet is allowed to access the agent. The netmask can
       be given either in CIDR format (e.g. "/16") or as a full netmask (e.g. "/255.255.0.0")
  -->
  <!--
  <remote>
    <host>127.0.0.1</host>
    <host>localhost</host>
    <host>10.0.0.0/16</host>
  </remote>
  -->
  <!--
  List of allowed commands.
  If this section is present, it influences the following section.
  For each command type present, the principal behaviour is to allow this command for all
  MBeans. To remove an MBean (attribute/operation), a <deny> section has to be added.
  For each command type missing, the command is disabled by default. For certain MBeans
  it can be selectively enabled by using an <allow> section below.
  Known types are:
    * read
    * write
    * exec
    * list
    * version
    * search
  A missing <commands> section implies that every operation type is allowed (and can
  be selectively controlled by a <deny> section)
  -->
  <commands>
    <command>read</command>
    <command>write</command>
    <command>exec</command>
    <command>list</command>
    <command>version</command>
    <command>search</command>
  </commands>
  <!--
  Restrict access to the specified HTTP methods only.
  Example which allows only POST requests:
  <http>
    <method>post</method>
  </http>
  -->
  <!--
  Cross origin protection (CORS).
  You can configure which cross origins are given allowance by the browser.
  With strict-checking, the Origin: header can also be checked on the server side,
  which results in an error if it doesn't match any specified pattern.
  -->
  <!--
  Example which allows access from www.jolokia.org and the domain jmx4perl.org for CORS
  but also does a server-side check to prevent CSRF attacks:
  <cors>
    <allow-origin>http://www.jolokia.org</allow-origin>
    <allow-origin>*://*.jmx4perl.org</allow-origin>
    <strict-checking/>
  </cors>
  -->
  <!-- For each command type missing in a given <commands> section, for certain MBeans (which
       can be a pattern, too) a command can be allowed. Note that an <allow> entry e.g. for reading
       an attribute of a certain MBean has no influence if reading is enabled globally anyway -->
  <allow>
    <!-- Allow for this MBean the attribute "HeapMemoryUsage" for reading and writing, the attribute
         "Verbose" for reading only and the operation "gc". "read", "write" and/or "exec" have to be omitted
         in the <commands> section above.
         Example: ->
    <mbean>
      <name>java.lang:type=Memory</name>
      <attribute>HeapMemoryUsage</attribute>
      <attribute mode="read">Verbose</attribute>
      <operation>gc</operation>
    </mbean>
    <mbean>
      <name>java.lang:type=Threading</name>
      <attribute>ThreadCount</attribute>
    </mbean>
    -->
    <!-- Allow access to the j4p configuration operations, which are needed for proper check_jmx4perl
         operation -->
    <mbean>
      <name>jolokia:type=Config</name>
      <operation>*</operation>
      <attribute>*</attribute>
    </mbean>
    <mbean>
      <name>java.lang:type=Threading</name>
      <operation>findDeadlockedThreads</operation>
    </mbean>
  </allow>
  <!-- MBean access can be restricted by a <deny> section for commands enabled in a <commands> section
       (or when the <commands> section is missing completely in which case all commands are allowed)
  -->
  <deny>
    <mbean>
      <!-- Exposes user/password of data source, so we forbid this one -->
      <name>com.mchange.v2.c3p0:type=PooledDataSource,*</name>
      <attribute>properties</attribute>
    </mbean>
  </deny>
</restrict>
<!--
  ~ Copyright 2009-2014 Roland Huss
  ~
  ~ Licensed under the Apache License, Version 2.0 (the "License");
  ~ you may not use this file except in compliance with the License.
  ~ You may obtain a copy of the License at
  ~
  ~       http://www.apache.org/licenses/LICENSE-2.0
  ~
  ~ Unless required by applicable law or agreed to in writing, software
  ~ distributed under the License is distributed on an "AS IS" BASIS,
  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  ~ See the License for the specific language governing permissions and
  ~ limitations under the License.
-->
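An added example, not part of the original gist or of the Jolokia project: a small Python check that parses a jolokia-access.xml policy and reports which of the restrictions described in the file's comments are not in effect. The `audit` function, the finding names and both sample policies are constructed for illustration; it assumes that a missing `<remote>` or `<http>` section means no restriction, in the same way the comments state for a missing `<commands>` section.

```python
import xml.etree.ElementTree as ET

ALL_COMMANDS = {"read", "write", "exec", "list", "version", "search"}

# Constructed sample: the active <commands> and <deny> elements of the file above.
PAGE_POLICY = """<restrict>
  <commands>
    <command>read</command><command>write</command><command>exec</command>
    <command>list</command><command>version</command><command>search</command>
  </commands>
  <deny><mbean><name>com.mchange.v2.c3p0:type=PooledDataSource,*</name>
    <attribute>properties</attribute></mbean></deny>
</restrict>"""

# Constructed tighter variant using only elements the file's comments describe.
# The origin https://monitoring.example is a placeholder.
TIGHT_POLICY = """<restrict>
  <remote><host>127.0.0.1</host></remote>
  <commands><command>read</command><command>list</command>
    <command>version</command><command>search</command></commands>
  <http><method>post</method></http>
  <cors><allow-origin>https://monitoring.example</allow-origin>
    <strict-checking/></cors>
</restrict>"""


def audit(policy_xml):
    """Return sorted finding names (hypothetical labels) for a policy string."""
    root = ET.fromstring(policy_xml)
    findings = set()
    remote = root.find("remote")
    if remote is None:
        findings.add("remote-unrestricted")        # assumed: no section, no host filter
    elif not remote.findall("host"):
        findings.add("remote-blocks-all")          # <remote> without hosts denies everyone
    commands = root.find("commands")
    if commands is None:
        enabled = set(ALL_COMMANDS)                # missing section: every type allowed
    else:
        enabled = {(c.text or "").strip() for c in commands.findall("command")}
    for risky in ("write", "exec"):
        if risky in enabled:
            findings.add(risky + "-enabled-globally")
    if not root.findall("http/method"):
        findings.add("http-methods-unrestricted")  # assumed: no section, any method
    if root.find("cors/strict-checking") is None:
        findings.add("no-server-side-origin-check")
    return sorted(findings)
```

Run against the policy as published, `audit(PAGE_POLICY)` reports every check; `audit(TIGHT_POLICY)` reports none.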