how to set authentication credentials for JMX in spring boot?

Question

I have enabled JMX in my spring boot application. I am able to set/get properties on using Jconsole. I want to add authentication (username/password) for connecting to the MBeanServer. I prefer annotation based if possible.

Here is my JMXBean.

@ManagedResource(objectName = "Examples:type=JMX,name=Resource")
public class Resource {
    List<String> items = new ArrayList<>();

    @ManagedAttribute
    public String getLastItem() {
        return items.get(getSize()-1);
    }

    @ManagedAttribute
    public int getSize() {
        return items.size();
    }

    @ManagedOperation
    public void addItem(String item) {
        items.add(item);
    }

    @ManagedOperation
    public String getItem(int pos) {
        return items.get(pos);
    }

    @ManagedOperation
    public List<String> getItems() {
        return items;
    }


}

Currently I do not have any XML configuration.

I have the bean initialized in my configuration

@Configuration
@EnableAutoConfiguration
@ComponentScan
public class Application extends SpringBootServletInitializer {

    public static void main(final String[] args) {
        SpringApplication.run(Application.class, args);
    }

    @Override
    protected final SpringApplicationBuilder configure(final SpringApplicationBuilder application) {
        return application.sources(Application.class);
    }

    @Bean
    public Resource jmxResource() {
        return new Resource();
    }
}

no, I did not enable remote. I am looking out for configuration on how to do it. — brain storm, Jul 24 '15 at 21:57

hzpz · Accepted Answer · 2016-10-20T19:35:12.007

3

To enable remote JMX access, you need to start your Spring Boot application with the following JVM parameter:

-Dcom.sun.management.jmxremote.port=<port>

To configure file-based password authentication, add the following parameter:

-Dcom.sun.management.jmxremote.password.file=<file>

There are two predefined users: monitorRole and controlRole. By default, the former has only read access, the latter may also write (see $JRE_HOME/lib/management/jmxremote.access). Use jmxremote.password.template in $JRE_HOME/lib/management as a template for the password file and stick to those usernames. For example:

monitorRole <password>
controlRole <password>

Log in using either of those usernames and the password you specified.

Be advised that when using this method, passwords are stored in plain text and it is not recommended for production use. See the documentation on how to set up authentication using SSL client certificates or LDAP.

edited Oct 20 '16 at 19:35

answered Jul 24 '15 at 22:15

hzpz

7,536
1
38
44

what would be username? All I see in my template is `# monitorRole QED # controlRole R&D`. – brain storm Jul 25 '15 at 01:06
Don't let yourself be fooled by the "role" part, those are in fact the usernames. See my updated answer. – hzpz Jul 25 '15 at 09:23
thanks. can I replace "monitorRole" with a different userName – brain storm Jul 25 '15 at 21:50
Yes, you can. But then you would also have to grant access rights to that username via the `jmxremote.access` file. Don't make things complicated and just stick with the predefined usernames. – hzpz Jul 26 '15 at 09:16

how to set authentication credentials for JMX in spring boot?

1 Answers1