
I don't want to bother with SSL and passwords each time, but still don't want my program's JMX functionality reachable by others on the LAN.

I populated my ~/.java.policy thus:

grant principal javax.management.remote.JMXPrincipal "*" {
    permission java.net.SocketPermission "127.0.0.1", "accept";
    permission java.net.SocketPermission "my.lan.ip.addr", "accept";
    permission java.net.SocketPermission "another.lan.ip.addr", "accept";
    permission java.net.SocketPermission "*", "resolve";
}

Unfortunately, this does not seem to have an effect -- when the program is started with:

  • -Djava.security.manager
  • -Dcom.sun.management.jmxremote.ssl=false
  • -Dcom.sun.management.jmxremote.authenticate=false
  • -Dcom.sun.management.jmxremote
  • -Dcom.sun.management.jmxremote.port=1234

its JMX functionality remains accessible from anywhere, not just from the few IPs listed.

How do I do this correctly? Thank you!

Mikhail T.
  • Have you considered just using an OS level firewall? (I.e. not using java) – Atmas Aug 26 '21 at 13:56
  • I have, but that requires `root`-privileges, which -- in our setup -- requires coordination with too many people to be feasible :( – Mikhail T. Sep 03 '21 at 15:48
  • do you know (for sure) that the security manager is using your policy file? Have you tried using `-Djava.security.policy=` to tell the security manager which policy file to use? – Stephen C Aug 08 '23 at 02:30
  • Maybe there are other useful clues here: https://docs.oracle.com/javadb/10.10.1.2/adminguide/radminjmxenablepwdssl.html – Stephen C Aug 08 '23 at 02:34
  • No, [that article](https://docs.oracle.com/javadb/10.10.1.2/adminguide/radminjmxenablepwdssl.html) is about authenticating by username/password -- I am looking for means to allow passwordless access to JMX, but only from a (small) group of IP-addresses. – Mikhail T. Aug 08 '23 at 12:39
  • The `${user.home}/.java.policy`, if available, is always loaded after the `${java.home}/lib/security/java.policy`, according to [Java documentation](https://docs.oracle.com/javase/tutorial/security/tour2/step4.html). – Mikhail T. Aug 09 '23 at 17:16
  • @MikhailT. The policy file is probably ignored altogether due to `com.sun.management.jmxremote.authenticate=false`. At least dummy credentials like `guest:guest` should be used and set that property to true. – LMC Aug 14 '23 at 21:20

1 Answer

I think this is not possible.

For the JMXPrincipal, the source code of e.g. the OpenJDK JMX classes shows that you always require a user/role; a wildcard does not imply that you don't need a user/authentication. Also, all other classes (in the JMX package) don't instantiate a Socket, which is what uses the java.net.SocketPermission class. The javax.management.remote.rmi.RMIConnectorServer, which is the only class that extends JMXConnectorServer and which is instantiated after the VM command line parameters are read, uses the SocketPermission via the LoaderHandler. Also, looking at the policy examples from the OpenJDK, you can either restrict JMX access to a user/role or you can restrict the general access to the JVM via permission java.net.SocketPermission.

Update, one day later

After thinking a while about it, maybe using only SocketPermission may work. If you look into the code, you can specify port ranges. Unfortunately it is not possible to specify a network address with its mask, but you could in general allow all IPs access to all ports except the JMX port and afterwards add permissions for your IP. This also requires that you start your java process with

-Dcom.sun.management.jmxremote.port=9010
-Dcom.sun.management.jmxremote.rmi.port=9010

and then the permission would look like this:

grant {
    permission java.net.SocketPermission "*:1-9009", "listen,resolve,connect,accept";
    permission java.net.SocketPermission "*:9011-65535", "listen,resolve,connect,accept";
    permission java.net.SocketPermission "127.0.0.1:9010", "accept";
    permission java.net.SocketPermission "my.lan.ip.addr:9010", "accept";
    permission java.net.SocketPermission "another.lan.ip.addr:9010", "accept";
}

Westranger
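An added check, not code from either post: it reproduces the answer's grant block in a `java.security.Permissions` collection (with constructed IPs 192.168.1.10 and 192.168.1.20 standing in for `my.lan.ip.addr` and `another.lan.ip.addr`) and evaluates the same `SocketPermission.implies()` question the security manager asks. One caveat a practitioner should keep in mind: `SecurityManager.checkAccept(host, port)` is invoked by `ServerSocket.accept()` with the remote peer's address and the peer's source port, so the port in an `accept` permission is matched against the client's ephemeral port, not the local JMX port 9010; the third probe below makes that visible.

```java
import java.net.SocketPermission;
import java.security.Permissions;

public class JmxAcceptPolicyCheck {

    // Constructed stand-ins for "my.lan.ip.addr" / "another.lan.ip.addr" in the answer.
    static final String LAN_A = "192.168.1.10";
    static final String LAN_B = "192.168.1.20";

    // Mirrors the grant block from the answer. IP literals only, so no DNS lookups happen.
    static Permissions answerPolicy() {
        Permissions p = new Permissions();
        String all = "listen,resolve,connect,accept";
        p.add(new SocketPermission("*:1-9009", all));
        p.add(new SocketPermission("*:9011-65535", all));
        p.add(new SocketPermission("127.0.0.1:9010", "accept"));
        p.add(new SocketPermission(LAN_A + ":9010", "accept"));
        p.add(new SocketPermission(LAN_B + ":9010", "accept"));
        return p;
    }

    // The question SecurityManager.checkAccept(host, port) asks after ServerSocket.accept():
    // host and port are the remote peer's address and the peer's own source port.
    static boolean acceptAllowed(Permissions policy, String peerHost, int peerPort) {
        return policy.implies(new SocketPermission(peerHost + ":" + peerPort, "accept"));
    }

    public static void main(String[] args) {
        Permissions policy = answerPolicy();
        // Constructed probes: listed host, unlisted host on port 9010, unlisted host on an
        // ephemeral source port (the case a real TCP client actually presents).
        String[][] peers = {
            {LAN_A, "9010"},
            {"10.0.0.99", "9010"},
            {"10.0.0.99", "51234"},
        };
        for (String[] peer : peers) {
            boolean allowed = acceptAllowed(policy, peer[0], Integer.parseInt(peer[1]));
            System.out.printf("accept connection from %s:%s -> %b%n", peer[0], peer[1], allowed);
        }
    }
}
```

Because the two wildcard entries grant `accept` on every port except 9010 for every host, the only peers this policy rejects are those whose source port happens to be 9010, which is why the result for the unlisted host on an ephemeral port deserves a close look before relying on the approach; note also that policy-file enforcement depends on a security manager being installed at all, which JDK 24 (JEP 486) no longer supports.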