3 Replies Latest reply on Mar 11, 2005 7:51 AM by Ricardo Arguello

    how to set Tomcat context valve for jmx-console?

    Hany Bee Newbie

      How can I set the context valve for jmx-console? The goal is that, I want to let only certain IP addresses to access jmx-console, and not everyone.

      I want to do something like

      <Context path="/jmx-console" docBase="jmx-console.war">
       <Valve className="org.apache.catalina.valves.RemoteAddrValve"
       allow="192.168.10.10,192.168.10.15"/>
      </Context>
      


      But if I add this to Tomcat's server.xml file, nothing can be deployed, and Jboss throws a ton of error messages about failed deployment. Basically, almost everything under the deploy directory can't be deployed.

      How can I use the context valve in Tomcat to do that? Or is there a better way?

      Thanks


        • 1. Re: how to set Tomcat context valve for jmx-console?
          Luca Stancapiano Apprentice

          hi...
          in jboss is recomended to use jaas or securityInterceptors about security. With jaas you must write a module that allows or deny by IP address. With Interceptors you can to extend RemoteAddrValve class and transform it in a interceptor because i've seen that class uses a kind of reflection. After you've done it, modify in server_root/deploy/jmx-invoker-service.xml :


          <mbean code="org.jboss.invocation.jrmp.server.JRMPProxyFactory" name="jboss.jmx:type=adaptor,name=Invoker,protocol=jrmp,service=proxyFactory">
          -
           <!--
           Use the standard JRMPInvoker from conf/jboss-service.xxml
          -->
          <depends optional-attribute-name="InvokerName">jboss:service=invoker,type=jrmp</depends>
          -
           <!--
           The target MBean is the InvokerAdaptorService configured below
          -->
          <depends optional-attribute-name="TargetName">jboss.jmx:type=adaptor,name=Invoker</depends>
          <!-- Where to bind the RMIAdaptor proxy -->
          <attribute name="JndiName">jmx/invoker/RMIAdaptor</attribute>
          <!-- The RMI compabitle MBeanServer interface -->
          -
           <attribute name="ExportedInterfaces">
          org.jboss.jmx.adaptor.rmi.RMIAdaptor,
           org.jboss.jmx.adaptor.rmi.RMIAdaptorExt
          
          </attribute>
          -
           <attribute name="ClientInterceptors">
          -
           <interceptors>
          <interceptor>org.jboss.proxy.ClientMethodInterceptor</interceptor>
           <interceptor allows="192.168.10.10,192.168.10.15">your.package.RemoteAddrValveInterceptor</interceptor><interceptor>org.jboss.proxy.SecurityInterceptor</interceptor>
          -
           <interceptor>
          org.jboss.jmx.connector.invoker.client.InvokerAdaptorClientInterceptor
          </interceptor>
          <interceptor>org.jboss.invocation.InvokerInterceptor</interceptor>
          </interceptors>
          </attribute>
          </mbean>



          so, you ,any time a jmx component is invoked throws jrmp, control the access by IP

          • 2. Re: how to set Tomcat context valve for jmx-console?
            Hany Bee Newbie

            Thanks for replying. I'm going to try that, if there's no simpler way.

            What I don't understand is, since all http requests are handled by Tomcat first, why would JBoss prevent Tomcat from using the valve correctly?

            This seems like a useless overhead to me.

            • 3. Re: how to set Tomcat context valve for jmx-console?
              Ricardo Arguello Newbie

              Don't edit the server.xml file. Create a WEB-INF/context.xml file instead, and define the valve there.

              Ricardo Arguello