Greetings, all,

Thank you for this wonderful mailing list.

Hi Konstantin,

That JSP worked like a charm :-)  Thank you.

Hi Pid,

Good suggestion on using Groovy.  I would like to stick with what's readily
available with Tomcat, if I can help it.  I know security with unsecured
JMX is an issue.  But if JMX is secured properly, I believe it is nothing
to shy away from for scripting.

Hi Christopher,

When you say, "You can use JMX internally for convenience, but not expose
the JMXProxyServlet at all.", what do you mean by that?  This is what I
would like to achieve.  Konstantin's JSP page retrieves the composite Heap
metrics (Tomcat 7.0.23) even with membership in "manager-jmx" role mandated
inside "manager/WEB-INF/web.xml".  I do have to permit access though to
localhost inside the "Catalina/localhost/manager.xml" context file for the
JSP to work unauthenticated:

      <Valve className="org.apache.catalina.valves.RemoteAddrValve"
             allow="127\.0\.0\.1"/>

I have a feeling that's not what you mean.  Could you please elaborate on
how not to expose the JMXProxyServlet externally?  I was surprised that I
do have to permit localhost access inside "manager.xml" because I thought
all JSPs inside "webapps/manager/" should be automatically trusted and
permitted by the "manager" webapp by default.

Also, I plan to have the JSP page get me a bunch of JMX metrics.

Thanks!
                      -Shanti

On Sat, Sep 8, 2012 at 7:44 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Pid,
>
> On 9/8/12 4:57 AM, Pid * wrote:
> > On 7 Sep 2012, at 22:00, Shanti Suresh <sha...@umich.edu> wrote:
> >
> >> Hi Konstantin,
> >>
> >> True.  JMX data can be sensitive.
> >
> >
> > If you're concerned about security do not use the JMXProxy Servlet
> > at all. Configure security on an exposed JMX port and then interact
> > with the JVM by connecting to the port. Scripts written in Groovy,
> > for example, make this pretty easy to do.
>
> Or just expose the exact data you want by providing a JSP or servlet
> that fetches that one piece of data and returns it. You can use JMX
> internally for convenience, but not expose the JMXProxyServlet at all.
>
> -chris
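
Added example, not part of the original thread and not code posted by any participant: one way to expose a single piece of JMX data from inside the JVM, as suggested in the quoted reply, without mapping the JMXProxyServlet or opening a JMX port. The class name HeapStatusServlet and the /heap-status mapping are assumptions; it assumes a Servlet 3.0 container such as Tomcat 7.

```java
// Added example: returns only the heap usage composite, nothing else.
// HeapStatusServlet and "/heap-status" are hypothetical names.
import java.io.IOException;
import java.io.PrintWriter;
import java.lang.management.ManagementFactory;
import java.net.InetAddress;
import javax.management.JMException;
import javax.management.MBeanServer;
import javax.management.ObjectName;
import javax.management.openmbean.CompositeData;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/heap-status")
public class HeapStatusServlet extends HttpServlet {
    // Fixed list of CompositeData keys; no MBean name, attribute or key
    // is ever taken from the request, unlike a generic JMX proxy.
    private static final String[] KEYS = {"init", "used", "committed", "max"};

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Defence in depth alongside a RemoteAddrValve: loopback callers only.
        // getRemoteAddr() is an IP literal, so getByName() does no DNS lookup.
        if (!InetAddress.getByName(req.getRemoteAddr()).isLoopbackAddress()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        try {
            // In-process lookup on the platform MBeanServer.
            MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
            CompositeData heap = (CompositeData) mbs.getAttribute(
                    new ObjectName("java.lang:type=Memory"), "HeapMemoryUsage");
            resp.setContentType("text/plain");
            resp.setCharacterEncoding("UTF-8");
            PrintWriter out = resp.getWriter();
            for (String key : KEYS) {
                out.println(key + "=" + heap.get(key));
            }
        } catch (JMException e) {
            // Do not echo JMX error details back to the client.
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        }
    }
}
```

If Tomcat sits behind a reverse proxy on the same host, every request arrives from loopback, so the address check alone no longer separates local scripts from remote clients.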