TechQA.

org.apache.tomcat.jdbc.pool.jmx.JmxUtil.registerJmx Jmx registration failed

1.4k views Asked by At

I want to deploy deploy spring-boot application to external tomcat with security manager enabled. The Jndi is configured in tomcat with the name jdbc/abc .The tomcat asks for some permissions when I deploy, which I grant in the catalina.policy of the tomcat. I am presently getting some access denied message as shown below.

org.apache.tomcat.jdbc.pool.jmx.JmxUtil.registerJmx Jmx registration failed.
    java.security.AccessControlException: access denied ("javax.management.MBeanPermission" "org.apache.tomcat.jdbc.pool.PooledConnection#-[tomcat.jdbc:class=org.apache.tomcat.jdbc.pool.DataSource,connections=PooledConnection[0],name="jdbc/abc",type=ConnectionPool]" "registerMBean")

I then granted permission as

permission javax.management.MBeanPermission "org.apache.tomcat.jdbc.pool.PooledConnection#-[tomcat.jdbc:class=org.apache.tomcat.jdbc.pool.DataSource,connections=PooledConnection[0],name=jdbc/abc ,type=ConnectionPool]", "registerMBean";

then again the message repeats in the server output, I am not sure whether I granted this permission in the right way? Can anyone suggest me where I am doing wrong?

The server configuration for connection pool is as shown below:

<Resource name="jdbc/abc"
                  type="javax.sql.DataSource"
                  
                  url="url to the database"
                  username="MyName"
                  password="123" 
                  />
spring-boot tomcat permissions securitymanager
Original Q&A
1

There are 1 answers

0
Piotr P. Karwasz On BEST ANSWER

This should probably be considered a bug in the Tomcat JDBC library: a DataSource provided by the container should use AccessController.doPriviledged to perform JMX operations. It also should provide a set of permissions to regulate access from application code to the DataSource. However since the SecurityManager will probably be deprecated (cf. JEP 411) I doubt that this bug will ever be resolved.

Since Tomcat JDBC registers lots of JMX beans, I would give to all the org.tomcat.jdbc classes permission to register any MBean in the tomcat.jdbc domain:

permission javax.management.MBeanPermission "org.apache.tomcat.jdbc.*#-[tomcat.jdbc:*]", "registerMBean";

The MBeanPermission is granted using the:

permission javax.management.MBeanPermission "class name#member[object name]", "action"

(cf. Javadoc), where:

  • class name is the class performing the call. In your case all Tomcat JDBC classes,
  • member is the JMX attribute you want to access, doesn't apply for the registerMBean action,
  • object name is an ObjectName pattern (cf. Javadoc): in your case all names in the tomcat.jdbc domain,
  • action is the action to be performed: in your case Tomcat JDBC wants to register an MBean with the server.

You can also try more restrictive ObjectNames, e.g. tomcat.jdbc:name=jdbc/abc,* to restrict the permission to one datasource only.

Remark: If you don't intend to use JMX to monitor your datasource performance you can also use jmxEnabled="false" (cf. documentation) and all permission problems will go away.

Related Questions in SPRING-BOOT

Related Questions in TOMCAT

Related Questions in PERMISSIONS

Related Questions in SECURITYMANAGER

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json

Trending Questions