How can I disable jconsole access?
2009. 1. 13. 11:07ㆍJava
아주 좋은 정보~
There are ways to achieve what you are asking for, but you need to be clear that you are not addressing a security problem. JConsole (and any other tool using the Attach API) can only attach to the same user's processes on the same machine. These are the same processes that the user can connect to using a debugger, and therefore do anything to. JConsole makes it easier to do certain things, but does not fundamentally change the security situation.
There is an RFE open to address this <http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6541693> but in the meantime here are two possible things you can do:
(1) Run your application with -XX:+DisableAttachMechanism. Like all -XX options, this one is unsupported, and could go away in a future version. It will also prevent you from running tools like jstack and jinfo on your application, which could be inconvenient.
(2) Unregister all the MBeans from the Platform MBean Server. (This idea is due to Daniel Lutoff.) Then you will still be able to connect with JConsole, but you won't see any information about the application. The code looks like this:
Regards,
?amonn McManus -- JMX Spec Lead -- http://weblogs.java.net/blog/emcmanus
There are ways to achieve what you are asking for, but you need to be clear that you are not addressing a security problem. JConsole (and any other tool using the Attach API) can only attach to the same user's processes on the same machine. These are the same processes that the user can connect to using a debugger, and therefore do anything to. JConsole makes it easier to do certain things, but does not fundamentally change the security situation.
There is an RFE open to address this <http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6541693> but in the meantime here are two possible things you can do:
(1) Run your application with -XX:+DisableAttachMechanism. Like all -XX options, this one is unsupported, and could go away in a future version. It will also prevent you from running tools like jstack and jinfo on your application, which could be inconvenient.
(2) Unregister all the MBeans from the Platform MBean Server. (This idea is due to Daniel Lutoff.) Then you will still be able to connect with JConsole, but you won't see any information about the application. The code looks like this:
MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
for (ObjectName name : mbs.queryNames(null, null)) {
if (!name.getDomain().equals("JMImplementation"))
mbs.unregisterMBean(name);
}
Regards,
?amonn McManus -- JMX Spec Lead -- http://weblogs.java.net/blog/emcmanus