java spring-boot jmx spring-boot-actuator

Cannot disable remote Spring Boot JMX access


We have a Spring Boot application with actuator. We're trying to disable remote JMX access, but somehow this is not working. We've tried the following settings:

In Tomcat startup options:

-Dcom.sun.management.jmxremote=false
-Dcom.sun.management.jmxremote.password.file=....../jmxremote.password
-Dcom.sun.management.jmxremote.registry.ssl=true 
-Djava.security.manager 
-Djava.security.policy=jmx.policy
-Djavax.net.ssl.keyStore=....jks
-Djavax.net.ssl.keyStorePassword=****
-Djavax.net.ssl.trustStore=.....jks
-Djavax.net.ssl.trustStorePassword=****

In application.properties:

# Turns off Spring's own MBean export only. As the question observes, other
# MBeans stay reachable: the JVM's platform MBean server and any remote
# connector are not controlled by this property.
spring.jmx.enabled=false
# Asks the connection pool not to register its MBeans (only relevant if the
# underlying pool supports JMX).
spring.datasource.jmx-enabled=false
# Spring Boot 1.x actuator setting: do not expose actuator endpoints over JMX.
endpoints.jmx.enabled=false
# NOTE(review): spring.jmx.server names the MBeanServer bean to use (default
# "mbeanServer"); it is not a bind address, so "localhost" here does not
# restrict who can connect. Confirm what was intended.
spring.jmx.server=localhost

However, we are still able to access JMX from a remote system. The only difference that the option spring.jmx.enabled makes is that Spring-specific MBeans are not available, but other MBeans are still available.

How can we disable remote access to JMX? Ideally we'd still like access when connecting from the local machine, but if necessary this might also be disabled.

ADDED build.gradle

// Build script for a Spring Boot 1.5 web application packaged as a plain WAR.
// The build-time classpath below pins the Spring Boot Gradle plugin version.
buildscript {
    ext {
        // NOTE(review): the Spring Boot 1.5.x line is end-of-life and no longer
        // receives open-source security fixes; confirm an upgrade plan.
        springBootVersion = '1.5.16.RELEASE'
    }
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath("org.springframework.boot:spring-boot-gradle-plugin:${springBootVersion}")
    }
}

apply plugin: 'java'
apply plugin: 'war'
apply plugin: 'org.springframework.boot'
// Supplies versions for the version-less Spring Boot starters declared below.
apply plugin: 'io.spring.dependency-management'
// External script that is not part of this listing; whatever it adds
// (dependencies, configuration) cannot be reviewed from here.
apply from: "../dependencies.gradle"

repositories {
    mavenCentral()
}

// Repackaging into an executable archive is switched off, so the output is a
// conventional WAR. Together with the providedRuntime Tomcat starter below this
// points to deployment in an external servlet container, where the JVM (and so
// the JVM-level JMX connector) is configured by the container's startup
// options rather than by application.properties.
bootRepackage {
    enabled = false
}

sourceCompatibility = 1.8
targetCompatibility = 1.8

dependencies {
    // Project paths are elided in the original listing.
    providedRuntime project(':....')
    compile project(':...')
    compile project(':...')
    compile project(':...')
    compile project(':...')

    // Explicitly pinned third-party versions: these are fixed here rather than
    // taken from Spring Boot's managed versions, so they have to be tracked
    // against security advisories by hand.
    compile group: 'com.hazelcast', name: 'hazelcast', version: '3.12'
    compile group: 'com.hazelcast', name: 'hazelcast-client', version: '3.12'
    compile group: 'org.hibernate', name: 'hibernate-core', version: '5.2.11.Final'
    compile group: 'org.aspectj', name: 'aspectjweaver', version: '1.9.2'

    compile group: 'org.apache.poi', name: 'poi', version: '4.0.1'
    compile group: 'org.apache.poi', name: 'poi-ooxml', version: '4.0.1'

    compileOnly group: 'org.projectlombok', name: 'lombok', version: '1.18.2'

    // Tomcat is supplied by the target container and kept out of the WAR's libraries.
    providedRuntime 'org.springframework.boot:spring-boot-starter-tomcat'

    compile("org.springframework.boot:spring-boot-starter-web")
    // Actuator adds management endpoints. In Spring Boot 1.x these are exposed
    // over JMX as well as HTTP unless endpoints.jmx.enabled=false is set, and
    // that setting affects only the actuator's own MBeans.
    compile("org.springframework.boot:spring-boot-starter-actuator")

    testCompile('org.springframework.boot:spring-boot-starter-test')
    testCompile group: 'org.mockito', name: 'mockito-all', version: '1.9.5'
}

Solution

  • Had the exact same issue and solved it by using these settings:

    -Dcom.sun.management.jmxremote
    -Dcom.sun.management.jmxremote.local.only=true
    -Dcom.sun.management.jmxremote.authenticate=true
    -Dcom.sun.management.jmxremote.ssl=false
    -Dcom.sun.management.jmxremote.port=1099
    -Dcom.sun.management.jmxremote.host=localhost
    -Djava.rmi.server.hostname=localhost
    -Dcom.sun.management.jmxremote.password.file=<path to jmxremote.password>
    -Dcom.sun.management.jmxremote.access.file=<path to jmxremote.access>
    

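    Please note that the order of the options, and explicitly setting properties to their default values, may be necessary even though it obviously shouldn't be. Because ssl=false sends the JMX credentials unencrypted, this setup depends on the connector staying bound to localhost: after restarting, check from another machine that port 1099 is no longer reachable, and keep the password file readable only by the account that runs the JVM.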