
org.apache.tomcat.jdbc.pool.jmx.JmxUtil.registerJmx Jmx registration failed


I want to deploy a spring-boot application to an external tomcat with the security manager enabled. The Jndi is configured in tomcat with the name jdbc/abc. The tomcat asks for some permissions when I deploy, which I grant in the catalina.policy of the tomcat. I am presently getting the access denied message shown below.

    org.apache.tomcat.jdbc.pool.jmx.JmxUtil.registerJmx Jmx registration failed.
    java.security.AccessControlException: access denied ("javax.management.MBeanPermission" "org.apache.tomcat.jdbc.pool.PooledConnection#-[tomcat.jdbc:class=org.apache.tomcat.jdbc.pool.DataSource,connections=PooledConnection[0],name="jdbc/abc",type=ConnectionPool]" "registerMBean")

I then granted permission as

permission javax.management.MBeanPermission "org.apache.tomcat.jdbc.pool.PooledConnection#-[tomcat.jdbc:class=org.apache.tomcat.jdbc.pool.DataSource,connections=PooledConnection[0],name=jdbc/abc ,type=ConnectionPool]", "registerMBean";

Then the message repeats again in the server output. I am not sure whether I granted this permission in the right way. Can anyone suggest where I am going wrong?

The server configuration for the connection pool is as shown below:

    <Resource name="jdbc/abc"
              type="javax.sql.DataSource"
              url="url to the database"
              username="MyName"
              password="123"
              />

Solution

  • This should probably be considered a bug in the Tomcat JDBC library: a DataSource provided by the container should use AccessController.doPrivileged to perform JMX operations. It also should provide a set of permissions to regulate access from application code to the DataSource. However, since the SecurityManager will probably be deprecated (cf. JEP 411), I doubt that this bug will ever be resolved.

    Since Tomcat JDBC registers lots of JMX beans, I would give all the org.apache.tomcat.jdbc classes permission to register any MBean in the tomcat.jdbc domain:

    permission javax.management.MBeanPermission "org.apache.tomcat.jdbc.*#-[tomcat.jdbc:*]", "registerMBean";
    The MBeanPermission is granted using the form:

    permission javax.management.MBeanPermission "class name#member[object name]", "action"
    (cf. Javadoc), where:

    • class name is the class performing the call. In your case all Tomcat JDBC classes,
    • member is the JMX attribute you want to access, which doesn't apply to the registerMBean action,
    • object name is an ObjectName pattern (cf. Javadoc): in your case all names in the tomcat.jdbc domain,
    • action is the action to be performed: in your case Tomcat JDBC wants to register an MBean with the server.

    You can also try more restrictive ObjectNames, e.g. tomcat.jdbc:name=jdbc/abc,* to restrict the permission to one datasource only.

    Remark: If you don't intend to use JMX to monitor your datasource performance you can also use jmxEnabled="false" (cf. documentation) and all permission problems will go away.
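To check a candidate grant before restarting Tomcat, the following added example (not part of the question or the answer; the class and method names are mine) uses the JDK's own MBeanPermission.implies and ObjectName.apply to test the question's grant and the answer's two patterns against the exact permission string quoted in the exception. Note that the registered name quotes the value (name="jdbc/abc"), so a pattern that names one data source has to quote it the same way.

```java
import javax.management.MBeanPermission;
import javax.management.MalformedObjectNameException;
import javax.management.ObjectName;

// Hypothetical helper (not from the question or from Tomcat): checks catalina.policy
// MBeanPermission targets against the permission named in the exception, offline.
public class MBeanPermissionCheck {

    // Target string copied verbatim from the AccessControlException in the question.
    static final String DEMANDED =
        "org.apache.tomcat.jdbc.pool.PooledConnection#-[tomcat.jdbc:"
        + "class=org.apache.tomcat.jdbc.pool.DataSource,connections=PooledConnection[0],"
        + "name=\"jdbc/abc\",type=ConnectionPool]";

    // Same test the policy check performs: does the granted permission imply the demanded one?
    static boolean grantCovers(String grantTarget, String demandedTarget) {
        MBeanPermission granted = new MBeanPermission(grantTarget, "registerMBean");
        MBeanPermission demanded = new MBeanPermission(demandedTarget, "registerMBean");
        return granted.implies(demanded);
    }

    public static void main(String[] args) throws MalformedObjectNameException {
        // The grant from the question: the value is unquoted and has a space before the
        // comma, so its ObjectName is not the one Tomcat actually registers.
        String fromQuestion =
            "org.apache.tomcat.jdbc.pool.PooledConnection#-[tomcat.jdbc:"
            + "class=org.apache.tomcat.jdbc.pool.DataSource,connections=PooledConnection[0],"
            + "name=jdbc/abc ,type=ConnectionPool]";
        // The answer's grants: every MBean in the tomcat.jdbc domain, and one data source only.
        // In catalina.policy the inner quotes are written as \" inside the target string.
        String wholeDomain = "org.apache.tomcat.jdbc.*#-[tomcat.jdbc:*]";
        String oneDataSource = "org.apache.tomcat.jdbc.*#-[tomcat.jdbc:name=\"jdbc/abc\",*]";

        System.out.println("grant from question covers demanded: " + grantCovers(fromQuestion, DEMANDED));
        System.out.println("tomcat.jdbc:* covers demanded:       " + grantCovers(wholeDomain, DEMANDED));
        System.out.println("single data source covers demanded:  " + grantCovers(oneDataSource, DEMANDED));

        // The ObjectName pattern part in isolation, independent of class name and action.
        ObjectName registered = new ObjectName(
            DEMANDED.substring(DEMANDED.indexOf('[') + 1, DEMANDED.length() - 1));
        ObjectName pattern = new ObjectName("tomcat.jdbc:name=\"jdbc/abc\",*");
        System.out.println("pattern applies to registered name:  " + pattern.apply(registered));
    }
}
```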