将JMX限制为localhost [英] Restricting JMX to localhost

问题描述

虽然出现了一些有关如何通过各种防火墙和隧道方案公开JMX的文档，但我还是想反其道而行之.我想确保仅本地计算机可以访问JMX.不幸的是，似乎开箱即用"的管理选项不允许将端口限制为本地接口，netstat显示它们正在侦听任何/所有接口.

While there appears to some documentation on how to expose JMX through various firewall and tunneling schemes, I sort of want the opposite. I want to ensure that JMX is only accessible to local machine. Unfortunately it appears that the "out of the box" management options do not allow restricting the ports to a local interface and netstat shows them listening on any/all interfaces.

http://java.sun. com/javase/6/docs/technotes/guides/management/agent.html#gdevf

我必须承认，我对JMX的间接层，RMI注册表，连接器，适配器等感到困惑.

I have to admit I am bewildered by the layers of indirection in JMX, the RMI registry, connectors, adapters, etc.

我想先将其打开，然后通过SSH进行隧道传输，而不是将其公开，然后必须执行繁琐且多余的用户管理和安全配置.能够使用内置的RMI注册表，而不必运行外部注册表，将是很好的选择.

I would like to just turn it on and then tunnel through SSH as opposed to exposing it to the world and then having to perform arduous and superfluous user management and security configuration. It would be nice to be able to use a built in RMI registry and not have to run an external one.

推荐答案

如果您是从本地主机访问的，则可以在这种情况下执行JConsole和JVisualVM的操作，即使用Attach API查找服务器的仅本地地址(如果使用-Dcom.sun.management.jmxremote而不是-Dcom.sun.management.jmxremote.port = N运行，则将获得该地址)并连接到该地址.在另一个答案中，Thraidh说，即使在这种情况下，也打开了可远程访问的端口，这在早期版本中是正确的，但几年来却没有.

If you're accessing from the local host then it is possible to do what JConsole and JVisualVM do in this case, which is to use the Attach API to find the local-only address of the server (what you get if you run with -Dcom.sun.management.jmxremote but not -Dcom.sun.management.jmxremote.port=N) and connect to that. In another answer, Thraidh says that a remotely-accessible port is opened even in this case, which was true in earlier versions but has not been so for a couple of years.

弗雷德里克(Fredrik)的解决方案行之有效，但过大了.您只需要定义一个RMIServerSocketFactory，而不是RMISocketFactory(定义了客户端和服务器).这样就无需专门配置客户端. http://vafer.org/blog/20061010091658 上的代码对我来说是正确的.

Fredrik's solution works but is overkill. You only need to define an RMIServerSocketFactory, not an RMISocketFactory (which defines both client and server). This eliminates the need to configure the client specially. The code at http://vafer.org/blog/20061010091658 looks correct to me.

使用-Dcom.sun.management.jmxremote之类的命令行属性构造的即用型"管理只能带您走很远，然后才需要开始使用JMX API本身进行编程.我们通常不愿意将现成的管理演变成一个完整的并行API，这就是为什么这样的问题无法解决的原因.我们说明了如何从一个过渡到另一个.这里.

The "out-of-the-box" management constructed with command-line properties like -Dcom.sun.management.jmxremote can only take you so far before you need to start programming with the JMX API itself. We've generally been reluctant to have the out-of-the-box management evolve into a complete parallel API, which is why there are problems like this one that are out of its reach. We explain how to go from one to the other here.

ÉamonnMcManus，JMX规范负责人

Éamonn McManus, JMX Spec Lead

这篇关于将JMX限制为localhost的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！