Exception starting java-monitor


Kees de Kooter
01-12-2008, 21:32
Machine: freshly installed Ubuntu 8.10 server + java 6 + tomcat 6 from the distro.

What is the best way to enable jmx in this case?

Here is the stacktrace:

SEVERE: Servlet /java-monitor threw load() exception
java.security.AccessControlException: access denied (javax.management.MBeanServerPermission createMBeanServer)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
at java.security.AccessController.checkPermission(AccessController.java:546)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.management.ManagementFactory.getPlatformMBeanServer(ManagementFactory.java:500)
at com.javamonitor.JmxHelper.register(JmxHelper.java:100)
at com.javamonitor.JmxHelper.registerCoolBeans(JmxHelper.java:265)
at com.javamonitor.CollectorServlet.init(CollectorServlet.java:31)
at javax.servlet.GenericServlet.init(GenericServlet.java:212)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:244)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:276)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:162)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:115)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1166)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:992)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4058)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:4371)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:123)
at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:769)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:525)
at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:830)
at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:515)
at org.apache.catalina.startup.HostConfig.check(HostConfig.java:1231)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.tomcat.util.modeler.BaseModelMBean.invoke(BaseModelMBean.java:297)
at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:836)
at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:761)
at org.apache.catalina.manager.ManagerServlet.check(ManagerServlet.java:1471)
at org.apache.catalina.manager.HTMLManagerServlet.doPost(HTMLManagerServlet.java:243)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:244)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:276)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:162)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:283)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:56)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:189)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:185)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:525)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:619)

kjkoster
01-12-2008, 21:51
Dear Kees,

Ah yes, the non-standard security manager settings in Debian/Ubuntu (http://java-monitor.com/forum/showthread.php?t=33).

The resolution is simple: the exception tells you what permission is needed, so the most secure way to grant the probe access to the JMX MBean server in your new Tomcat installation is to find the file that Tomcat loads its permissions from and add something to the effect of:


grant {
permission javax.management.MBeanServerPermission "createMBeanServer";
};


Note that I took the actual permission ("createMBeanServer") from the first line of your stack trace.

Once you have restarted Tomcat you should either get another security exception, or get a running probe. As you deploy your own applications, you may well run into other security exceptions. You'll get these for all non-standard operations like, say, connecting to databases and reading files. Once you know the trick, incrementally opening up the security manager on an as-needed basis is actually quite easy to do.

Does this help?

Kees Jan

Kees de Kooter
01-12-2008, 22:17
Next exception is:


SEVERE: Servlet /java-monitor threw load() exception
java.security.AccessControlException: access denied (javax.management.MBeanPermission com.javamonitor.mbeans.Server#-[com.javamonitor:type=Server] registerMBean)


Maybe I should ditch the repackaged tomcat :-(

kjkoster
01-12-2008, 22:22
Dear Kees,

You could do that, of course, or you could see it as a useful (if painful) way to learn to use the security manager. I honestly think it is one of the stronger points of using Java.

If you have the energy, you could try using a wildcard. Off the top of my head, something like:


grant {
permission * "createMBean, registerMBean";
}


or maybe:


grant {
permission "*" "createMBean, registerMBean";
}


Kees Jan

kjkoster
01-12-2008, 22:24
Have a look at the policy file syntax (http://java.sun.com/j2se/1.5.0/docs/guide/security/PolicyFiles.html).

Kees de Kooter
01-12-2008, 22:27
Very true.
I promise you I will put in some extra effort ;-)

kjkoster
01-12-2008, 22:46
Dear Kees,

Well, if that's the case I'd love to have a copy of the relevant portions of your policy file once you're done. ;-)

Kees Jan

Kees de Kooter
01-12-2008, 22:56
The probe is running!!

Here is the config:

// Enable java-monitor to do its job
grant {
permission javax.management.MBeanServerPermission "createMBeanServer";
permission javax.management.MBeanPermission "com.javamonitor.mbeans.*", "*";
permission javax.management.MBeanTrustPermission "register";
permission javax.management.MBeanServerPermission "findMBeanServer";
permission java.net.SocketPermission "java-monitor.com:80", "connect";
permission java.net.SocketPermission "java-monitor.com:80", "resolve";
};

Kees de Kooter
02-12-2008, 07:45
Kees Jan,

The probe is running now but apparently not sending data. There are no errors in the logs. Should I add more SocketPermissions?

kjkoster
02-12-2008, 11:31
Dear Kees,

Yes, it seems you need to open up the security manager a little more.

If you click on the host in the host list, you'll get to the host's monitor page. There it reads that your host has not sent any data yet. On that page there is a link named "see all measurements". Click on that too.

You'll get to the page that shows all the individual data points that are coming in. On that page, you'll see some more exceptions, on top of the ones you had in your Tomcat logs earlier.

javax.management.RuntimeMBeanException: javax.management.RuntimeMBeanException: java.security.AccessControlException: access denied (java.lang.management.ManagementPermission monitor)

Click on an exception to get the stack trace.


javax.management.RuntimeMBeanException: javax.management.RuntimeMBeanException: java.security.AccessControlException: access denied (java.lang.management.ManagementPermission monitor)
at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.rethrow(DefaultMBeanServerInterceptor.java:856)
at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.rethrowMaybeMBeanException(DefaultMBeanServerInterceptor.java:869)
at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.getAttribute(DefaultMBeanServerInterceptor.java:670)
at com.sun.jmx.mbeanserver.JmxMBeanServer.getAttribute(JmxMBeanServer.java:638)
at com.javamonitor.JmxHelper.query(JmxHelper.java:208)
at com.javamonitor.Collector.queryItems(Collector.java:114)
at com.javamonitor.Collector.push(Collector.java:57)
at com.javamonitor.CollectorServlet$CollectorDriver.run(CollectorServlet.java:74)
at java.lang.Thread.run(Thread.java:619)
Caused by: java.security.AccessControlException: access denied (java.lang.management.ManagementPermission monitor)
at ja


More things to add to your policy file I'm afraid.

Kees Jan

Kees de Kooter
02-12-2008, 11:56
Kees Jan,

I added
permission java.lang.management.ManagementPermission "monitor";
The exceptions are gone now. Unfortunately I still only see the categories "com.javamonitor:type=Server" and "com.javamonitor:type=Threading" and no graphs. Guess I need to grant some more stuff but do not have a clue what kind.

Kees de Kooter
02-12-2008, 12:58
I admit, I am cheating now. But the probe works!


grant codeBase "file:${catalina.base}/webapps/java-monitor/-" {
permission java.security.AllPermission;
};


My server's fate is in your hands ;-)

kjkoster
02-12-2008, 13:55
Dear Kees,

That's a good cheat.

If you want to pursue this further, you could add -Djava.security.debug=policy,access to your JAVA_OPTS when starting Tomcat. Then grep the logs for denied security manager checks. See more here (http://oreilly.com/catalog/javasec2/chapter/ch01.html).

Your logs fill up quickly with this option, so don't go into production with it. :-)

Kees Jan

PS. Don't worry, I'll take good care of your server. ;-)
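
Added example (not part of the original thread, and not java-monitor's own code): a Python script for the "grep the logs for denied security manager checks" step, which turns each distinct denial into a candidate permission line scoped to the probe's codeBase instead of AllPermission. It assumes the Java 6 message format shown in the stack traces above; the function names are hypothetical and the sample log is constructed from the exception messages quoted in the thread.

```python
import re

# Java 6 message format, as in the thread's stack traces:
#   access denied (<permission class> <target name>[ <actions>])
DENIED = re.compile(r"access denied \(([\w.$]+) ([^)]+)\)")

# codeBase taken from the AllPermission grant posted in the thread.
CODE_BASE = "file:${catalina.base}/webapps/java-monitor/-"

# Constructed sample log, built from the exception messages quoted in the thread.
SAMPLE_LOG = """\
SEVERE: Servlet /java-monitor threw load() exception
java.security.AccessControlException: access denied (javax.management.MBeanServerPermission createMBeanServer)
java.security.AccessControlException: access denied (javax.management.MBeanPermission com.javamonitor.mbeans.Server#-[com.javamonitor:type=Server] registerMBean)
javax.management.RuntimeMBeanException: java.security.AccessControlException: access denied (java.lang.management.ManagementPermission monitor)
Caused by: java.security.AccessControlException: access denied (java.lang.management.ManagementPermission monitor)
"""

def denied_permissions(log_text):
    """Return unique (class, target name, actions) tuples in first-seen order."""
    seen = []
    for match in DENIED.finditer(log_text):
        cls, rest = match.group(1), match.group(2).strip()
        # Assumption: the last space-separated token is the action list;
        # a single token is a target name with no actions.
        name, _, actions = rest.rpartition(" ")
        if not name:
            name, actions = rest, ""
        entry = (cls, name, actions)
        if entry not in seen:
            seen.append(entry)
    return seen

def _quote(value):
    # Escape backslashes and double quotes for a policy-file string literal.
    return value.replace("\\", "\\\\").replace('"', '\\"')

def render_grant(entries, code_base=CODE_BASE):
    """Render candidate grants for review; each line should be checked before use."""
    lines = ['grant codeBase "%s" {' % code_base]
    for cls, name, actions in entries:
        line = '    permission %s "%s"' % (cls, _quote(name))
        if actions:
            line += ', "%s"' % _quote(actions)
        lines.append(line + ";")
    lines.append("};")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_grant(denied_permissions(SAMPLE_LOG)))
```

Every denial in the log comes out as a candidate grant, so a denial you did not expect is a reason to look at the code that triggered it rather than a line to paste into the policy.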