1 ###################################################################### 2 # Default Access Control File for Remote JMX(TM) Monitoring 3 ###################################################################### 4 # 5 # Access control file for Remote JMX API access to monitoring. 6 # This file defines the allowed access for different roles. The 7 # password file (jmxremote.password by default) defines the roles and their 8 # passwords. To be functional, a role must have an entry in 9 # both the password and the access files. 10 # 11 # The default location of this file is $JRE/lib/management/jmxremote.access 12 # You can specify an alternate location by specifying a property in 13 # the management config file $JRE/lib/management/management.properties 14 # (See that file for details) 15 # 16 # The file format for password and access files is syntactically the same 17 # as the Properties file format. The syntax is described in the Javadoc 18 # for java.util.Properties.load. 19 # A typical access file has multiple lines, where each line is blank, 20 # a comment (like this one), or an access control entry. 21 # 22 # An access control entry consists of a role name, and an 23 # associated access level. The role name is any string that does not 24 # itself contain spaces or tabs. It corresponds to an entry in the 25 # password file (jmxremote.password). The access level is one of the 26 # following: 27 # "readonly" grants access to read attributes of MBeans. 28 # For monitoring, this means that a remote client in this 29 # role can read measurements but cannot perform any action 30 # that changes the environment of the running program. 31 # "readwrite" grants access to read and write attributes of MBeans, 32 # to invoke operations on them, and optionally 33 # to create or remove them. This access should be granted 34 # only to trusted clients, since they can potentially 35 # interfere with the smooth operation of a running program. 36 # 37 # The "readwrite" access level can optionally be followed by the "create" and/or 38 # "unregister" keywords. The "unregister" keyword grants access to unregister 39 # (delete) MBeans. The "create" keyword grants access to create MBeans of a 40 # particular class or of any class matching a particular pattern. Access 41 # should only be granted to create MBeans of known and trusted classes. 42 # 43 # For example, the following entry would grant readwrite access 44 # to "controlRole", as well as access to create MBeans of the class 45 # javax.management.monitor.CounterMonitor and to unregister any MBean: 46 # controlRole readwrite \ 47 # create javax.management.monitor.CounterMonitorMBean \ 48 # unregister 49 # or equivalently: 50 # controlRole readwrite unregister create javax.management.monitor.CounterMBean 51 # 52 # The following entry would grant readwrite access as well as access to create 53 # MBeans of any class in the packages javax.management.monitor and 54 # javax.management.timer: 55 # controlRole readwrite \ 56 # create javax.management.monitor.*,javax.management.timer.* \ 57 # unregister 58 # 59 # The \ character is defined in the Properties file syntax to allow continuation 60 # lines as shown here. A * in a class pattern matches a sequence of characters 61 # other than dot (.), so javax.management.monitor.* matches 62 # javax.management.monitor.CounterMonitor but not 63 # javax.management.monitor.foo.Bar. 64 # 65 # A given role should have at most one entry in this file. If a role 66 # has no entry, it has no access. 67 # If multiple entries are found for the same role name, then the last 68 # access entry is used. 69 # 70 # 71 # Default access control entries: 72 # o The "monitorRole" role has readonly access. 73 # o The "controlRole" role has readwrite access and can create the standard 74 # Timer and Monitor MBeans defined by the JMX API. 75 76 monitorRole readonly 77 controlRole readwrite \ 78 create javax.management.monitor.*,javax.management.timer.* \ 79 unregister