######################################################################
#     Default Access Control File for Remote JMX(TM) Monitoring
######################################################################
#
# Access control file for Remote JMX API access to monitoring.
# This file defines the allowed access for different roles.  The
# password file (jmxremote.password by default) defines the roles and their
# passwords.  To be functional, a role must have an entry in
# both the password and the access files.
#
# The default location of this file is $JRE/lib/management/jmxremote.access
# You can specify an alternate location by specifying a property in
# the management config file $JRE/lib/management/management.properties
# (See that file for details)
#
# The file format for password and access files is syntactically the same
# as the Properties file format.  The syntax is described in the Javadoc
# for java.util.Properties.load.
# A typical access file has multiple lines, where each line is blank,
# a comment (like this one), or an access control entry.
#
# An access control entry consists of a role name, and an
# associated access level.  The role name is any string that does not
# itself contain spaces or tabs.  It corresponds to an entry in the
# password file (jmxremote.password).  The access level is one of the
# following:
#       "readonly" grants access to read attributes of MBeans.
#                   For monitoring, this means that a remote client in this
#                   role can read measurements but cannot perform any action
#                   that changes the environment of the running program.
#       "readwrite" grants access to read and write attributes of MBeans,
#                   to invoke operations on them, and optionally
#                   to create or remove them.  This access should be granted
#                   only to trusted clients, since they can potentially
#                   interfere with the smooth operation of a running program.
#
# The "readwrite" access level can optionally be followed by the "create" and/or
# "unregister" keywords.  The "unregister" keyword grants access to unregister
# (delete) MBeans.  The "create" keyword grants access to create MBeans of a
# particular class or of any class matching a particular pattern.  Access
# should only be granted to create MBeans of known and trusted classes.
#
# For example, the following entry would grant readwrite access
# to "controlRole", as well as access to create MBeans of the class
# javax.management.monitor.CounterMonitor and to unregister any MBean:
#  controlRole readwrite \
#              create javax.management.monitor.CounterMonitor \
#              unregister
# or equivalently:
#  controlRole readwrite unregister create javax.management.monitor.CounterMonitor
#
# The following entry would grant readwrite access as well as access to create
# MBeans of any class in the packages javax.management.monitor and
# javax.management.timer:
#  controlRole readwrite \
#              create javax.management.monitor.*,javax.management.timer.* \
#              unregister
#
# The \ character is defined in the Properties file syntax to allow continuation
# lines as shown here.  A * in a class pattern matches a sequence of characters
# other than dot (.), so javax.management.monitor.* matches
# javax.management.monitor.CounterMonitor but not
# javax.management.monitor.foo.Bar.
#
# A given role should have at most one entry in this file.  If a role
# has no entry, it has no access.
# If multiple entries are found for the same role name, then the last
# access entry is used.
#
#
# Default access control entries:
# o The "monitorRole" role has readonly access.
# o The "controlRole" role has readwrite access and can create the standard
#   Timer and Monitor MBeans defined by the JMX API.

monitorRole   readonly
controlRole   readwrite \
              create javax.management.monitor.*,javax.management.timer.* \
              unregister
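
# Added example, not part of the original file or of the JDK: a small Python
# auditor that applies the rules described above (continuation lines, last
# entry wins, "*" never crossing a dot) and lists grants beyond readonly.
# The names logical_lines, parse_access, pattern_matches, audit and SAMPLE are
# hypothetical, and it assumes role and level are separated by whitespace
# (the Properties format also allows "=" and ":").

```python
import re

def logical_lines(text):
    """Join backslash-continued lines; skip blank lines and # / ! comments."""
    pending = ""
    for raw in text.splitlines() + [""]:  # trailing "" flushes a dangling continuation
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
        else:
            yield pending + line
            pending = ""

def parse_access(text):
    """Return {role: (level, create_patterns, unregister)}; the last entry wins."""
    roles = {}
    for entry in logical_lines(text):
        tokens = entry.split()
        if len(tokens) < 2:
            continue  # malformed entry: role name without an access level
        role, level, rest = tokens[0], tokens[1], tokens[2:]
        patterns = rest[rest.index("create") + 1].split(",") if "create" in rest[:-1] else []
        roles[role] = (level, patterns, "unregister" in rest)
    return roles

def pattern_matches(pattern, class_name):
    """'*' matches any run of characters other than '.', as the file describes."""
    regex = "".join("[^.]*" if c == "*" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, class_name) is not None

def audit(text):
    """List the grants that go beyond read-only monitoring."""
    findings = []
    for role, (level, patterns, unregister) in sorted(parse_access(text).items()):
        if level == "readwrite":
            findings.append(f"{role}: readwrite")
            findings += [f"{role}: wildcard create {p}" for p in patterns if "*" in p]
            if unregister:
                findings.append(f"{role}: unregister")
    return findings

# Constructed sample input, not taken from a real deployment.
SAMPLE = """\
monitorRole readonly
controlRole readonly
controlRole readwrite \\
    create javax.management.monitor.*,javax.management.timer.* unregister
"""
```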