###################################################################### # Default Access Control File for Remote JMX(TM) Monitoring ###################################################################### # # Access control file for Remote JMX API access to monitoring. # This file defines the allowed access for different roles. The # password file (jmxremote.password by default) defines the roles and their # passwords. To be functional, a role must have an entry in # both the password and the access files. # # The default location of this file is $JRE/conf/management/jmxremote.access # You can specify an alternate location by specifying a property in # the management config file $JRE/conf/management/management.properties # (See that file for details) # # The file format for password and access files is syntactically the same # as the Properties file format. The syntax is described in the Javadoc # for java.util.Properties.load. # A typical access file has multiple lines, where each line is blank, # a comment (like this one), or an access control entry. # # An access control entry consists of a role name, and an # associated access level. The role name is any string that does not # itself contain spaces or tabs. It corresponds to an entry in the # password file (jmxremote.password). The access level is one of the # following: # "readonly" grants access to read attributes of MBeans. # For monitoring, this means that a remote client in this # role can read measurements but cannot perform any action # that changes the environment of the running program. # "readwrite" grants access to read and write attributes of MBeans, # to invoke operations on them, and optionally # to create or remove them. This access should be granted # only to trusted clients, since they can potentially # interfere with the smooth operation of a running program. # # The "readwrite" access level can optionally be followed by the "create" and/or # "unregister" keywords. The "unregister" keyword grants access to unregister # (delete) MBeans. The "create" keyword grants access to create MBeans of a # particular class or of any class matching a particular pattern. Access # should only be granted to create MBeans of known and trusted classes. # # For example, the following entry would grant readwrite access # to "controlRole", as well as access to create MBeans of the class # javax.management.monitor.CounterMonitor and to unregister any MBean: # controlRole readwrite \ # create javax.management.monitor.CounterMonitorMBean \ # unregister # or equivalently: # controlRole readwrite unregister create javax.management.monitor.CounterMBean # # The following entry would grant readwrite access as well as access to create # MBeans of any class in the packages javax.management.monitor and # javax.management.timer: # controlRole readwrite \ # create javax.management.monitor.*,javax.management.timer.* \ # unregister # # The \ character is defined in the Properties file syntax to allow continuation # lines as shown here. A * in a class pattern matches a sequence of characters # other than dot (.), so javax.management.monitor.* matches # javax.management.monitor.CounterMonitor but not # javax.management.monitor.foo.Bar. # # A given role should have at most one entry in this file. If a role # has no entry, it has no access. # If multiple entries are found for the same role name, then the last # access entry is used. # # # Default access control entries: # o The "monitorRole" role has readonly access. # o The "controlRole" role has readwrite access and can create the standard # Timer and Monitor MBeans defined by the JMX API. monitorRole readonly controlRole readwrite \ create javax.management.monitor.*,javax.management.timer.* \ unregister