While there appears to be some documentation on how to expose JMX through various firewall and tunneling schemes, I sort of want the opposite. I want to ensure that JMX is only ac
If you're accessing from the local host then it is possible to do what JConsole and JVisualVM do in this case, which is to use the Attach API to find the local-only address of the server (what you get if you run with -Dcom.sun.management.jmxremote but not -Dcom.sun.management.jmxremote.port=N) and connect to that. In another answer, Thraidh says that a remotely-accessible port is opened even in this case, which was true in earlier versions but has not been so for a couple of years.
Fredrik's solution works but is overkill. You only need to define an RMIServerSocketFactory, not an RMISocketFactory (which defines both client and server). This eliminates the need to configure the client specially. The code at http://vafer.org/blog/20061010091658 looks correct to me.
The "out-of-the-box" management constructed with command-line properties like -Dcom.sun.management.jmxremote can only take you so far before you need to start programming with the JMX API itself. We've generally been reluctant to have the out-of-the-box management evolve into a complete parallel API, which is why there are problems like this one that are out of its reach. We explain how to go from one to the other here.
Éamonn McManus, JMX Spec Lead