Access JMX MBeans through Sirona webapp
Accessing JMX MBeans through a web port is a regular need. However, it is not always easy to find a solution. A simple way to do it is to use the Sirona webapp, which will activate JMX for the local machine by default, and add some servlet security on top of it.
However, the default Sirona webapp doesn't work out of the box for that need because it was packaged to be used either with server monitoring or with its javaagent, so some jars will be missing from the webapp if you don't care about the other features. To ensure it works if you don't need the other features, we will repackage the webapp to include all jars.
To do so, we start from the webapp and unpack the .war into a folder called sirona. The war can be found on Maven Central as sirona-reporting-webapp-full.war. Then we need to add in WEB-INF/lib:
Finally, copy the sirona folder (or repackage it as a war), deploy it into your container (Tomcat for instance) and restart your server. You can then access the sirona context (generally http://localhost:8080/sirona by default) and select the JMX tab. You should see the JMX tree and be able to browse the MBeans.
At that point you have functional JMX access, but it is not secured. While that can be acceptable for a benchmark or dev environment, it will not be tolerated for a production deployment. To secure the application you have a few simple options:
- Add a Tomcat valve implementing the security checks
- Configure Servlet security in the web.xml of the application
To keep it more portable we will use the last option. It mainly consists of inserting the following content into the WEB-INF/web.xml of our sirona folder:
<security-constraint>
  <display-name>SironaSecurity</display-name>
  <web-resource-collection>
    <web-resource-name>SironaResources</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>sirona</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>sironaRealm</realm-name>
</login-config>
Note that we could use the meta-role **, which means any logged-in user, but we used a real role name (sirona) so that a logged-in user cannot access the webapp without any other check.
Now you just have to configure the sironaRealm in your container and ensure some users have the sirona role.
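One way to check the edited WEB-INF/web.xml before deploying, as an added example that is not from the original article or the Sirona project. The helper name audit_web_xml and the sample descriptor are assumptions, and the transport-guarantee and http-method checks go beyond what the article configures.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the article's constraint inside a minimal web.xml.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SironaResources</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>sirona</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method><realm-name>sironaRealm</realm-name>
  </login-config>
</web-app>"""


def _texts(node, name):
    # Text of every descendant called `name`, ignoring the XML namespace prefix.
    return [(e.text or "").strip() for e in node.iter()
            if e.tag.rsplit("}", 1)[-1] == name]


def audit_web_xml(xml_text):
    """Hypothetical helper: return findings; an empty list means all checks pass."""
    root = ET.fromstring(xml_text)
    findings = []
    covering = [c for c in root.iter()
                if c.tag.rsplit("}", 1)[-1] == "security-constraint"
                and "/*" in _texts(c, "url-pattern")]
    if not covering:
        findings.append("no security-constraint covers /*")
    for c in covering:
        roles = _texts(c, "role-name")
        if not roles:
            findings.append("constraint on /* names no role")
        if any(r in ("*", "**") for r in roles):
            findings.append("meta-role used instead of a named role")
        if _texts(c, "http-method"):
            findings.append("http-method listed: other methods stay unprotected")
        if "CONFIDENTIAL" not in _texts(c, "transport-guarantee"):
            findings.append("no CONFIDENTIAL transport-guarantee: HTTPS not enforced")
    if not _texts(root, "auth-method"):
        findings.append("no login-config auth-method")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_web_xml(SAMPLE_WEB_XML)))
```

Run against the article's constraint, it reports only the missing transport guarantee, which matters because BASIC sends the password base64-encoded rather than encrypted; a user-data-constraint with a CONFIDENTIAL transport-guarantee inside the security-constraint clears it.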
This is not the only way to access your JMX tree through your HTTP port, but it stays quite simple and the setup doesn't take more than 10 minutes, which is really appreciated when you need the info quickly, like during a benchmark or in a dev environment. Also note that Sirona has many more features and you can get more monitoring for free with little extra effort, so don't hesitate to have a deeper look!