Disabling access to MBeans

You may wish to disable or restrict access to MBeans in security-conscious environments. You can do this using either of the following techniques.

The first technique is to use the stopManagement() method of ManagementMBean. This method unregisters all of the Derby MBeans except ManagementMBean itself, so it does not turn access off completely.

The second technique is to run the Network Server with a custom security policy that does not grant derby.jar the permissions needed to register MBeans. For example, you can modify the Network Server's basic policy by commenting out this section:

// Allows access to Derby's built-in MBeans, within the domain
// org.apache.derby.
// Derby must be allowed to register and unregister these MBeans.
// It is possible to allow access only to specific MBeans, attributes or
// operations. To fine tune this permission, see the javadoc of
// javax.management.MBeanPermission or the JMX Instrumentation and Agent
// Specification.
//
permission javax.management.MBeanPermission
    "org.apache.derby.*#[org.apache.derby:*]",
    "registerMBean,unregisterMBean";

If the permission to register MBeans is not granted to derby.jar, Derby will silently skip starting the management service at boot time.

See "Configuring Java security" in the Derby Security Guide for information about customizing the Network Server's security policy.
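To confirm that either technique took effect, you can list what is still registered in the org.apache.derby domain. The class below is an added example, not part of Derby or its documentation. The class name DerbyMBeanAudit and the state labels are hypothetical, and it assumes that Derby registers its MBeans with the platform MBean server and that ManagementMBean carries the key property type=Management.

```java
import java.lang.management.ManagementFactory;
import java.util.Set;
import java.util.TreeSet;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;

// Hypothetical audit helper: reports which Derby MBeans are still registered.
public class DerbyMBeanAudit {

    /** Returns every MBean name registered in the org.apache.derby domain. */
    static Set<ObjectName> derbyMBeans(MBeanServerConnection conn) throws Exception {
        // The domain pattern matches the one in the policy entry: [org.apache.derby:*]
        return new TreeSet<>(conn.queryNames(new ObjectName("org.apache.derby:*"), null));
    }

    /**
     * DISABLED        - nothing registered (expected when the policy withholds
     *                   registerMBean from derby.jar).
     * MANAGEMENT_ONLY - only ManagementMBean remains (expected after
     *                   stopManagement()).
     * EXPOSED         - other Derby MBeans are still registered.
     */
    static String classify(Set<ObjectName> names) {
        if (names.isEmpty()) {
            return "DISABLED";
        }
        for (ObjectName name : names) {
            // Assumption: ManagementMBean is registered with type=Management.
            if (!"Management".equals(name.getKeyProperty("type"))) {
                return "EXPOSED";
            }
        }
        return "MANAGEMENT_ONLY";
    }

    public static void main(String[] args) throws Exception {
        // Run inside the JVM that hosts Derby; a remote MBeanServerConnection
        // can be passed to derbyMBeans() instead.
        Set<ObjectName> names = derbyMBeans(ManagementFactory.getPlatformMBeanServer());
        names.forEach(name -> System.out.println("  " + name));
        String state = classify(names);
        System.out.println("Derby MBean state: " + state);
        // Non-zero exit lets a deployment check fail when MBeans are still exposed.
        System.exit("EXPOSED".equals(state) ? 1 : 0);
    }
}
```

Because a denied registration is skipped silently, a check like this is the way to tell a working restriction from a policy file that was never loaded.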

Related reference
Enabling remote JMX with no authentication or SSL
Enabling remote JMX with password authentication only
Enabling remote JMX with password authentication and SSL
Simple authorization using an access file
Fine-grained authorization using a security policy