From 6a092177ba5b3117153633ca9f83df3522d493a3 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico <andrea.dellamico@isti.cnr.it>
Date: Mon, 15 Jun 2015 18:54:51 +0200
Subject: [PATCH] library/roles/tomcat,
 library/roles/tomcat-multiple-instances: Fix
 https://issue.openaire.research-infrastructures.eu/issues/1059 providing a
 way to disable the additional JMX ports and to allow opening the JMX interface
 on localhost only.

---
 tomcat-multiple-instances/defaults/main.yml     |  5 +++++
 .../templates/tomcat-default.j2                 | 17 ++++++++++++++---
 tomcat/defaults/main.yml                        |  1 +
 tomcat/templates/tomcat-default.j2              |  8 +++++---
 4 files changed, 25 insertions(+), 6 deletions(-)

diff --git a/tomcat-multiple-instances/defaults/main.yml b/tomcat-multiple-instances/defaults/main.yml
index c1f8cd0f..49cbba47 100644
--- a/tomcat-multiple-instances/defaults/main.yml
+++ b/tomcat-multiple-instances/defaults/main.yml
@@ -36,6 +36,11 @@ tomcat_m_enable_remote_debugging: False
 tomcat_m_remote_debugging_port: 8100
 tomcat_m_jmx_enabled: False
 tomcat_m_jmx_auth_enabled: False
+tomcat_m_jmx_use_ssl: False
+# The following works with jdk >= 7.0.25 only
+tomcat_m_jmx_disable_additional_ports: True
+tomcat_m_jmx_localhost_only: False
+
 #tomcat_m_jmx_auth_dir: '{{ tomcat_m_instances_base_path }}'
 # tomcat_m_jmx_monitorpass: define_in_a_vault_file
 # tomcat_m_jmx_controlpass: define_in_a_vault_file
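Review bot: `tomcat_m_jmx_localhost_only: False` leaves the new restriction off by default while `tomcat_m_jmx_auth_enabled` and `tomcat_m_jmx_use_ssl` also default to `False`, so setting only `tomcat_m_jmx_enabled` still yields an unauthenticated, unencrypted JMX port. A fail-closed default, `tomcat_m_jmx_localhost_only: True`, would make remote exposure an explicit choice. The comment `# The following works with jdk >= 7.0.25 only` should also name the variable it covers, since it is unclear whether it applies to the next line or the next two; if it means the port pinning, write `# tomcat_m_jmx_disable_additional_ports works with jdk >= 7.0.25 only`.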
diff --git a/tomcat-multiple-instances/templates/tomcat-default.j2 b/tomcat-multiple-instances/templates/tomcat-default.j2
index f820c6c0..0152cd9b 100644
--- a/tomcat-multiple-instances/templates/tomcat-default.j2
+++ b/tomcat-multiple-instances/templates/tomcat-default.j2
@@ -12,16 +12,27 @@ JAVA_OPTS="{{ item.java_gc_opts }} $JAVA_OPTS"
 JAVA_OPTS="${JAVA_OPTS} {{ item.other_java_opts }}"
 {% endif %}
 {% if item.jmx_enabled is defined and item.jmx_enabled %}
-JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port={{ item.jmx_port }} -Dcom.sun.management.jmxremote.ssl=false"
+JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port={{ item.jmx_port }}"
+{% if item.jmx_use_ssl is defined and item.jmx_use_ssl %}
+JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.ssl=true"
+{% else %}
+JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.ssl=false"
+{% endif %}
+{% if item.jmx_localhost_only is defined and item.jmx_localhost_only %}
+JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.local.only=true"
+{% endif %}
 {% if item.jmx_auth_enabled is defined and item.jmx_auth_enabled %}
 JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.password.file={{ item.jmx_auth_dir }}/jmxremote.password -Dcom.sun.management.jmxremote.access.file={{ item.jmx_auth_dir }}/jmxremote.access"
 {% else %}
 JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.authenticate=false"
 {% endif %}
+{% if item.jmx_disable_additional_ports is defined and item.jmx_disable_additional_ports %}
+JAVA_OPTS="${JAVA_OPTS} -XX:+DisableAttachMechanism -Dcom.sun.management.jmxremote.rmi.port={{ item.jmx_port }}"
+{% endif %}
+
 {% endif %}
 {% if item.remote_debugging is defined and item.remote_debugging %}
-# To enable remote debugging uncomment the following line.
-# You will then be able to use a java debugger on port {{ item.remote_debugging_port }}.
+# You will be able to use a java debugger on port {{ item.remote_debugging_port }}.
 JAVA_OPTS="${JAVA_OPTS} -Xdebug -Xrunjdwp:transport=dt_socket,address={{ item.remote_debugging_port }},server=y,suspend=n"
 {% endif %}
 # WARNING: This directory will be destroyed and recreated at every startup !
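Review bot: The `-Dcom.sun.management.jmxremote.local.only=true` line under `item.jmx_localhost_only` probably does not deliver what the variable name promises. As documented for the JDK, that property governs the local connector rather than the listener opened by `jmxremote.port`, so the remote port would likely still accept non-local connections. Restricting the listener needs a bind address, e.g. `-Dcom.sun.management.jmxremote.host=127.0.0.1` on JDK builds that support that property (to be verified for the targeted JDK), or a host firewall rule. The same applies to `local.only={{ tomcat_jmx_localhost_only }}` in tomcat/templates/tomcat-default.j2. Please confirm the result with a listening-socket check on a deployed instance; the template continues outside this hunk.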
diff --git a/tomcat/defaults/main.yml b/tomcat/defaults/main.yml
index dfdc8efc..e47af9da 100644
--- a/tomcat/defaults/main.yml
+++ b/tomcat/defaults/main.yml
@@ -36,6 +36,7 @@ tomcat_tmp_dir: '{{ tomcat_catalina_base_dir }}/tmp/tomcat'
 # JMX and debugging
 tomcat_enable_remote_debugging: False
 tomcat_remote_debugging_port: 8000
+#
 tomcat_jmx_enabled: False
 tomcat_jmx_auth_enabled: False
 tomcat_jmx_port: 8082
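Review bot: This hunk adds only a bare `#`, yet tomcat/templates/tomcat-default.j2 in the same patch now reads `tomcat_jmx_use_ssl`, `tomcat_jmx_localhost_only` and `tomcat_jmx_disable_additional_ports` with no `is defined` guard. Unless those variables are defined elsewhere outside this patch, rendering with `tomcat_jmx_enabled` set will fail on an undefined variable. The defaults should be added here, mirroring the multi-instance role: `tomcat_jmx_use_ssl: False`, `tomcat_jmx_localhost_only: True`, `tomcat_jmx_disable_additional_ports: True`. The stray `#` line can be dropped or replaced with a real section comment.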
diff --git a/tomcat/templates/tomcat-default.j2 b/tomcat/templates/tomcat-default.j2
index 127207d7..88f5d7ca 100644
--- a/tomcat/templates/tomcat-default.j2
+++ b/tomcat/templates/tomcat-default.j2
@@ -24,16 +24,18 @@ JAVA_OPTS="${JAVA_OPTS} {{ tomcat_java_gc_opts }}"
 JAVA_OPTS="${JAVA_OPTS} {{ tomcat_other_java_opts }}"
 {% endif %}
 {% if tomcat_jmx_enabled %}
-JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port={{ tomcat_jmx_port }} -Dcom.sun.management.jmxremote.ssl=false"
+JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port={{ tomcat_jmx_port }} -Dcom.sun.management.jmxremote.ssl={{ tomcat_jmx_use_ssl }} -Dcom.sun.management.jmxremote.local.only={{ tomcat_jmx_localhost_only }}"
 {% if tomcat_jmx_auth_enabled %}
 JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.password.file={{ tomcat_jmx_auth_dir }}/jmxremote.password -Dcom.sun.management.jmxremote.access.file={{ tomcat_jmx_auth_dir }}/jmxremote.access"
 {% else %}
 JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.authenticate=false"
 {% endif %}
+{% if tomcat_jmx_disable_additional_ports %}
+JAVA_OPTS="${JAVA_OPTS} -XX:+DisableAttachMechanism -Dcom.sun.management.jmxremote.rmi.port={{ tomcat_jmx_port }}"
+{% endif %}
 {% endif %}
 {% if tomcat_enable_remote_debugging %}
-# To enable remote debugging uncomment the following line.
-# You will then be able to use a java debugger on port {{ tomcat_remote_debugging_port }}.
+# You will be able to use a java debugger on port {{ tomcat_remote_debugging_port }}.
 JAVA_OPTS="${JAVA_OPTS} -Xdebug -Xrunjdwp:transport=dt_socket,address={{ tomcat_remote_debugging_port }},server=y,suspend=n"
 {% endif %}
 # Location of the JVM temporary directory
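Review bot: `-Dcom.sun.management.jmxremote.ssl={{ tomcat_jmx_use_ssl }}` interpolates the raw variable, unlike the multi-instance template, which emits literal `true`/`false`. A string value such as `yes` from an inventory or extra-vars would be written verbatim, and the JVM would presumably read it as false, turning SSL off without any error. Normalising it fixes that: `-Dcom.sun.management.jmxremote.ssl={{ tomcat_jmx_use_ssl | bool | lower }}`, and likewise for `local.only={{ tomcat_jmx_localhost_only | bool | lower }}`. The `{% if tomcat_jmx_enabled %}` block starts above this line and the template continues past the hunk.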