<p>Hawtio consists of two main components: the server runtime and client console. The server runtime is the Java backend that runs on the server side, and the client console is the JavaScript frontend that is deployed and runs on the browser.</p>
194
200
</div>
201
+
<divclass="admonitionblock note">
202
+
<table>
203
+
<tr>
204
+
<tdclass="icon">
205
+
<iclass="fa icon-note" title="Note"></i>
206
+
</td>
207
+
<tdclass="content">
208
+
More information about the components can be found in <ahref="developers/architecture.html" class="xref page">Hawtio Architecture</a> chapter.
209
+
</td>
210
+
</tr>
211
+
</table>
212
+
</div>
195
213
<divclass="paragraph">
196
214
<p>Therefore, two types of configuration are provided for Hawtio:</p>
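Review bot: The new note is inserted between the paragraph that introduces the two components and the sentence beginning "Therefore, two types of configuration are provided", so "Therefore" no longer follows the statement it depends on. Consider moving the admonition after the "Therefore" paragraph or after the list it introduces. Also, "can be found in Hawtio Architecture chapter" is missing an article: "in the Hawtio Architecture chapter".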
<tdclass="tableblock halign-left valign-top"><pclass="tableblock"><code>false</code> in SpringBoot and WAR deployments, <code>true</code> in Quarkus deployments.</p></td>
249
267
<tdclass="tableblock halign-left valign-top"><pclass="tableblock">With this property set to <code>true</code>, <code>ProxyServlet</code> (<code>/hawtio/proxy/*</code>) can be disabled. This makes Connect plugin unavailable, which means Hawtio can no longer connect to remote JVMs, but sometimes users might want to do so because of security if Connect plugin is not used.</p></td>
<tdclass="tableblock halign-left valign-top"><pclass="tableblock">Whether local address probing for proxy allowlist is enabled or not upon startup. Set this property to <code>false</code> to disable it.</p></td>
272
+
<tdclass="tableblock halign-left valign-top"><pclass="tableblock">Whether <ahref="https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/net/NetworkInterface.html#getNetworkInterfaces()">all local addresses</a>for proxy allowlist should be allowed. Set this property to <code>false</code> to use only <code>127.0.0.1</code> and <code>localhost</code> addresses.</p></td>
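Review bot: The added description for allowing all local addresses does not say how it interacts with the probing property in the row above it. A reader cannot tell whether this setting has any effect when local address probing is set to false, or which of the two wins. Please state the relationship explicitly. Since the secure choice here is the restricted one (only 127.0.0.1 and localhost), it is also worth saying in this cell that every address returned by getNetworkInterfaces() becomes a permitted proxy target when the property is true.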
<tdclass="tableblock halign-left valign-top"><pclass="tableblock">Comma-separated allowlist for target hosts that Connect plugin can connect to via <code>ProxyServlet</code>. All hosts that are not listed in this allowlist are denied to connect for security reasons. This option can be set to <code>*</code> to allow all hosts. Prefixing an element of the list with <code>"r:"</code> allows to define a regexp (example: <code>localhost,r:myserver[0-9]+.mydomain.com</code>)</p></td>
277
+
<tdclass="tableblock halign-left valign-top"><pclass="tableblock">Comma-separated allowlist for target hosts that Connect plugin can connect to via <code>ProxyServlet</code>. All hosts that are not listed in this allowlist are forbidden to connect to for security reasons. This option can be set to <code>*</code> to allow all hosts. Prefixing an element of the list with <code>"r:"</code> allows to define a regexp (example: <code>localhost,r:myserver[0-9]+.mydomain.com</code>)</p></td>
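Review bot: The regexp example on the reworded allowlist row, r:myserver[0-9]+.mydomain.com, leaves the dots unescaped, so each "." matches any character and the pattern admits host names other than the intended ones. Because readers copy this example into a security control, it should read r:myserver[0-9]+\.mydomain\.com. While touching this sentence, "allows to define a regexp" would read better as "lets you define a regexp", and the note that * allows all hosts deserves a short statement that doing so removes the allowlist protection entirely.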
<tdclass="tableblock halign-left valign-top"><pclass="tableblock">The scheme of the redirect URL to login page when authentication is required.</p></td>
292
+
<tdclass="tableblock halign-left valign-top"><pclass="tableblock">The scheme of the redirect URL to login page when authentication is required. When this scheme is not configured, Hawtio sends redirects in the form
293
+
of <code>/hawtio/login</code> instead of absolute address with host name and port number.</p></td>
<tdclass="tableblock halign-left valign-top"><pclass="tableblock">The maximum time interval, in seconds, that the servlet container will keep this session open between client accesses. If this option is not configured, then Hawtio uses the default session timeout of the servlet container.</p></td>
<tdclass="tableblock halign-left valign-top"><pclass="tableblock">Whether CORS filter is enabled and checks for permitted <code>Origin</code> HTTP header values.</p></td>
<tdclass="tableblock halign-left valign-top"><pclass="tableblock">When <code>hawtio.http.enableCORS</code> option is enabled, Hawtio responds to <ahref="https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request">CORS pre-flight requests</a> with CORS headers. This options allows to set the value returned in <code>Access-Control-Allow-Origin</code> response header.</p></td>
<tdclass="tableblock halign-left valign-top"><pclass="tableblock">What value Hawtio sends with <ahref="https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Referrer-Policy"><code>Referrer-Policy</code></a> response header.</p></td>
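Review bot: On the Access-Control-Allow-Origin row, "This options allows to set the value" has a typo and awkward phrasing; suggest "This option sets the value". The same cell says the header is sent in response to pre-flight requests when hawtio.http.enableCORS is enabled, but it does not say what is returned when this option is left unset, which is the case most readers will be in. Please document that behaviour, and do the same for the Referrer-Policy row, which names the header but gives no indication of the value sent by default.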
<h2id="_configuring_jolokia_through_system_properties"><aclass="anchor" href="#_configuring_jolokia_through_system_properties"></a>Configuring Jolokia through System properties</h2>
301
367
<divclass="sectionbody">
302
368
<divclass="paragraph">
303
-
<p>The Jolokia agent is deployed automatically with<code>io.hawt.web.JolokiaConfiguredAgentServlet</code> that extends Jolokia native <code>org.jolokia.server.core.http.AgentServlet</code> class, defined in <code>hawtio-war/WEB-INF/web.xml</code>.</p>
369
+
<p>The Jolokia agent is deployed automatically as<code>org.jolokia.server.core.http.AgentServlet</code> servlet class, defined in <code>hawtio-war/WEB-INF/web.xml</code>.</p>
304
370
</div>
305
371
<divclass="paragraph">
306
372
<p>If you want to customize the Jolokia Servlet with the configuration parameters that are defined in the <ahref="https://jolokia.org/reference/html/manual/agents.html#agent-war-init-params">Jolokia documentation</a>, you can pass them as System properties prefixed with <code>jolokia.</code>. For example:</p>
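Review bot: The changed sentence now names org.jolokia.server.core.http.AgentServlet directly instead of io.hawt.web.JolokiaConfiguredAgentServlet, but the unchanged paragraph that follows still tells readers to pass Jolokia parameters as System properties prefixed with jolokia. Please confirm that this still holds with the plain AgentServlet and say which component reads those properties, since the sentence that previously named the Hawtio subclass is gone. If the mechanism has changed, the following paragraph needs updating in the same commit.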
<p>For some runtimes that support Hawtio RBAC (role-based access control) <supclass="footnote">[<aid="_footnoteref_1" class="footnote" href="#_footnotedef_1" title="View footnote.">1</a>]</sup>, Hawtio provides a custom <ahref="https://jolokia.org/reference/html/manual/security.html#security-restrictor">Jolokia restrictor</a> implementation that provides an additional layer of protection over JMX operations based on the ACL (access control list) policy.</p>
317
-
</div>
318
-
<divclass="admonitionblock warning">
319
-
<table>
320
-
<tr>
321
-
<tdclass="icon">
322
-
<iclass="fa icon-warning" title="Warning"></i>
323
-
</td>
324
-
<tdclass="content">
325
-
You cannot use Hawtio RBAC with Quarkus and Spring Boot yet. Enabling the RBAC restrictor on those runtimes only imposes additional load without any gains.
326
-
</td>
327
-
</tr>
328
-
</table>
329
-
</div>
330
-
<divclass="paragraph">
331
-
<p>To activate the Hawtio RBAC restrictor, configure the Jolokia parameter <code>restrictorClass</code> via System property to use <code>io.hawt.web.RBACRestrictor</code> as follows:</p>
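Review bot: This removal drops both the warning that RBAC cannot be used with Quarkus and Spring Boot and the paragraph explaining how to activate the restrictor through restrictorClass with io.hawt.web.RBACRestrictor, while the retained paragraph still advertises the custom Jolokia restrictor for "some runtimes that support Hawtio RBAC". With only the visible lines, a reader can no longer tell which runtimes are supported, whether the restrictor is now enabled by default, or how to turn it on. Please add replacement text stating the current behaviour, or remove the remaining restrictor paragraph as well if the feature is no longer user-configurable.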