I have been trying to secure the JConsole access to my stand-alone Java server, which uses Spring 2.5, but it seems anyone who knows the URL and JMX port can access JConsole without being challenged for login credentials. The Sun docs say that by default authentication is enabled, but it seems not.

http://java.sun.com/j2se/1.5.0/docs/...tml#connecting

Anyway, I have been trying to secure it via spring-jmx-config.xml, since providing JVM parameters when launching the server has no effect. Am I on the right track, or can somebody tell me what I am doing wrong? The doc says if you give it a non-existent password location you will not have access, but JConsole continues to be wide open...

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans-2.0.dtd">
<beans>
<bean class="org.springframework.remoting.rmi.RmiRegistryFactoryBean">
<property name="port" value="17999"/>
</bean>

<bean id="jmxServer" class="org.springframework.jmx.support.ConnectorServerFactoryBean">
<property name="serviceUrl" value="service:jmx:rmi://localhost/jndi/rmi://localhost:17999/Pipeline"/>
<property name="registrationBehaviorName" value="REGISTRATION_REPLACE_EXISTING"/>
<property name="environmentMap">
<map>
<entry key="com.sun.management.jmxremote.authenticate" value-ref="true"/>
<entry key="com.sun.management.jmxremote.password.file" value-ref="foo"/>
</map>
</property>

</bean>

<bean id="mbeanExporter" class="org.springframework.jmx.export.MBeanExporter">
....
</bean>

</beans>

Thanks in advance to anyone who can point me in the right direction.
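
Added example, not part of the original post: the `com.sun.management.jmxremote.*` names are system properties read by the JVM's built-in management agent, whereas a connector server created through `JMXConnectorServerFactory` (which is where `ConnectorServerFactoryBean` hands its `environmentMap`) takes its authentication from `jmx.remote.authenticator` or `jmx.remote.x.password.file`. The Java program below starts a connector on the post's URL with an authenticator in that map and checks that connections without valid credentials are refused; the class name, user name and password are constructed for the demonstration.

```java
import java.lang.management.ManagementFactory;
import java.rmi.registry.LocateRegistry;
import java.util.*;
import javax.management.remote.*;
import javax.security.auth.Subject;

public class SecuredJmxConnectorDemo {
    // Constructed demo credentials; a real deployment keeps these outside the source.
    static final String USER = "monitor", PASSWORD = "example-only";

    public static void main(String[] args) throws Exception {
        LocateRegistry.createRegistry(17999); // registry port from the post
        JMXServiceURL url = new JMXServiceURL(
            "service:jmx:rmi://localhost/jndi/rmi://localhost:17999/Pipeline");

        // Same role as Spring's environmentMap: the connector server reads its
        // authentication settings from this map, not from JVM system properties.
        Map<String, Object> env = new HashMap<>();
        env.put(JMXConnectorServer.AUTHENTICATOR, (JMXAuthenticator) credentials -> {
            if (!(credentials instanceof String[])) throw new SecurityException("Credentials required");
            String[] c = (String[]) credentials;
            if (c.length != 2 || !USER.equals(c[0]) || !PASSWORD.equals(c[1]))
                throw new SecurityException("Invalid credentials");
            return new Subject(true, Collections.singleton(new JMXPrincipal(c[0])),
                               Collections.emptySet(), Collections.emptySet());
        });
        JMXConnectorServer server = JMXConnectorServerFactory.newJMXConnectorServer(
            url, env, ManagementFactory.getPlatformMBeanServer());
        server.start();
        try {
            System.out.println("no credentials    -> " + canConnect(url, null));
            System.out.println("wrong password    -> " + canConnect(url, new String[] {USER, "guess"}));
            System.out.println("valid credentials -> " + canConnect(url, new String[] {USER, PASSWORD}));
        } finally {
            server.stop();
        }
        System.exit(0); // the in-process RMI registry would otherwise keep the JVM alive
    }

    // Returns true only if the server lets this client open a connection.
    static boolean canConnect(JMXServiceURL url, String[] creds) throws java.io.IOException {
        Map<String, Object> clientEnv = new HashMap<>();
        if (creds != null) clientEnv.put(JMXConnector.CREDENTIALS, creds);
        try (JMXConnector connector = JMXConnectorFactory.connect(url, clientEnv)) {
            return connector.getMBeanServerConnection().getMBeanCount() > 0;
        } catch (SecurityException rejected) {
            return false;
        }
    }
}
```

In the Spring file the equivalent is an `environmentMap` entry keyed `jmx.remote.authenticator` with a `value-ref` to a `JMXAuthenticator` bean, or one keyed `jmx.remote.x.password.file` with the password file path as its `value`.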