Jolokia may run as agent in various Java applications using -javaagent option.
These applications may use custom MBeanServerBuilder using -Djavax.management.builder.initial JVM option.

ActiveMQ Artemis uses such builder (org.apache.activemq.artemis.core.server.management.ArtemisRbacMBeanServerBuilder) which wraps access to platform MBeanServer using org.apache.activemq.artemis.core.server.management.ArtemisRbacInvocationHandler#ArtemisRbacInvocationHandler which applies RBAC on every operation.

The problem is that some of the MBeanServer access is performed by Jolokia itself outside of user request threads - this is related to initialization and history.

Let's try to wrap the initialization code within Subject.doAs() and see how it goes.

Mind that javax.security.auth.Subject#doAs() is marked as deprecated and for removal, because it's (a bit) related to Java Security Manager which is in the process of removal (see https://openjdk.org/jeps/411).

Since JDK 18 we have new methods (see https://inside.java/2024/07/08/quality-heads-up/):

• javax.security.auth.Subject#callAs() (replacement of Subject.doAs())
• javax.security.auth.Subject#current() (replacement of Subject.getSubject(AccessControlContext))

Linked issues:

• https://issues.redhat.com/browse/ENTMQBR-9335