While there appears to be some documentation on how to expose JMX through various firewall and tunneling schemes, I sort of want the opposite. I want to ensure that JMX is only accessible to the local machine. Unfortunately it appears that the "out of the box" management options do not allow restricting the ports to a local interface, and netstat shows them listening on any/all interfaces.
http://java.sun.com/javase/6/docs/technotes/guides/management/agent.html#gdevf
I have to admit I am bewildered by the layers of indirection in JMX, the RMI registry, connectors, adapters, etc.
I would like to just turn it on and then tunnel through SSH as opposed to exposing it to the world and then having to perform arduous and superfluous user management and security configuration. It would be nice to be able to use a built-in RMI registry and not have to run an external one.