Openfire JMX → HTTP Bridge

What this server provides

• HTTP/JSON access to JMX MBeans in the running Openfire instance (via Jolokia).
• A small, stable API surface that monitoring systems (Prometheus exporters, scripts, dashboards) can poll.
• Optional integration points for authentication, CORS, and request filtering so you can operate in secure environments.

Primary endpoints

Assuming the plugin is mounted at / on your Openfire admin webserver, typical endpoints are:

• GET / - This index page (you are here).
• POST /jolokia/ - Jolokia JSON POST API (bulk/read/exec requests).
• GET /jolokia/read/<mbean>/<attribute> - Jolokia read by path (simple GET).
• GET /health - Health/status endpoint returning a minimal JSON payload (plugin alive, Jolokia available).
• GET /version - Plugin version and brief runtime info.

Example usage

Basic read of an MBean attribute using curl (GET):

curl -u admin:secret \
  "https://example.org:9291/jolokia/read/org.igniterealtime.openfire:type=Statistic,name=sessions"

GET-style Jolokia request that reads multiple attributes in one call:

curl -u admin:secret \
  "https://example.org:9291/jolokia/read/org.igniterealtime.openfire:type=Statistic,name=*"

Refer to the Jolokia protocol documentation for additional details.

Configuration

The Openfire admin console can be used to configure this bridge.

Authentication & Authorization

This bridge must be treated as sensitive: it exposes internal runtime state. Recommended deployment practices:

• Protect endpoints with authentication. Two options are provided: basic authentication and shared secret.
• Limit access by network (firewall rules, reverse proxy allowlists) so only trusted monitoring hosts can reach the plugin.
• Prefer TLS (HTTPS) for all traffic. Do not expose this endpoint over plain HTTP on public networks.

Important: Do not enable anonymous access to the Jolokia endpoint. By default, the plugin should require authentication.