jdk/src/share/lib/management/jmxremote.access
changeset 2621 78567495e352
parent 2 90ce3da70b43
--- a/jdk/src/share/lib/management/jmxremote.access	Fri Mar 06 12:40:38 2009 +0300
+++ b/jdk/src/share/lib/management/jmxremote.access	Mon Mar 09 23:50:11 2009 +0100
@@ -8,7 +8,7 @@
 # passwords.  To be functional, a role must have an entry in
 # both the password and the access files.
 #
-# Default location of this file is $JRE/lib/management/jmxremote.access
+# The default location of this file is $JRE/lib/management/jmxremote.access
 # You can specify an alternate location by specifying a property in 
 # the management config file $JRE/lib/management/management.properties
 # (See that file for details)
@@ -16,7 +16,7 @@
 # The file format for password and access files is syntactically the same
 # as the Properties file format.  The syntax is described in the Javadoc
 # for java.util.Properties.load.
-# Typical access file has multiple  lines, where each line is blank,
+# A typical access file has multiple lines, where each line is blank,
 # a comment (like this one), or an access control entry.
 #
 # An access control entry consists of a role name, and an
@@ -29,10 +29,38 @@
 #                   role can read measurements but cannot perform any action
 #                   that changes the environment of the running program.
 #       "readwrite" grants access to read and write attributes of MBeans,
-#                   to invoke operations on them, and to create or remove them.
-#		    This access should be granted to only trusted clients, 
-#                   since they can potentially interfere with the smooth
-#		    operation of a running program 
+#                   to invoke operations on them, and optionally
+#                   to create or remove them. This access should be granted
+#                   only to trusted clients, since they can potentially
+#                   interfere with the smooth operation of a running program.
+#
+# The "readwrite" access level can optionally be followed by the "create" and/or
+# "unregister" keywords.  The "unregister" keyword grants access to unregister
+# (delete) MBeans.  The "create" keyword grants access to create MBeans of a
+# particular class or of any class matching a particular pattern.  Access
+# should only be granted to create MBeans of known and trusted classes.
+#
+# For example, the following entry would grant readwrite access
+# to "controlRole", as well as access to create MBeans of the class
+# javax.management.monitor.CounterMonitor and to unregister any MBean:
+#  controlRole readwrite \
+#              create javax.management.monitor.CounterMonitorMBean \
+#              unregister
+# or equivalently:
+#  controlRole readwrite unregister create javax.management.monitor.CounterMBean
+#
+# The following entry would grant readwrite access as well as access to create
+# MBeans of any class in the packages javax.management.monitor and
+# javax.management.timer:
+#  controlRole readwrite \
+#              create javax.management.monitor.*,javax.management.timer.* \
+#              unregister
+#
+# The \ character is defined in the Properties file syntax to allow continuation
+# lines as shown here.  A * in a class pattern matches a sequence of characters
+# other than dot (.), so javax.management.monitor.* matches
+# javax.management.monitor.CounterMonitor but not
+# javax.management.monitor.foo.Bar.
 #
 # A given role should have at most one entry in this file.  If a role
 # has no entry, it has no access.
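Review bot: The worked example for `create` does not match its own description. The text names the class `javax.management.monitor.CounterMonitor`, but the multi-line entry grants `create javax.management.monitor.CounterMonitorMBean` and the "or equivalently" entry grants `create javax.management.monitor.CounterMBean`. The two entries are therefore not equivalent as written, and an administrator copying either one would authorize a name other than the class the text describes. Both entries should read `create javax.management.monitor.CounterMonitor`, which is also the class the pattern explanation uses a few lines below.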
@@ -42,7 +70,10 @@
 #
 # Default access control entries:
 # o The "monitorRole" role has readonly access.  
-# o The "controlRole" role has readwrite access.
+# o The "controlRole" role has readwrite access and can create the standard
+#   Timer and Monitor MBeans defined by the JMX API.
 
 monitorRole   readonly
-controlRole   readwrite
+controlRole   readwrite \
+              create javax.management.monitor.*,javax.management.timer.* \
+              unregister
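Review bot: The updated "Default access control entries" comment omits that the shipped controlRole entry also carries `unregister`, which the description added earlier in this file says grants access to unregister MBeans. Because this is the out-of-the-box grant, the comment should state it, for example `# o The "controlRole" role has readwrite access, can create the standard Timer and Monitor MBeans defined by the JMX API, and can unregister any MBean.` It would also help to note that the `create` patterns cover every class in javax.management.monitor and javax.management.timer rather than a named list. Deployments that do not need runtime MBean creation or removal can then see that they should narrow this entry.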