
Need help implementing security on RMI based JMX console client connection

Sean Stephens
Ranch Hand

Joined: Oct 25, 2004
Posts: 40
Here's my situation: I have an external client providing JMX console services (it's MC4J) that connects to my JBoss 3.2.7 app server through RMI. I need to secure this connection with a username/password.

After hours of poring over Google results and the JBoss docs, I think I've got an idea of what needs to change, but what I need is help with specifics. If anyone has done something like this, could you either provide some examples or post some links to information about solving this particular problem?

So far, what I've discovered is:
a) there is a jboss-service.xml in [JBOSS_HOME]\server\gemserver\deploy\jmx-invoker-adaptor-server.sar\META-INF that controls the behavior of the remote invoker adaptor.
b) Uncommenting the AuthenticationInterceptor descriptor from the invoke operation in the xml causes the Invocation to be authenticated.
----------
<operation>
  <description>The detached invoker entry point</description>
  <name>invoke</name>
  <parameter>
    <description>The method invocation context</description>
    <name>invocation</name>
    <type>org.jboss.invocation.Invocation</type>
  </parameter>
  <return-type>java.lang.Object</return-type>
  <!-- Uncomment to require authenticated users. Also an AuthorizationInterceptor
       is provided which will help in authorizing users to make JMX calls at the
       MBean operations level. You will need to write a class that overrides a method
       with the signature
       "public Boolean authorize( Principal caller, Collection roles,String objectname,String opname)"
       is needed to be defined in the attribute 'authorizingClass' -->
  <descriptors>
    <interceptors>
      <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
                   securityDomain="java:/jaas/jmx-console"/>
    </interceptors>
  </descriptors>
</operation>
----------
What I get from the connecting application is an error:
java.lang.RuntimeException: java.lang.SecurityException: Failed to authenticate principal=null, securityDomain=jmx-console

I have provided the principal and credentials (username/password) to the connecting app, but for some reason at least the principal is not making it into the Invocation.

Questions:
1) Where are the usernames and passwords supposed to be defined? For the web console they are defined in properties files at [JBOSS_HOME]\server\gemserver\deploy\jmx-console.war\WEB-INF\classes named jmx-console-roles and jmx-console-users. Is there an equivalent way to define them for the Detached Invoker?

2) Is this a case where the remote JMX client is not providing the creds? (I think not, and I'm in the process of asking them if that's it)

3) Is there something else I'm supposed to do to require creds be supplied for RMI invocations of mbeans?
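
An added example (not part of the original post, and not JBoss code): a Python check that parses a jboss-service.xml like the one quoted above and reports, per operation, whether the AuthenticationInterceptor is active and which securityDomain it names. The two descriptors and the `<xmbean>` wrapper are constructed sample input, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

AUTH_INTERCEPTOR = "org.jboss.jmx.connector.invoker.AuthenticationInterceptor"

# Constructed sample: interceptor active, as in the post above.
SECURED = """
<xmbean>
  <operation>
    <name>invoke</name>
    <descriptors>
      <interceptors>
        <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
                     securityDomain="java:/jaas/jmx-console"/>
      </interceptors>
    </descriptors>
  </operation>
</xmbean>
"""

# Constructed sample: the same descriptor still wrapped in an XML comment.
COMMENTED_OUT = SECURED.replace("<descriptors>", "<!-- <descriptors>") \
                       .replace("</descriptors>", "</descriptors> -->")


def audit_operations(xml_text):
    """Map each <operation> name to its securityDomain, or None if unauthenticated."""
    # ElementTree drops comments, so a commented-out interceptor is simply absent.
    root = ET.fromstring(xml_text)
    result = {}
    for op in root.iter("operation"):
        name = (op.findtext("name") or "").strip()
        domain = None
        for ic in op.iterfind("descriptors/interceptors/interceptor"):
            if ic.get("code") == AUTH_INTERCEPTOR:
                domain = ic.get("securityDomain") or ""
        result[name] = domain
    return result


def unauthenticated(xml_text):
    """Names of operations with no active interceptor or an empty securityDomain."""
    return sorted(n for n, d in audit_operations(xml_text).items() if not d)


if __name__ == "__main__":
    for label, doc in (("secured", SECURED), ("commented out", COMMENTED_OUT)):
        print(label, audit_operations(doc), "unauthenticated:", unauthenticated(doc))
```
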