Here's my situation, I have an external client providing JMX console services (its MC4J) that connects to my JBoss 3.2.7 app server through RMI. I need to secure this connection with a username/password.
After hours of poring over google results and the JBoss docs, I think I've got an idea of what needs to change, but what I need is help with specifics. If anyone has done something like this, could you either provide some examples or post some links to information about solving this particular problem?
So far, what I've discovered is: a) there is a jboss-service.xml in [JBOSS_HOME]\server\gemserver \deploy\jmx-invoker-adaptor-server.sar\META-INF that controls the behavior of the remote invoker adaptor. b) Uncommenting the AuthenticationInterceptor descriptor from the invoke operation in the xml causes the Invocation to be authenticated. ---------- <operation> <description>The detached invoker entry point</description> <name>invoke</name> <parameter> <description>The method invocation context</description> <name>invocation</name> <type>org.jboss.invocation.Invocation</type> </parameter> <return-type>java.lang.Object</return-type> <!-- Uncomment to require authenticated users . Also an AuthorizationInterceptor is provided which whill help in authorizing users to make JMX calls at the MBean operations level. You will need to write a class that overrides a method with the signature "public Boolean authorize( Principal caller, Collection roles,String objectname,String opname)" is needed to be defined in the attribute 'authorizingClass' --> <descriptors> <interceptors> <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor" securityDomain="java:/jaas/jmx-console"/> </interceptors> </descriptors>
I have provided the principal and credentials (username/password) to the the connecting app, but for some reason at least the principal is not making it into the Invocation.
Questions: 1) Where are the usernames and passwords supposed to be defined? For the web console they are defined in properties files at [JBOSS_HOME]\server \gemserver\deploy\jmx-console.war\WEB-INF\classes named jmx-console-rolesand jmx-console-users. Is there an equivalent way to define them for the Detached Invoker ?
2) Is this a case where the remote jmx client is not providing the creds? (I think not, and I'm in the process of asking them if thats it)
3) Is there something else I'm supposed to do to require creds be supplied for RMI invocations of mbeans?
subject: Need help implementing security on RMI based JMX console client connection