1 Reply Latest reply on May 30, 2006 2:54 PM by tgideon

    Trouble securing RMI connection to MBeans from external JMX

    errant01
    errant01 Jun 27, 2005 11:27 AM

      Here's my situation, I have an external client providing JMX console services (its MC4J) that connects to my JBoss 3.2.7 app server through RMI. I need to secure this connection with a username/password.

      After hours of poring over google results and the JBoss 3.2.x docs, I think I've got an idea of what needs to change, but what I need is help with specifics. If anyone has done something like this, could you either provide some examples or post some links to information about solving this particular problem?

      So far, what I've discovered is:
      a) there is a jboss-service.xml in [JBOSS_HOME]\server\gemserver \deploy\jmx-invoker-adaptor-server.sar\META-INF that controls the behavior of the remote invoker adaptor.
      b) Uncommenting the AuthenticationInterceptor descriptor from the invoke operation in the xml seems to cause the Invocation to be authenticated. (I've removed the AuthorizationInterceptor since all I need is a succesful login, no roles are used at this time)
      ----------

      <operation>
 <description>The detached invoker entry point</description>
 <name>invoke</name>
 <parameter>
 <description>The method invocation context</description>
 <name>invocation</name>
 <type>org.jboss.invocation.Invocation</type>
 </parameter>
 <return-type>java.lang.Object</return-type>
 <!-- Uncomment to require authenticated users . Also an AuthorizationInterceptor
 is provided which whill help in authorizing users to make JMX calls at the
 MBean operations level. You will need to write a class that overrides a method
 with the signature
 "public Boolean authorize( Principal caller, Collection roles,String objectname,String opname)"
 is needed to be defined in the attribute 'authorizingClass' -->
 <descriptors>
 <interceptors>
 <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor" securityDomain="java:/jaas/jmx-console"/>
 </interceptors>
 </descriptors>
</operation>

      ----------
      What I get from the connecting application is an error:
      java.lang.RuntimeException: java.lang.SecurityException: Failed to authenticate principal=null, securityDomain=jmx-console

      I have provided the principal and credentials (username/password) to the the connecting app, but for some reason the principal is not making it into the Invocation.

      Questions:
      1) Where are the usernames and passwords supposed to be defined? For the web console they are defined in properties files at [JBOSS_HOME]\server
      \gemserver\deploy\jmx-console.war\WEB-INF\classes named jmx-console-rolesand jmx-console-users. Is there an equivalent way to define them for the Detached Invoker ?

      2) Is this a case where the remote jmx client is not providing the creds? (I think not, and I'm in the process of asking them if thats it)

      3) Is there something else I'm supposed to do to require creds be supplied for RMI invocations of mbeans?

      • 3754 Views
      • Tags:
        • 1. Re: Trouble securing RMI connection to MBeans from external
          tgideon
          tgideon May 30, 2006 2:54 PM (in response to errant01)

          I am having this exact same problem, buth with 4.0.3SP1. My additional question, since the JMX invoker works fine with the shutdown.sh script when I have enabled security, is whether this is a JBoss problem or an MC4J problem? I am suspecting the latter, that for whatever reasons, MC4J is not correctly capturing the principal from its property editor.

            • Actions