Trouble securing RMI connection to MBeans from external JMX
errant01 Jun 27, 2005 11:27 AMHere's my situation, I have an external client providing JMX console services (its MC4J) that connects to my JBoss 3.2.7 app server through RMI. I need to secure this connection with a username/password.
After hours of poring over google results and the JBoss 3.2.x docs, I think I've got an idea of what needs to change, but what I need is help with specifics. If anyone has done something like this, could you either provide some examples or post some links to information about solving this particular problem?
So far, what I've discovered is:
a) there is a jboss-service.xml in [JBOSS_HOME]\server\gemserver \deploy\jmx-invoker-adaptor-server.sar\META-INF that controls the behavior of the remote invoker adaptor.
b) Uncommenting the AuthenticationInterceptor descriptor from the invoke operation in the xml seems to cause the Invocation to be authenticated. (I've removed the AuthorizationInterceptor since all I need is a succesful login, no roles are used at this time)
----------
<operation> <description>The detached invoker entry point</description> <name>invoke</name> <parameter> <description>The method invocation context</description> <name>invocation</name> <type>org.jboss.invocation.Invocation</type> </parameter> <return-type>java.lang.Object</return-type> <!-- Uncomment to require authenticated users . Also an AuthorizationInterceptor is provided which whill help in authorizing users to make JMX calls at the MBean operations level. You will need to write a class that overrides a method with the signature "public Boolean authorize( Principal caller, Collection roles,String objectname,String opname)" is needed to be defined in the attribute 'authorizingClass' --> <descriptors> <interceptors> <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor" securityDomain="java:/jaas/jmx-console"/> </interceptors> </descriptors> </operation>
----------
What I get from the connecting application is an error:
java.lang.RuntimeException: java.lang.SecurityException: Failed to authenticate principal=null, securityDomain=jmx-console
I have provided the principal and credentials (username/password) to the the connecting app, but for some reason the principal is not making it into the Invocation.
Questions:
1) Where are the usernames and passwords supposed to be defined? For the web console they are defined in properties files at [JBOSS_HOME]\server
\gemserver\deploy\jmx-console.war\WEB-INF\classes named jmx-console-rolesand jmx-console-users. Is there an equivalent way to define them for the Detached Invoker ?
2) Is this a case where the remote jmx client is not providing the creds? (I think not, and I'm in the process of asking them if thats it)
3) Is there something else I'm supposed to do to require creds be supplied for RMI invocations of mbeans?