7 Replies Latest reply on Nov 10, 2008 12:45 PM by anil.saldhana

    securing jboss

    akostadinov

      Hello, I'm trying to secure an AS5 server according to the instructions at http://www.jboss.org/community/docs/DOC-9955

      jmx-console starts asking for a password, but I'm still able to control the server through jnp://[host]:1099 and, for example, shut it down (tested with shutdown.jar).

      Is the user supposed to do something else to secure this interface, or should this be considered a bug?

      Thanks!

        • 1. Re: securing jboss
          peterj

          Wrong security document (actually, not even a security document, more of a 'how to test this feature' document), try: http://www.jboss.org/community/docs/DOC-12188

          • 2. Re: securing jboss
            akostadinov

            Thanks for the pointer.
            I followed instructions from http://www.jboss.org/community/docs/DOC-12189

            Enabling the AuthenticationInterceptor did nothing. I was able to shut down the server without supplying a username and password. (btw the instructions don't differ from the link I initially posted)

            Enabling the AuthorizationInterceptor made the shutdown script non-operational: it failed with an exception no matter whether a user was specified or not.

            I wanted to try the latest trunk, but now shutdown fails with "Exception in thread "main" java.lang.NoClassDefFoundError: org/jboss/system/server/Server" ...

            Unfortunately I can't remember the old revision I was trying with, so the error messages from there are now lost.

            Will wait for an operational trunk and will post again.

            • 3. Re: securing jboss
              akostadinov

              Actually trying with CR2 I get the same issue:
              1. enabling AuthenticationInterceptor does nothing
              and
              2. enabling AuthorizationInterceptor makes shutdown.sh output:

              Exception in thread "main" java.lang.SecurityException: No active Subject found, add th AuthenticationInterceptor
               at org.jboss.jmx.connector.invoker.AuthorizationInterceptor.checkAuthorization(AuthorizationInterceptor.java:150)
               at org.jboss.jmx.connector.invoker.AuthorizationInterceptor.invoke(AuthorizationInterceptor.java:114)
               at org.jboss.jmx.connector.invoker.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:109)
               at org.jboss.mx.server.Invocation.invoke(Invocation.java:90)
               at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
               at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:668)
               at org.jboss.invocation.jrmp.server.JRMPProxyFactory.invoke(JRMPProxyFactory.java:179)
               at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
               at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
               at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
               at java.lang.reflect.Method.invoke(Method.java:585)
               at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:157)
               at org.jboss.mx.server.Invocation.dispatch(Invocation.java:96)
               at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
               at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
               at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:668)
               at org.jboss.invocation.jrmp.server.JRMPInvoker$MBeanServerAction.invoke(JRMPInvoker.java:815)
               at org.jboss.invocation.jrmp.server.JRMPInvoker.invoke(JRMPInvoker.java:416)
               at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
               at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
               at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
               at java.lang.reflect.Method.invoke(Method.java:585)
               at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:294)
               at sun.rmi.transport.Transport$1.run(Transport.java:153)
               at java.security.AccessController.doPrivileged(Native Method)
               at sun.rmi.transport.Transport.serviceCall(Transport.java:149)
               at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:466)
               at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:707)
               at java.lang.Thread.run(Thread.java:595)
               at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(StreamRemoteCall.java:247)
               at sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:223)
               at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:126)
               at org.jboss.invocation.jrmp.server.JRMPInvoker_Stub.invoke(Unknown Source)
               at org.jboss.invocation.jrmp.interfaces.JRMPInvokerProxy.invoke(JRMPInvokerProxy.java:133)
               at org.jboss.invocation.InvokerInterceptor.invokeInvoker(InvokerInterceptor.java:244)
               at org.jboss.invocation.InvokerInterceptor.invoke(InvokerInterceptor.java:181)
               at org.jboss.jmx.connector.invoker.client.InvokerAdaptorClientInterceptor.invoke(InvokerAdaptorClientInterceptor.java:66)
               at org.jboss.proxy.SecurityInterceptor.invoke(SecurityInterceptor.java:87)
               at org.jboss.proxy.ClientMethodInterceptor.invoke(ClientMethodInterceptor.java:74)
               at org.jboss.proxy.ClientContainer.invoke(ClientContainer.java:101)
               at $Proxy1.invoke(Unknown Source)
               at org.jboss.Shutdown$ServerProxyHandler.invoke(Shutdown.java:270)
               at $Proxy2.shutdown(Unknown Source)
               at org.jboss.Shutdown.main(Shutdown.java:241)


              First there is a typo. It should read "add the AuthenticationInterceptor". But although it's added to the list of interceptors, it doesn't seem to do its job for some reason.

              See the part with interceptors from my deploy/jmx-invoker-service.xml:

               <interceptors>
                 <!-- Uncomment to require authenticated users -->
                 <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
                              securityDomain="java:/jaas/jmx-console"/>
                 <interceptor code="org.jboss.jmx.connector.invoker.AuthorizationInterceptor"
                              authorizingClass="org.jboss.jmx.connector.invoker.RolesAuthorization"/>
                 <!-- Interceptor that deals with non-serializable results -->
                 <interceptor code="org.jboss.jmx.connector.invoker.SerializableInterceptor"
                              policyClass="StripModelMBeanInfoPolicy"/>
               </interceptors>


              In the wiki I see that I might need to write securitydomain instead of securityDomain, but that way I get bad deployment errors in the server output, so that's not a solution. Moreover, "securityDomain" works just fine for EAP.
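As an added example (not from this thread or from JBoss), a small Python audit that checks whether the interceptor chain in a jmx-invoker-service.xml actually activates both security interceptors, with the AuthenticationInterceptor ahead of the AuthorizationInterceptor as the "No active Subject found" exception above requires. The two XML samples are constructed: one mirrors the configuration posted above, the other the shipped default in which the security interceptors are still inside an XML comment.

```python
import xml.etree.ElementTree as ET

AUTHN = "org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
AUTHZ = "org.jboss.jmx.connector.invoker.AuthorizationInterceptor"

# Constructed sample: security interceptors still commented out, so the
# JRMP invoker accepts unauthenticated MBean calls (e.g. shutdown).
DEFAULT_UNSECURED = """<interceptors>
 <!-- Uncomment to require authenticated users
 <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
 securityDomain="java:/jaas/jmx-console"/>
 -->
 <interceptor code="org.jboss.jmx.connector.invoker.SerializableInterceptor"
 policyClass="StripModelMBeanInfoPolicy"/>
</interceptors>"""

# Constructed sample mirroring the configuration posted in the thread.
SECURED = """<interceptors>
 <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
 securityDomain="java:/jaas/jmx-console"/>
 <interceptor code="org.jboss.jmx.connector.invoker.AuthorizationInterceptor"
 authorizingClass="org.jboss.jmx.connector.invoker.RolesAuthorization"/>
 <interceptor code="org.jboss.jmx.connector.invoker.SerializableInterceptor"
 policyClass="StripModelMBeanInfoPolicy"/>
</interceptors>"""


def audit_interceptors(xml_text):
    """Return a list of findings; an empty list means the chain looks sound."""
    root = ET.fromstring(xml_text)
    # Accept either the bare <interceptors> element or a whole descriptor.
    node = root if root.tag == "interceptors" else root.find(".//interceptors")
    if node is None:
        return ["no <interceptors> element found"]
    # ElementTree drops XML comments, so only *active* interceptors remain;
    # a commented-out interceptor therefore shows up as missing.
    active = node.findall("interceptor")
    codes = [i.get("code") for i in active]
    findings = []
    if AUTHN not in codes:
        findings.append("AuthenticationInterceptor not active (commented out or missing)")
    elif not active[codes.index(AUTHN)].get("securityDomain"):
        # Attribute name as used in the posted configuration.
        findings.append("AuthenticationInterceptor has no securityDomain attribute")
    if AUTHZ not in codes:
        findings.append("AuthorizationInterceptor not active: any authenticated caller may invoke")
    elif AUTHN in codes and codes.index(AUTHZ) < codes.index(AUTHN):
        findings.append("AuthorizationInterceptor precedes AuthenticationInterceptor: no Subject is set yet")
    return findings
```

Run it against the real deploy/jmx-invoker-service.xml to confirm the interceptors are active rather than merely present in a comment, which is the easy mistake when following the wiki.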

              • 4. Re: securing jboss
                akostadinov

                The shutdown issue was fixed by JBAS-6174 so I tried with latest trunk. The result is the same.

                • 5. Re: securing jboss
                  peterj

                  You are right. The security on the jmx invoker is broken.

                  • 6. Re: securing jboss
                    akostadinov
                    • 7. Re: securing jboss
                      anil.saldhana

                      We will take a look as to what broke it.