7 Replies Latest reply on Nov 10, 2008 12:45 PM by Anil Saldanha

    securing jboss

    Aleksandar Kostadinov Novice

      Hallo, I'm trying to secure an AS5 server according to instructions http://www.jboss.org/community/docs/DOC-9955

      jmx-console starts asking for a password but I'm still able to control the server through jnp://[host]:1099 and for example shut it down (tested with shutdown.jar).

      Is user supposed to do something else to secure this interface or should this be a bug?

      Thanks!

        • 1. Re: securing jboss
          Peter Johnson Master

          Wrong security document (actually, not even a security document, more of a 'how to test this feature' document), try: http://www.jboss.org/community/docs/DOC-12188

          • 2. Re: securing jboss
            Aleksandar Kostadinov Novice

            Thanks for the pointer.
            I followed instructions from http://www.jboss.org/community/docs/DOC-12189

            Enabling the AuthenticationInterceptor did nothing. I was able to shutdown server without supplying username and password. (btw instruction doesn't differ from the link I initially posted)

            Enabling AuthorizationInterceptor made the shutdown script non-operational - failed with an exception no mather is user is specified or not.

            I wanted to try latest trunk but now shutdown fails with "Exception in thread "main" java.lang.NoClassDefFoundError: org/jboss/system/server/Server" ...

            Unfortunately I can't remember the old revision I was trying with so error messages there are now lost.

            Will wait for an operational trunk and will post again.

            • 3. Re: securing jboss
              Aleksandar Kostadinov Novice

              Actually trying with CR2 I get the same issue:
              1. enabling AuthenticationInterceptor does nothing
              and
              2. enabling AuthorizationInterceptor makes shutdown.sh output:

              Exception in thread "main" java.lang.SecurityException: No active Subject found, add th AuthenticationInterceptor
               at org.jboss.jmx.connector.invoker.AuthorizationInterceptor.checkAuthorization(AuthorizationInterceptor.java:150)
               at org.jboss.jmx.connector.invoker.AuthorizationInterceptor.invoke(AuthorizationInterceptor.java:114)
               at org.jboss.jmx.connector.invoker.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:109)
               at org.jboss.mx.server.Invocation.invoke(Invocation.java:90)
               at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
               at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:668)
               at org.jboss.invocation.jrmp.server.JRMPProxyFactory.invoke(JRMPProxyFactory.java:179)
               at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
               at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
               at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
               at java.lang.reflect.Method.invoke(Method.java:585)
               at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:157)
               at org.jboss.mx.server.Invocation.dispatch(Invocation.java:96)
               at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
               at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
               at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:668)
               at org.jboss.invocation.jrmp.server.JRMPInvoker$MBeanServerAction.invoke(JRMPInvoker.java:815)
               at org.jboss.invocation.jrmp.server.JRMPInvoker.invoke(JRMPInvoker.java:416)
               at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
               at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
               at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
               at java.lang.reflect.Method.invoke(Method.java:585)
               at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:294)
               at sun.rmi.transport.Transport$1.run(Transport.java:153)
               at java.security.AccessController.doPrivileged(Native Method)
               at sun.rmi.transport.Transport.serviceCall(Transport.java:149)
               at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:466)
               at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:707)
               at java.lang.Thread.run(Thread.java:595)
               at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(StreamRemoteCall.java:247)
               at sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:223)
               at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:126)
               at org.jboss.invocation.jrmp.server.JRMPInvoker_Stub.invoke(Unknown Source)
               at org.jboss.invocation.jrmp.interfaces.JRMPInvokerProxy.invoke(JRMPInvokerProxy.java:133)
               at org.jboss.invocation.InvokerInterceptor.invokeInvoker(InvokerInterceptor.java:244)
               at org.jboss.invocation.InvokerInterceptor.invoke(InvokerInterceptor.java:181)
               at org.jboss.jmx.connector.invoker.client.InvokerAdaptorClientInterceptor.invoke(InvokerAdaptorClientInterceptor.java:66)
               at org.jboss.proxy.SecurityInterceptor.invoke(SecurityInterceptor.java:87)
               at org.jboss.proxy.ClientMethodInterceptor.invoke(ClientMethodInterceptor.java:74)
               at org.jboss.proxy.ClientContainer.invoke(ClientContainer.java:101)
               at $Proxy1.invoke(Unknown Source)
               at org.jboss.Shutdown$ServerProxyHandler.invoke(Shutdown.java:270)
               at $Proxy2.shutdown(Unknown Source)
               at org.jboss.Shutdown.main(Shutdown.java:241)


              First there is a typo. It should read "add the AuthenticationInterceptor". But although it's added to the list of interceptors, it doesn't seem to do it's job for some reason.

              See the part with interceptors from my deploy/jmx-invoker-service.xml:
              <interceptors>
               <!-- Uncomment to require authenticated users -->
               <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
               securityDomain="java:/jaas/jmx-console"/>
               <interceptor code="org.jboss.jmx.connector.invoker.AuthorizationInterceptor"
               authorizingClass="org.jboss.jmx.connector.invoker.RolesAuthorization"></interceptor>
               <!-- Interceptor that deals with non-serializable results -->
               <interceptor code="org.jboss.jmx.connector.invoker.SerializableInterceptor"
               policyClass="StripModelMBeanInfoPolicy"/>
               </interceptors>
              


              In the wiki I see that I might need to write securitydomain instead of securityDomain but that ways I get bad deployment errors in server output so that's not a solution. Moreover "securityDomain" works just fine for EAP.

              • 4. Re: securing jboss
                Aleksandar Kostadinov Novice

                The shutdown issue was fixed by JBAS-6174 so I tried with latest trunk. The result is the same.

                • 5. Re: securing jboss
                  Peter Johnson Master

                  You are right. The security on the jmx invoker is broke.

                  • 7. Re: securing jboss
                    Anil Saldanha Master

                    We will take a look as to what broke it.