2 Replies Latest reply on Sep 20, 2006 5:19 AM by Carl Abramsson

    unable to secure jmx invoker

    erich liebmann Newbie

      hi,

      i am trying to secure the jmx invoker as described in the wiki [1] and the "jboss: a developer's notebook" [2] book. i enabled the "AuthenticationInterceptor" in the "jmx-invoker-service.xml" configuration file by uncommented the following interceptor definition for the "invoke" operation of the "jboss.jmx:type=adaptor,name=Invoker" mbean.

      <descriptors>
       <interceptors>
       <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor" securityDomain="java:/jaas/jmx-console"/>
       </interceptors>
      </descriptors>
      


      unfotunately access to the jmx invoker is still granted. in other words, it's still possible to shutdown the server using the shutdown.sh script (without specifying a username/password). furthermore it is possible to terminate the server by accessing the jmx invoker directly via jndi:

      MBeanServerConnection server = (MBeanServerConnection) jndiInitialContext.lookup("jmx/invoker/RMIAdaptor");
      String [] outval = null;
      server.invoke(new ObjectName("jboss.system:type=Server"), "shutdown", new Object[0], outval);
      


      specifying an invalid name for the "AuthenticationInterceptor" class results in an error message which indicates that the interceptor is actually loaded.

      i already tried to define a new security domain exclusively used to protect the jmx invoker. this security domain is, however, not bound to the jndi tree. i suspect that for some reason the AuthenticationIndicator doesn't bind correctly to the security domain specified in the configuration file. using a security domain already in use by the web and jmx console doen't help either even though this security domain already protects the consoles.

      i am running jboss as 4.0.3 sp1 on linux.

      best regards
      erich

      [1] http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureTheInvokers
      [2] http://www.oreilly.com/catalog/jbossadn/

        • 1. Re: unable to secure jmx invoker
          erich liebmann Newbie

          hi,

          i just set the org.jboss and org.jboss.management categories to debug and found out that the following exception occures while deploying the jmx invoker:

          2006-02-01 14:11:48,864 DEBUG [org.jboss.mx.modelmbean.ModelMBeanInvoker] Failed to invoke ctor(MBeanInvoker) for: class org.jboss.jmx.connector.invoker.AuthenticationInterceptor
          java.lang.NoSuchMethodException: org.jboss.jmx.connector.invoker.AuthenticationInterceptor.<init>(org.jboss.mx.server.MBeanInvoker)
           at java.lang.Class.getConstructor0(Class.java:2647)
           at java.lang.Class.getConstructor(Class.java:1629)
           at org.jboss.mx.modelmbean.ModelMBeanInvoker.getInterceptors(ModelMBeanInvoker.java:714)
           at org.jboss.mx.modelmbean.ModelMBeanInvoker.configureInterceptorStack(ModelMBeanInvoker.java:655)
           at org.jboss.mx.modelmbean.XMBean.configureInterceptorStack(XMBean.java:385)
           at org.jboss.mx.modelmbean.ModelMBeanInvoker.init(ModelMBeanInvoker.java:488)
           at org.jboss.mx.modelmbean.ModelMBeanInvoker.invokePreRegister(ModelMBeanInvoker.java:470)
           at org.jboss.mx.server.AbstractMBeanInvoker.preRegister(AbstractMBeanInvoker.java:635)
           at org.jboss.mx.server.registry.BasicMBeanRegistry.invokePreRegister(BasicMBeanRegistry.java:678)
           at org.jboss.mx.server.registry.BasicMBeanRegistry.registerMBean(BasicMBeanRegistry.java:196)
           at sun.reflect.GeneratedMethodAccessor2.invoke(Unknown Source)
           at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
           at java.lang.reflect.Method.invoke(Method.java:585)
           at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:141)
           at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
           at org.jboss.mx.interceptor.AbstractInterceptor.invoke(AbstractInterceptor.java:118)
           at org.jboss.mx.server.Invocation.invoke(Invocation.java:74)
           at org.jboss.mx.interceptor.ModelMBeanOperationInterceptor.invoke(ModelMBeanOperationInterceptor.java:127)
           at org.jboss.mx.server.Invocation.invoke(Invocation.java:74)
           at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:245)
           at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:644)
           at org.jboss.mx.server.MBeanServerImpl$3.run(MBeanServerImpl.java:1407)
           at java.security.AccessController.doPrivileged(Native Method)
           at org.jboss.mx.server.MBeanServerImpl.registerMBean(MBeanServerImpl.java:1402)
           at org.jboss.mx.server.MBeanServerImpl.registerMBean(MBeanServerImpl.java:1335)
           at org.jboss.mx.server.MBeanServerImpl.createMBean(MBeanServerImpl.java:330)
           at org.jboss.system.ServiceCreator.install(ServiceCreator.java:148)
           at org.jboss.system.ServiceConfigurator.internalInstall(ServiceConfigurator.java:431)
           at org.jboss.system.ServiceConfigurator.install(ServiceConfigurator.java:153)
           at org.jboss.system.ServiceController.install(ServiceController.java:215)
           at sun.reflect.GeneratedMethodAccessor8.invoke(Unknown Source)
           at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
           at java.lang.reflect.Method.invoke(Method.java:585)
           at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:141)
           at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
           at org.jboss.mx.server.Invocation.invoke(Invocation.java:72)
           at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:245)
           at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:644)
           at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:176)
           at $Proxy4.install(Unknown Source)
           at org.jboss.deployment.SARDeployer.create(SARDeployer.java:232)
           at org.jboss.deployment.MainDeployer.create(MainDeployer.java:935)
           at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:789)
           at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:753)
           at sun.reflect.GeneratedMethodAccessor9.invoke(Unknown Source)
           at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
           at java.lang.reflect.Method.invoke(Method.java:585)
           at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:141)
           at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
           at org.jboss.mx.interceptor.AbstractInterceptor.invoke(AbstractInterceptor.java:118)
           at org.jboss.mx.server.Invocation.invoke(Invocation.java:74)
           at org.jboss.mx.interceptor.ModelMBeanOperationInterceptor.invoke(ModelMBeanOperationInterceptor.java:127)
           at org.jboss.mx.server.Invocation.invoke(Invocation.java:74)
           at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:245)
           at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:644)
           at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:176)
           at $Proxy6.deploy(Unknown Source)
           at org.jboss.deployment.scanner.URLDeploymentScanner.deploy(URLDeploymentScanner.java:319)
           at org.jboss.deployment.scanner.URLDeploymentScanner.scan(URLDeploymentScanner.java:507)
           at org.jboss.deployment.scanner.AbstractDeploymentScanner$ScannerThread.doScan(AbstractDeploymentScanner.java:192)
           at org.jboss.deployment.scanner.AbstractDeploymentScanner.startService(AbstractDeploymentScanner.java:265)
           at org.jboss.system.ServiceMBeanSupport.jbossInternalStart(ServiceMBeanSupport.java:274)
           at org.jboss.system.ServiceMBeanSupport.jbossInternalLifecycle(ServiceMBeanSupport.java:230)
           at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
           at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
           at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
           at java.lang.reflect.Method.invoke(Method.java:585)
           at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:141)
           at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
           at org.jboss.mx.server.Invocation.invoke(Invocation.java:72)
           at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:245)
           at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:644)
           at org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController.java:943)
           at $Proxy0.start(Unknown Source)
           at org.jboss.system.ServiceController.start(ServiceController.java:428)
           at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
           at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
           at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
           at java.lang.reflect.Method.invoke(Method.java:585)
           at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:141)
           at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
           at org.jboss.mx.server.Invocation.invoke(Invocation.java:72)
           at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:245)
           at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:644)
           at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:176)
           at $Proxy4.start(Unknown Source)
           at org.jboss.deployment.SARDeployer.start(SARDeployer.java:285)
           at org.jboss.deployment.MainDeployer.start(MainDeployer.java:989)
           at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:790)
           at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:753)
           at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:737)
           at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
           at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
           at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
           at java.lang.reflect.Method.invoke(Method.java:585)
           at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:141)
           at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
           at org.jboss.mx.interceptor.AbstractInterceptor.invoke(AbstractInterceptor.java:118)
           at org.jboss.mx.server.Invocation.invoke(Invocation.java:74)
           at org.jboss.mx.interceptor.ModelMBeanOperationInterceptor.invoke(ModelMBeanOperationInterceptor.java:127)
           at org.jboss.mx.server.Invocation.invoke(Invocation.java:74)
           at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:245)
           at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:644)
           at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:176)
           at $Proxy5.deploy(Unknown Source)
           at org.jboss.system.server.ServerImpl.doStart(ServerImpl.java:453)
           at org.jboss.system.server.ServerImpl.start(ServerImpl.java:330)
           at org.jboss.Main.boot(Main.java:187)
           at org.jboss.Main$1.run(Main.java:438)
           at java.lang.Thread.run(Thread.java:595)
          


          since i did not change the AuthenticationInterceptor sources i suspected this might be a bug. any hints?

          best regards
          erich

          • 2. Re: unable to secure jmx invoker
            Carl Abramsson Newbie

            I see the same exception in my 4.0.4GA, but the adaptor seems to be secured.
            I can't use shutdown.bat without setting the correct username and password.