4 Replies Latest reply on Mar 28, 2002 6:08 AM by MR

    Securing the jmx management interface

    Pandu Newbie

      Hi
      I am trying to secure the JMX management console on port 8082. Ideally I would want like a user name/pwd authentication for this and also show only the necessary Mbeans. Any suggestions?
      thanks

        • 1. Re: Securing the jmx management interface
          Adrian Brock Master

          The MBean interface for Sun's adaptor includes something
          for http security.
          This isn't very secure.
          I don't know how to configure it, I haven't investigated. :-(

          I've considered writing a .ear with a JSP/SSL front-end
          over our ejb adaptor to give a more secure approach.
          I haven't got around to it yet.
          My other motivation is to use this project to learn JSP :-)

          Regards,
          Adrian

          • 2. Re: Securing the jmx management interface
            Ben Eng Newbie

            Without a mechanism to secure the admin console, the entire application server is wide open to exploits. This is a pretty serious problem.

            Is there no way of addressing this today, short of completely disabling the "Adaptor:name=html" MBean?

            • 3. Re: Securing the jmx management interface
              Juha Lindfors Master

              The mechanism Adrian was referring to is mentioned in the javadoc of Sun's HTTP Adaptor.

              The HtmlAdaptorServer can perform user authentication. The add/remove user authentication info methods can be used to manage users and their corresponding authentication information. The HTML server uses the 'Basic Authentication Scheme' (as defined in RFC 1945, section 11.1) to authenticate clients connecting to the server.


              public void addUserAuthenticationInfo(AuthInfo authinfo)
              Adds the authentication information of the user to be authenticated by this server. In order to populate the list of users supported by this server, invoke this method for each user you want to add. If the user already exists, then update his authentication information.


              And as he said, it isn't terribly secure, so I would still recommend it only to be used from within a firewall that blocks outsiders trying to get to port 8082.

              • 4. Re: Securing the jmx management interface
                MR Newbie

                I created a MBean which registers the SUM JmxHtmlAdaptor with security turned on.

                You can find mine as a patch in sourceforg:

                http://sourceforge.net/tracker/?func=detail&atid=376687&aid=533737&group_id=22866

                --Marcus