2 Replies Latest reply on Oct 13, 2004 9:09 AM by Craig Berry

    Looking up JMX server through JNDI poisons security

    Craig Berry Newbie

      I have an extraordinarily weird problem with an interaction between JMX, JNDI, and security in JBoss 3.2.5.

      In the working version of my app, we look up mbeans from servlets and EJBs using this code to get the mbean server:

      return (MBeanServer) MBeanServerFactory.findMBeanServer(null).get(0);
      


      This works as expected. However, I want to move to a clustered JBoss setup, so I need to be able to use the HASingleton lookup pattern for global mbeans. I decided to try this on a single system first, using simple JNDI lookup to get the RMIAdaptor (which offers the same methods as MBeanServer):

      InitialContext ctx = new InitialContext();
      return (RMIAdaptor) ctx.lookup("jmx/invoker/RMIAdaptor");
      


      That appears to work fine, too, in the sense that I get an mbean server object back and can perform operations on it invoking mbean operations.

      However, if I use the JNDI form, suddenly the transfer of JAAS authentication info from my servlet to my EJB tier stops working for subsequent calls! All attempts to access EJBs requiring a particular role fail with principal=null errors. If I swap my mbean server lookup strategy back, then bean lookups requiring security start working again.

      I am at my wit's end on this. I can't imagine how the mbean server lookup through JNDI can possibly be "poisoning" my EJB lookups, yet it's happening with 100% reproducibility.

      Any help understanding and fixing this problem would be greatly appreciated!