3 Replies Latest reply on Apr 7, 2007 4:24 AM by rzorzorzo

    fine grain authorisation with JSR 160


      hi all,

      I have been reading the following doc about JSR 160. The major point being the fine grain authorisation based at the MBeans level.

      This JSR depends on features introduced in the 1.2 version of the JMX API. Proxies simplify client-side programming. Per-MBean permissions provide fine-grained security control on the server side.


      I cant seem to find any examples doing this with JBossMX.

      So firstly does JBossMX support JSR 160?
      If not i want to plug in another web console like ajax4jmx and somehow utilise security realm on the web console.

      any help or ideas are most appreciated.


        • 1. Re: fine grain authorisation with JSR 160

          JBossMX does not implement JSR160, however, when you use jdk5 you should be able to use the jdk5 implementation of jsr160. I'm not aware of some examples how to do this, expect maybe for using jconsole to connect to a jvm running jboss. If you look in the wiki you'll find a couple of examples for this.

          • 2. Re: fine grain authorisation with JSR 160

            i really need a JMX web based console not a remote client console.

            how can one achieve fine grain authorisation using JBossMX and a 3rd party web console?

            by fine grain authoristion i mean, user 'A' can only modify attribute 'a' on MBean 'AA' but read all other attributes on MBean 'A'.

            I was hoping to utilise the existing security and roles for other web application running on JBoss. However it seems that web-console will need to implement the authorisation itself. Is that reasonable?


            can the JBossMX be replaced by a 3rd party JMX server that does offer JSR160 security?

            how have other solved authorisation issues on JBossMX?

            many thanks


            • 3. Re: fine grain authorisation with JSR 160

              using http://sourceforge.net/project/stats/?group_id=143425&ugn=rzomx
              you can connect to jboss using rmi.
              all mbeans of jboss are then transparently visible in rzomx and you may invoke all operations as if the mbeans were within rzomx. the only difference is that the domain of the mbean will have a prefix: <some name>/<jboss-domain>.

              since rzomx is based on mx4j you may use the security of jsr160.

              within rzomx you may use any of the http adapters available. for example mx4j http adapter, rzomx http adapter, ajax4jmx.

              if you have further questions post them on the rzomx site.