Spring JMX and OC4J/10g r3, Unauthorized access from application [Archive]

View Full Version : Spring JMX and OC4J/10g r3, Unauthorized access from application

gmatthews

Aug 10th, 2006, 12:21 AM

Anyone managed to use the mbean exporter in Spring to create MBeans in the OC4J MBeanServer?

The same thing works no problem in JBoss.

I'm getting the following.

java.lang.SecurityException: Unauthorized access from application: ice-crem to MBean: java.lang:type=ClassLoading
at oracle.oc4j.admin.jmx.shared.UserMBeanServer.check RegisterAccess(UserMBeanServer.java:873)
at oracle.oc4j.admin.jmx.shared.UserMBeanServer.regis terMBean(UserMBeanServer.java:400)
at oracle.oc4j.admin.jmx.server.state.LocalizationFil terMBeanServer.registerMBean(LocalizationFilterMBe anServer.java:341)
at sun.management.ManagementFactory$1.run(ManagementF actory.java:240)
at java.security.AccessController.doPrivileged(Native Method)

ragnarokkrr

Aug 10th, 2006, 02:27 PM

I got this exception using the "autodetect=true" property from MBeanExporter. There is still an issue, I don,t know if from Spring side or OC4J. I workarounded it using autodetect=false and explicitly defining my MBeans with

<property name="beans">
<map>
<entry key=":name=theBeanName" value-ref="theBean"/>
</map>
</property>

take look in this post (http://forum.springframework.org/showthread.php?t=27935)

gmatthews

Aug 10th, 2006, 06:01 PM

Umm....nope. Still get error.

Looks like yet another special "feature" in an Oracle product.

I am pretty sure that I also don't want to define my own MBeanServer. I want to use JMX as the communication mechanism between components deployed into OC4J/10gR3.

I'll give that a try anyway, i.e. deploying own MBeanServer.

I'm also not specifying the VM startup params for JMX, i.e. where the JDK starts an MBeanServer since I figure that I want to communicate with the one started by OC4J/10gR3.

Anyone?

slimslenderslacks

Oct 6th, 2006, 07:58 PM

You can also try adding a default domain to your "application" MBeans

<bean id="MBeanServer"
class="org.springframework.jmx.support.MBeanServerFactory Bean">
<property name="defaultDomain" value="PetClinic"/>
</bean>

JIM

nappinc

Feb 21st, 2007, 05:07 AM

Did you ever get something working in 10gAS R3? If so could you a post a summary of the solution here?

I'm trying to do the same thing. My JMX beans work fine under JBoss, but under 10gAS R3 I get:

oracle.oc4j.admin.internal.DeployerException: org.springframework.beans.factory.BeanCreationExce ption: Error creating bean with name 'exporter' defined in ServletContext resource [/WEB-INF/applicationContext.xml]: Initialization of bean failed; nested exception is org.springframework.jmx.MBeanServerNotFoundExcepti on: Unable to locate an MBeanServer instance
07/02/21 10:56:39 at oracle.oc4j.admin.internal.WebApplicationBinder.bi ndWebApp(WebApplicationBinder.java:214)
07/02/21 10:56:39 at oracle.oc4j.admin.internal.WebApplicationBinder.bi ndWebApp(WebApplicationBinder.java:96)
07/02/21 10:56:39 at oracle.oc4j.admin.internal.ApplicationDeployer.bin dWebApp(ApplicationDeployer.java:541)
07/02/21 10:56:39 at oracle.oc4j.admin.internal.ApplicationDeployer.doD eploy(ApplicationDeployer.java:197)
07/02/21 10:56:39 at oracle.oc4j.admin.internal.DeployerBase.execute(De ployerBase.java:93)
07/02/21 10:56:39 at oracle.oc4j.admin.jmx.server.mbeans.deploy.OC4JDep loyerRunnable.doRun(OC4JDeployerRunnable.java:52)
07/02/21 10:56:39 at oracle.oc4j.admin.jmx.server.mbeans.deploy.Deploye rRunnable.run(DeployerRunnable.java:81)
07/02/21 10:56:39 at EDU.oswego.cs.dl.util.concurrent.PooledExecutor$Wo rker.run(PooledExecutor.java:819)
07/02/21 10:56:39 at java.lang.Thread.run(Thread.java:595)

Looking at the Oracle AS documentation, applications have to call MBeanServerFactory.newBeanServer() with no specified domain. The applications can only use the default domain of this server instance to register beans, otherwise it throws a Security Exception. This domain is the application's "namespace", entered when deploying a .war/.ear file using the 10gAS Enterprise Manager deployment screens.

nappinc

Feb 21st, 2007, 06:34 AM

I've solved this myself, so I'll post the solution here that might be of interest to others. Another issue I had is that I need one application context configuration to work under both JBoss and 10gAS.

Using the MBeanServerFactoryBean with locateExistingServerIfPossible set to true solves the MBeanServer instantiation issue (but still works on JBoss).

To get around the domain security problem, register beans with no domain (it will then use the default domain). For example, I have defined "jmx.domain" in an external property file. For JBoss, this needs to be set to something descriptive and unique. For 10gAS, this setting needs to be blank.

My application context looks like:

<bean id="mbeanserver" class="org.springframework.jmx.support.MBeanServerFactory Bean">
<property name="locateExistingServerIfPossible" value="true"/>
</bean>

<bean id="exporter" class="org.springframework.jmx.export.MBeanExporter" lazy-init="false">
<property name="server" ref="mbeanserver"/>
<property name="beans">
<map>
<entry key="${jmx.domain}:name=Monitoring" value-ref="monitoring"/>
<entry key="${jmx.domain}:name=Caching" value-ref="caching"/>
<entry key="${jmx.domain}:name=Configuration" value-ref="configuration"/>
</map>
</property>
</bean>

I can confirm this works under JBoss 4.0.4 and Oracle 10g R3 AS (10.1.3.0.0)

nappinc

Mar 2nd, 2007, 04:50 AM

By the way, my solution listed in my last post works in Spring 1.2.5, but not in Spring 2.0.2. The issue is that Spring 2.x falls back to attempting to use the Java SE 5 Platform MBeanServer, before deciding to create a new MBeanServer. This throws a security exception.

ArtMotion

Mar 22nd, 2007, 08:56 AM

This is bad - JMX is on my task list in the next week - and guess what "favorite" AppServer we are using: OC4J ...

Any news on this?

nappinc

Mar 22nd, 2007, 09:08 AM

This is bad - JMX is on my task list in the next week - and guess what "favorite" AppServer we are using: OC4J ...

Any news on this?

I reported the Spring 2.0.2 issue as a fault (SPR-3226) which Juergen very promptly fixed in Spring 2.0.3.

Another "gotcha" I found - in 10gAS the default MBean domain applies to an entire application (.ear file) not per .war/.jar (inside a single .ear file). So if you have MBeans with the same name you will need to add a suffix to make the name unique ;)

gmatthews

Mar 26th, 2007, 12:50 AM

Are you using the magic command...

-Doc4j.jmx.security.proxy.off=true

as a VM argument.

DnlCY

Sep 18th, 2007, 12:48 PM

Are you using the magic command...

-Doc4j.jmx.security.proxy.off=true

as a VM argument.

I had similar problem and this command was the solution. Tnks

bchi49

Jun 11th, 2009, 08:23 AM

What's the alternative to using the command line? thanks. Is there something that needs to be done on the deployment descriptor or security settings?

gmatthews

Jun 11th, 2009, 06:17 PM

Just guessing, but since it's just a -D param, you could possibly also set it programmatically, e.g. System.getProperties().put("oc4j.jmx.security.proxy.off", "true");

however haven't tried that, and not sure if it would work -- depends on how early in the startup process you manage to programmatically set it.

bchi49

Jun 11th, 2009, 06:24 PM

I tried something like that via OC4J enterprise manager, but I think it's too late at that point.

I want to avoid disabling that security feature if possible, but not sure how to configure spring to login to the JMX Bean server.