enable authentication with ConnectorServerFactoryBean



craig
Aug 11th, 2006, 04:28 PM
I need to use ConnectorServerFactoryBean to create the mbeanserver because I need to access jmx behind a firewall, and cannot have the random port thing going.

I set that up with this:
<bean id="mbeanServer" class="org.springframework.jmx.support.MBeanServerFactoryBean">
    <!-- indicate to first look for a server -->
    <property name="locateExistingServerIfPossible" value="true"/>
</bean>

<bean id="serverConnector"
      class="org.springframework.jmx.support.ConnectorServerFactoryBean" destroy-method="destroy">
    <property name="objectName" value="connector:name=rmi"/>
    <property name="serviceUrl"
              value="service:jmx:rmi://localhost:8100/jndi/rmi://localhost:8335/server"/>
    <property name="server" ref="mbeanServer"/>
</bean>

Is there a way that I can enable authentication for this set up? I took a look at acegi and didn't see how I would integrate that. Can I set properties on the ConnectorServerFactoryBean which will enable authentication?

Any ideas would be much appreciated.

Thanks,
Craig

Costin Leau
Aug 16th, 2006, 10:32 AM
Yes you can - just use the normal/standard way which is specifying some properties on the ConnectorFactoryBean:


<!-- create the server connector -->
<bean id="serverConnector" ...
    <property name="environment">
        <props>
            <prop key="java.naming.security.principal">someUser</prop>
            <prop key="java.naming.security.credentials">somePassword</prop>
        </props>
    </property>
</bean>

And btw, you don't have to specify the destroy method - the FactoryBean implements the DisposableBean interface so the method is called automatically by the container.

craig
Aug 20th, 2006, 08:52 PM
I tried what you said specifying those environment variables, but was able to connect with jconsole without specifying credentials.

Here is the command I used to connect via jconsole:
jconsole service:jmx:rmi://localhost:8100/jndi/rmi://localhost:8335/server

Here are what I believe are interesting parts of my set up.

Any help is much appreciated.

craig

<bean id="registry" class="org.springframework.remoting.rmi.RmiRegistryFactoryBean">
    <property name="port" value="8335"/>
</bean>

<bean id="mbeanServer" class="org.springframework.jmx.support.MBeanServerFactoryBean">
    <property name="locateExistingServerIfPossible" value="true"/>
</bean>

<bean id="serverConnector"
      class="org.springframework.jmx.support.ConnectorServerFactoryBean">
    <property name="objectName" value="connector:name=rmi"/>
    <property name="server" ref="mbeanServer"/>
    <property name="serviceUrl" value="service:jmx:rmi://localhost:8100/jndi/rmi://localhost:8335/server"/>
    <property name="environment">
        <props>
            <prop key="java.naming.security.principal">user</prop>
            <prop key="java.naming.security.credentials">pass</prop>
        </props>
    </property>
</bean>

Costin Leau
Aug 28th, 2006, 12:00 AM
My bad, those variables are used when connecting to the server from a client (not when creating a server connector). To enable security for the JDK implementation, take a look at the samples provided with the JDK - the parameters you're interested in are:


-Dcom.sun.management.jmxremote.ssl=true -Dcom.sun.management.jmxremote.authenticate=true


JAAS is used by default and the examples are good in showing how to set up everything.

craig
Sep 5th, 2006, 12:38 AM
I don't think it works that way. The wrinkle is I have to set up the server connector within Spring, because I need to hard code the port the rmi server uses. Otherwise it picks random ports, and that is a problem when outside a firewall.

I need to do this, and then can open those two ports on the firewall.
<property name="serviceUrl" value="service:jmx:rmi://localhost:8100/jndi/rmi://localhost:8335/server" />

I believe the system properties are only used when the JRE sets up the MBean server. If I set up the server connector within Spring they are ignored. All I need to do is specify that service URL within jconsole, and it connects - whether I have the authentication flag system property set or not.

How have others solved this? Seems like a normal use case, needing to access a tomcat instance from behind a firewall with authentication.

Should I be looking at tunneling via ssh instead of the holes in the firewall...and let ssh worry about authentication? Should I be using another transport other than RMI? Can acegi get in the mix here? Does mc4j handle this any better?

Lots of questions, any suggestions would be much appreciated.

craig

jeroevi
Sep 19th, 2006, 10:21 AM
This is my server connector config (took me a while to find it):


<bean id="serverConnector"
      class="org.springframework.jmx.support.ConnectorServerFactoryBean"
      depends-on="registry">
    <!-- property name="objectName" value="connector:name=rmi" / -->
    <property name="serviceUrl"
              value="service:jmx:rmi://localhost/jndi/rmi://localhost:1099/myconnector"/>
    <property name="environment">
        <!-- the following is only valid when the sun jmx implementation is used -->
        <map>
            <entry key="jmx.remote.x.password.file" value="etc/security/jmxremote.password"/>
            <entry key="jmx.remote.x.access.file" value="etc/security/jmxremote.access"/>
        </map>
    </property>
</bean>

The passwd and access file follow the templates that can be found in the C:\jdk1.5.0_03\jre\lib\management folder.

Hope this helps.
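
A way to confirm that the connector configured above really refuses unauthenticated clients, which is the failure craig hit with jconsole earlier in the thread. This is an added example, not code from any poster or from Spring; the class name JmxAuthCheck, the user monitorUser and the file contents shown in the comment are constructed, and the service URL is the one from the post above.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

/**
 * Checks that a JMX connector rejects anonymous clients and accepts a known user.
 * Constructed contents for the two files named in the configuration above:
 *   etc/security/jmxremote.password:   monitorUser  <password-placeholder>
 *   etc/security/jmxremote.access:     monitorUser  readonly
 */
public class JmxAuthCheck {

    /** Returns true if the server accepted the connection, false if it refused it. */
    static boolean canConnect(JMXServiceURL url, String user, String password) {
        Map<String, Object> env = new HashMap<>();
        if (user != null) {
            // The RMI connector expects credentials as a String[] of {user, password}.
            env.put(JMXConnector.CREDENTIALS, new String[] {user, password});
        }
        try (JMXConnector connector = JMXConnectorFactory.connect(url, env)) {
            connector.getMBeanServerConnection().getMBeanCount(); // force a round trip
            return true;
        } catch (SecurityException e) {
            return false; // authentication refused
        } catch (IOException e) {
            throw new IllegalStateException("connector unreachable: " + url, e);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java JmxAuthCheck <user> <password>");
            System.exit(2);
        }
        JMXServiceURL url = new JMXServiceURL(
            "service:jmx:rmi://localhost/jndi/rmi://localhost:1099/myconnector");
        boolean anonymous = canConnect(url, null, null);
        boolean authenticated = canConnect(url, args[0], args[1]);
        System.out.println("anonymous accepted:     " + anonymous);
        System.out.println("authenticated accepted: " + authenticated);
        // Non-zero exit if auth is not enforced or the valid user is rejected.
        System.exit(anonymous || !authenticated ? 1 : 0);
    }
}
```

Run it against the deployed connector after every configuration change; "anonymous accepted: true" means the environment entries were not picked up. Keep the password file readable only by the account that runs the JVM.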

craig
Sep 21st, 2006, 11:12 AM
That did the trick. Thanks a lot for the help, spent a lot of time trying to figure that out, and ended up disabling JMX until you pointed me on the correct path.