JMX Authentication with Spring Security (3.1.x)

Printable View

Jan 24th, 2013, 01:41 AM
northernpole

JMX Authentication with Spring Security (3.1.x)

Hi,

I have a JMX server configured without Spring and am trying to implement Spring Security for the Authorization part.
(See here, https://blogs.oracle.com/lmalventosa..._authorization
Use Case 4, without the Authorization part)

I would like now to implement the Authorization part using Spring Security.

In my JMX authenticator, I do:

Code:

final List<GrantedAuthority> roles = new ArrayList<GrantedAuthority>(); roles.add(new SimpleGrantedAuthority("ROLE_ADMIN")); final Authentication auth = new UsernamePasswordAuthenticationToken(credentialsArr[0], credentialsArr[1], roles); SecurityContextHolder.getContext().setAuthentication(auth);

And in the MBeans I try to fetch it and see that it has been passed correctly (in the future I plan to add Spring Annotations to check for roles, for method invocation).

Code:

final Authentication springAuth = SecurityContextHolder.getContext().getAuthentication();

The problem is, that in the standard connection flow:

Code:

JMXServiceURL url = ...; Map env = ...; String[] creds = {"monitorRole", "mrpasswd", "FileRealm"}; env.put(JMXConnector.CREDENTIALS, creds); JMXConnector cc = JMXConnectorFactory.connect(url, env); MBeanServerConnection mbsc = cc.getMBeanServerConnection();

I get a JMX connector, then connect to the MBean server and invoke a method - it works.
I get through the authenticator, set the Spring Context and get it in the Mbean.

But when I connect using a Jconsole, for example, I don't get the Spring Context in the Mbean.

I am using the Inheritable Thread strategy.

1. Is there a way to get the context also in the MBean, when connecting using the JConsole and other connectors?
2. If I implement JMX using Spring, will it help me to solve the problem?
3. Is my main flow fool proof (is there a chance I will not get the Context in the MBean)? I am asking this, since this flow is critical to me, to be fool proof.

Thanks a lot!
Jan 31st, 2013, 03:01 AM
northernpole

Guys, would be happy to get an answer, if someone knows.

Thanks!
Feb 4th, 2013, 12:31 PM
wims.tijd

check my solution http://forum.springsource.org/showth...ver-(JConsole)
Feb 4th, 2013, 01:40 PM
northernpole

Quote:

Originally Posted by wims.tijd

check my solution http://forum.springsource.org/showth...ver-(JConsole)

Thanks a lot!
I have actually seen this solution, but I was wondering if there is another way (something that isn't a workaround to make Spring to work).

I have a question, though, regarding this solution:
Why do you keep a registry? Why don't you use the Authentication object you pass in the Subject?

Thanks a lot again!
Feb 6th, 2013, 07:41 AM
northernpole

Quote:

Originally Posted by northernpole

Thanks a lot!
I have actually seen this solution, but I was wondering if there is another way (something that isn't a workaround to make Spring to work).

I have a question, though, regarding this solution:
Why do you keep a registry? Why don't you use the Authentication object you pass in the Subject?

Thanks a lot again!

May I also add an additional question:
How do you define a pointcut on the MBeanServer invoke method that actually works?
The code you suggested doesn't work with pure Spring AOP, unfortunately.

Thanks!
Feb 15th, 2013, 02:31 AM
wims.tijd

@northernpole

I kept a registry to hold on to the authenticated Authentication for subsequent calls,
this was a quick way, there can be other logic of course;

For the aop advice : have to defined ?

Code:

<context:mbean-server id="jmx.server"/>