Spring JMX and OC4J/10g r3, Unauthorized access from application

Anyone managed to use the mbean exporter in Spring to create MBeans in the OC4J MBeanServer?

The same thing works no problem in JBoss.

I'm getting the following.

java.lang.SecurityException: Unauthorized access from application: ice-crem to MBean: java.lang:type=ClassLoading
at oracle.oc4j.admin.jmx.shared.UserMBeanServer.check RegisterAccess(UserMBeanServer.java:873)
at oracle.oc4j.admin.jmx.shared.UserMBeanServer.regis terMBean(UserMBeanServer.java:400)
at oracle.oc4j.admin.jmx.server.state.LocalizationFil terMBeanServer.registerMBean(LocalizationFilterMBe anServer.java:341)
at sun.management.ManagementFactory$1.run(ManagementF actory.java:240)
at java.security.AccessController.doPrivileged(Native Method)

I got this exception using the "autodetect=true" property from MBeanExporter. There is still an issue, I don,t know if from Spring side or OC4J. I workarounded it using autodetect=false and explicitly defining my MBeans with

Code:

---

                <property name="beans">
              <map>
                <entry key=":name=theBeanName" value-ref="theBean"/>
              </map>
            </property>

---

take look in this post

Umm....nope. Still get error.

Looks like yet another special "feature" in an Oracle product.

I am pretty sure that I also don't want to define my own MBeanServer. I want to use JMX as the communication mechanism between components deployed into OC4J/10gR3.

I'll give that a try anyway, i.e. deploying own MBeanServer.

I'm also not specifying the VM startup params for JMX, i.e. where the JDK starts an MBeanServer since I figure that I want to communicate with the one started by OC4J/10gR3.

Anyone?

You can also try adding a default domain to your "application" MBeans

<bean id="MBeanServer"
class="org.springframework.jmx.support.MBeanServer FactoryBean">
<property name="defaultDomain" value="PetClinic"/>
</bean>

JIM

Did you ever get something working in 10gAS R3? If so could you a post a summary of the solution here?

I'm trying to do the same thing. My JMX beans work fine under JBoss, but under 10gAS R3 I get:

oracle.oc4j.admin.internal.DeployerException: org.springframework.beans.factory.BeanCreationExce ption: Error creating bean with name 'exporter' defined in ServletContext resource [/WEB-INF/applicationContext.xml]: Initialization of bean failed; nested exception is org.springframework.jmx.MBeanServerNotFoundExcepti on: Unable to locate an MBeanServer instance
07/02/21 10:56:39 at oracle.oc4j.admin.internal.WebApplicationBinder.bi ndWebApp(WebApplicationBinder.java:214)
07/02/21 10:56:39 at oracle.oc4j.admin.internal.WebApplicationBinder.bi ndWebApp(WebApplicationBinder.java:96)
07/02/21 10:56:39 at oracle.oc4j.admin.internal.ApplicationDeployer.bin dWebApp(ApplicationDeployer.java:541)
07/02/21 10:56:39 at oracle.oc4j.admin.internal.ApplicationDeployer.doD eploy(ApplicationDeployer.java:197)
07/02/21 10:56:39 at oracle.oc4j.admin.internal.DeployerBase.execute(De ployerBase.java:93)
07/02/21 10:56:39 at oracle.oc4j.admin.jmx.server.mbeans.deploy.OC4JDep loyerRunnable.doRun(OC4JDeployerRunnable.java:52)
07/02/21 10:56:39 at oracle.oc4j.admin.jmx.server.mbeans.deploy.Deploye rRunnable.run(DeployerRunnable.java:81)
07/02/21 10:56:39 at EDU.oswego.cs.dl.util.concurrent.PooledExecutor$Wo rker.run(PooledExecutor.java:819)
07/02/21 10:56:39 at java.lang.Thread.run(Thread.java:595)

Looking at the Oracle AS documentation, applications have to call MBeanServerFactory.newBeanServer() with no specified domain. The applications can only use the default domain of this server instance to register beans, otherwise it throws a Security Exception. This domain is the application's "namespace", entered when deploying a .war/.ear file using the 10gAS Enterprise Manager deployment screens.

I've solved this myself, so I'll post the solution here that might be of interest to others. Another issue I had is that I need one application context configuration to work under both JBoss and 10gAS.

Using the MBeanServerFactoryBean with locateExistingServerIfPossible set to true solves the MBeanServer instantiation issue (but still works on JBoss).

To get around the domain security problem, register beans with no domain (it will then use the default domain). For example, I have defined "jmx.domain" in an external property file. For JBoss, this needs to be set to something descriptive and unique. For 10gAS, this setting needs to be blank.

My application context looks like:

Code:

---

<bean id="mbeanserver" class="org.springframework.jmx.support.MBeanServerFactoryBean">
  <property name="locateExistingServerIfPossible" value="true"/>
</bean>
 
<bean id="exporter" class="org.springframework.jmx.export.MBeanExporter" lazy-init="false">
  <property name="server" ref="mbeanserver"/>
  <property name="beans">
    <map>
      <entry key="${jmx.domain}:name=Monitoring" value-ref="monitoring"/>
      <entry key="${jmx.domain}:name=Caching" value-ref="caching"/>
      <entry key="${jmx.domain}:name=Configuration" value-ref="configuration"/>
    </map>
  </property>
</bean>

---

I can confirm this works under JBoss 4.0.4 and Oracle 10g R3 AS (10.1.3.0.0)

By the way, my solution listed in my last post works in Spring 1.2.5, but not in Spring 2.0.2. The issue is that Spring 2.x falls back to attempting to use the Java SE 5 Platform MBeanServer, before deciding to create a new MBeanServer. This throws a security exception.

This is bad - JMX is on my task list in the next week - and guess what "favorite" AppServer we are using: OC4J ...


Any news on this?

Quote:

---

Originally Posted by ArtMotion

This is bad - JMX is on my task list in the next week - and guess what "favorite" AppServer we are using: OC4J ...


Any news on this?

---

I reported the Spring 2.0.2 issue as a fault (SPR-3226) which Juergen very promptly fixed in Spring 2.0.3.

Another "gotcha" I found - in 10gAS the default MBean domain applies to an entire application (.ear file) not per .war/.jar (inside a single .ear file). So if you have MBeans with the same name you will need to add a suffix to make the name unique ;)

Are you using the magic command...

-Doc4j.jmx.security.proxy.off=true

as a VM argument.