
Thread: enable authentication with ConnectorServerFactoryBean

  1. #1
    Join Date
    Dec 2004
    Location
    Vancouver, BC
    Posts
    80

    enable authentication with ConnectorServerFactoryBean

    I need to use ConnectorServerFactoryBean to create the mbeanserver because I need to access jmx behind a firewall, and cannot have the random port thing going.

    I set that up with this:
    <bean id="mbeanServer" class="org.springframework.jmx.support.MBeanServerFactoryBean">
    <!-- indicate to first look for a server -->
    <property name="locateExistingServerIfPossible" value="true"/>
    </bean>

    <bean id="serverConnector"
    class="org.springframework.jmx.support.ConnectorServerFactoryBean" destroy-method="destroy">
    <property name="objectName" value="connector:name=rmi"/>
    <property name="serviceUrl"
    value="service:jmx:rmi://localhost:8100/jndi/rmi://localhost:8335/server"/>
    <property name="server" ref="mbeanServer"/>
    </bean>

    Is there a way that I can enable authentication for this set up? I took a look at acegi and didn't see how I would integrate that. Can I set properties on the ConnectorServerFactoryBean which will enable authentication?

    Any ideas would be much appreciated.

    Thanks,
    Craig

  2. #2
    Join Date
    Jan 2005
    Location
    Bucharest, Romania
    Posts
    5,403

    Yes you can - just use the normal/standard way which is specifying some properties on the ConnectorFactoryBean:

    <!-- create the server connector -->
    <bean id="serverConnector" ...
    <property name="environment">
    <props>
    <prop key="java.naming.security.principal">someUser</prop>
    <prop key="java.naming.security.credentials">somePassword</prop>
    </props>
    </property>
    </bean>
    And btw, you don't have to specify the destroy method - the FactoryBean implements the DisposableBean interface so the method is called automatically by the container.
    Costin Leau
    SpringSource - http://www.SpringSource.com- Spring Training, Consulting, and Support - "From the Source"
    http://twitter.com/costinl
    Please use [ c o d e ] [ / c o d e ] tags

  3. #3
    Join Date
    Dec 2004
    Location
    Vancouver, BC
    Posts
    80

    I tried what you said specifying those environment variables, but was able to connect with jconsole without specifying credentials.

    Here is the command I used to connect via jconsole:
    jconsole service:jmx:rmi://localhost:8100/jndi/rmi://localhost:8335/server

    Here are what I believe are interesting parts of my set up.

    Any help is much appreciated.

    craig

    <bean id="registry" class="org.springframework.remoting.rmi.RmiRegistryFactoryBean">
    <property name="port" value="8335"/>
    </bean>

    <bean id="mbeanServer" class="org.springframework.jmx.support.MBeanServerFactoryBean">
    <property name="locateExistingServerIfPossible" value="true"/>
    </bean>

    <bean id="serverConnector"
    class="org.springframework.jmx.support.ConnectorServerFactoryBean" >
    <property name="objectName" value="connector:name=rmi"/>
    <property name="server" ref="mbeanServer"/>
    <property name="serviceUrl" value="service:jmx:rmi://localhost:8100/jndi/rmi://localhost:8335/server" />
    <property name="environment">
    <props>
    <prop key="java.naming.security.principal">user</prop>
    <prop key="java.naming.security.credentials">pass</prop>
    </props>
    </property>
    </bean>

  4. #4
    Join Date
    Jan 2005
    Location
    Bucharest, Romania
    Posts
    5,403

    My bad, those variables are used when connecting to the server from a client (not when creating a server connector). To enable security for the JDK implementation, take a look at the samples provided with the JDK - the parameters you're interested in are:
    Code:
    -Dcom.sun.management.jmxremote.ssl=true -Dcom.sun.management.jmxremote.authenticate=true
    JAAS is used by default and the examples are good in showing how to setup everything.
    Costin Leau

  5. #5
    Join Date
    Dec 2004
    Location
    Vancouver, BC
    Posts
    80

    I don't think it works that way. The wrinkle is I have to set up the server connector within Spring, because I need to hard code the port the rmi server uses. Otherwise it picks random ports, and that is a problem when outside a firewall.

    I need to do this, and then can open those two ports on the firewall.
    <property name="serviceUrl" value="service:jmx:rmi://localhost:8100/jndi/rmi://localhost:8335/server" />

    I believe the system properties are only used when the jre sets up the mbean server. If I set up the serverconnector within spring they are ignored. All I need to do is specify that service url within jconsole, and it connects - whether I have the authentication flag system property set or not.

    How have others solved this? Seems like a normal use case, needing to access a tomcat instance from behind a firewall with authentication.

    Should I be looking at tunneling via ssh instead of the holes in the firewall...and let ssh worry about authentication? Should I be using another transport other than RMI? Can acegi get in the mix here? Does mc4j handle this any better?

    Lots of questions, any suggestions would be much appreciated.

    craig

  6. #6
    Join Date
    Sep 2006
    Posts
    1

    server connector

    This is my server connector config (took me a while to find it):

    Code:
    	<bean id="serverConnector"
    		class="org.springframework.jmx.support.ConnectorServerFactoryBean"
    		depends-on="registry">
    		<!-- property name="objectName" value="connector:name=rmi" / -->
    		<property name="serviceUrl"
    			value="service:jmx:rmi://localhost/jndi/rmi://localhost:1099/myconnector" />
    		<property name="environment">
    		<!-- the following is only valid when the sun jmx implementation is used -->
    			<map>
    				<entry key="jmx.remote.x.password.file" value="etc/security/jmxremote.password"/>
    				<entry key="jmx.remote.x.access.file" value="etc/security/jmxremote.access"/>
    			</map>
    		</property>
    	</bean>
    The passwd and access file follow the templates that can be found in the C:\jdk1.5.0_03\jre\lib\management folder.

    hope this helps
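
An added example, not part of the thread and not Spring's own code: a check that the connector really rejects unauthenticated clients, which is the failure seen earlier when jconsole connected without credentials. It uses the plain `javax.management.remote` API with the same two environment keys and the fixed-port service URL from the thread; the class name `JmxAuthCheck`, the helper `canConnect`, the user `monitor` and the file contents are constructed for illustration.

```java
import java.lang.management.ManagementFactory;
import java.nio.file.Files;
import java.nio.file.Path;
import java.rmi.registry.LocateRegistry;
import java.util.HashMap;
import java.util.Map;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXConnectorServer;
import javax.management.remote.JMXConnectorServerFactory;
import javax.management.remote.JMXServiceURL;

public class JmxAuthCheck {
    // True if a client presenting these credentials (null = none) is let in.
    static boolean canConnect(JMXServiceURL url, String[] creds) throws Exception {
        Map<String, Object> env = new HashMap<>();
        if (creds != null) env.put(JMXConnector.CREDENTIALS, creds);
        try (JMXConnector c = JMXConnectorFactory.connect(url, env)) {
            c.getMBeanServerConnection().getMBeanCount();
            return true;
        } catch (SecurityException rejected) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample files in the jmxremote.password / jmxremote.access format.
        Path pw = Files.createTempFile("jmxremote", ".password");
        Path acl = Files.createTempFile("jmxremote", ".access");
        Files.write(pw, "monitor example-password\n".getBytes("UTF-8"));
        Files.write(acl, "monitor readonly\n".getBytes("UTF-8"));

        LocateRegistry.createRegistry(8335); // fixed registry port, as in the thread
        JMXServiceURL url = new JMXServiceURL(
            "service:jmx:rmi://localhost:8100/jndi/rmi://localhost:8335/server");
        Map<String, Object> env = new HashMap<>();
        env.put("jmx.remote.x.password.file", pw.toString());
        env.put("jmx.remote.x.access.file", acl.toString());
        JMXConnectorServer server = JMXConnectorServerFactory.newJMXConnectorServer(
            url, env, ManagementFactory.getPlatformMBeanServer());
        server.start();
        try {
            System.out.println("no credentials:   " + canConnect(url, null));
            System.out.println("wrong password:   " + canConnect(url, new String[] {"monitor", "wrong"}));
            System.out.println("correct password: " + canConnect(url, new String[] {"monitor", "example-password"}));
        } finally {
            server.stop();
        }
        System.exit(0); // the exported registry would otherwise keep the JVM alive
    }
}
```

Authentication is enforced only if the first two checks are refused and the third is accepted. In a real deployment the password file should be readable only by the account running the JVM.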

  7. #7
    Join Date
    Dec 2004
    Location
    Vancouver, BC
    Posts
    80

    That did the trick. Thanks a lot for the help, spent a lot of time trying to figure that out, and ended up disabling jmx until you pointed me on the correct path.
