Thread: How to secure jmxServer (JConsole)

  1. #1
    Join Date
    Jun 2009
    Posts
    2

    How to secure jmxServer (JConsole)

    I have been trying to secure the JConsole access to my stand-alone Java Server which uses Spring 2.5, but it seems anyone that knows the URL and jmx port can access JConsole without being challenged for login credentials. The Sun docs say that by default authentication is enabled, but it seems not.

    http://java.sun.com/j2se/1.5.0/docs/...tml#connecting

    Anyway, I have been trying to secure it via spring-jmx-config.xml, since providing JVM parms when launching the server has no effect. Am I on the right track or can somebody tell me what I am doing wrong? The doc says if you give it a non-existent password location you will not have access, but JConsole continues to be wide open...

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans-2.0.dtd">
    <beans>
    <bean class="org.springframework.remoting.rmi.RmiRegistryFactoryBean">
    <property name="port" value="17999"/>
    </bean>

    <bean id="jmxServer" class="org.springframework.jmx.support.ConnectorServerFactoryBean">
    <property name="serviceUrl" value="service:jmx:rmi://localhost/jndi/rmi://localhost:17999/Pipeline"/>
    <property name="registrationBehaviorName" value="REGISTRATION_REPLACE_EXISTING"/>
    <property name="environmentMap">
    <map>
    <entry key="com.sun.management.jmxremote.authenticate" value-ref="true"/>
    <entry key="com.sun.management.jmxremote.password.file" value-ref="foo"/>
    </map>
    </property>

    </bean>

    <bean id="mbeanExporter" class="org.springframework.jmx.export.MBeanExporter">
    ....
    </bean>

    </beans>

    Thanks in advance to anyone who can point me in the right direction.

  2. #2
    Join Date
    Aug 2006
    Posts
    129

    JMXAuthenticator

    I had the same issue, and I've found implementing JMXAuthenticator to be the most flexible way to secure JConsole and authenticate via Spring Security:

    config :

    Code:
    <util:constant id="jmx.auth.attribute" static-field="javax.management.remote.JMXConnectorServer.AUTHENTICATOR"/>
    
    <bean id="jmx.authenticator" class="wims.cycle.jmx.JmxSecurityAuthenticator"/>
    
    <util:map id="jmx.environment">
    		<entry key-ref="jmx.auth.attribute" value-ref="jmx.authenticator"/>
    	</util:map>
    
    <bean id="jmx.server" class="org.springframework.jmx.support.MBeanServerFactoryBean"
    		p:locateExistingServerIfPossible="false"/>
    
    <bean id="jmx.server.connector" class="org.springframework.jmx.support.ConnectorServerFactoryBean" depends-on="jmx.registry"
    		p:server-ref="jmx.server"
    		p:objectName="connector:name=rmi"
    		p:serviceUrl="service:jmx:rmi://localhost/jndi/rmi://localhost:1099/cycle"
    		p:environmentMap-ref="jmx.environment"
    />
    JMXAuthenticator :

    Code:
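    import javax.annotation.Resource;
    import javax.management.remote.JMXAuthenticator;
    import javax.management.remote.JMXPrincipal;
    import javax.security.auth.Subject;
    // Also needed: Spring Security's AuthenticationManager, Authentication and
    // UsernamePasswordAuthenticationToken (their packages differ between Spring Security versions).
    
    public class JmxSecurityAuthenticator implements JMXAuthenticator{
    
    	@Resource
    	private AuthenticationManager authMgr;
    
    	public Subject authenticate(Object credentials) {
    		try{
    			// The RMI connector passes {username, password}; anything else fails the cast and is rejected below
    			String[] info = (String[]) credentials;
    			
    			// Delegate the check to Spring Security, which throws on bad credentials
    			Authentication auth = authMgr.authenticate(new UsernamePasswordAuthenticationToken(info[0],info[1]));
    			
    			// Build the Subject that the connector associates with this connection
    			Subject s = new Subject();
    			s.getPrincipals().add(new JMXPrincipal(auth.getName()));
    			return s;
    		}catch(Exception e){
    			throw new SecurityException(e);
    		}
    	}
    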
    }
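
An added example, not part of the original post: a JMXAuthenticator that fails closed when `credentials` is not a two-element `String[]` (a later reply in this thread reports receiving only the URL) and that does not chain backend exceptions into the `SecurityException` sent back to the client. `CredentialVerifier`, the class name and the sample account are hypothetical; wire the verifier to your own authentication backend.

```java
import java.util.Collections;
import javax.management.remote.JMXAuthenticator;
import javax.management.remote.JMXPrincipal;
import javax.security.auth.Subject;

/** Hypothetical hook for the real check, e.g. a call into Spring Security's AuthenticationManager. */
interface CredentialVerifier {
    boolean verify(String user, String password);
}

public class FailClosedJmxAuthenticator implements JMXAuthenticator {
    private final CredentialVerifier verifier;

    public FailClosedJmxAuthenticator(CredentialVerifier verifier) { this.verifier = verifier; }

    @Override
    public Subject authenticate(Object credentials) {
        // The connector hands over whatever the client sent: null, a String[2], or another type
        if (!(credentials instanceof String[])) {
            throw new SecurityException("Credentials required");
        }
        String[] pair = (String[]) credentials;
        if (pair.length != 2 || pair[0] == null || pair[1] == null) {
            throw new SecurityException("Credentials must be {username, password}");
        }
        boolean ok;
        try {
            ok = verifier.verify(pair[0], pair[1]);
        } catch (RuntimeException e) {
            ok = false; // the cause is not chained: this exception is serialized back to the client
        }
        if (!ok) {
            throw new SecurityException("Authentication failed");
        }
        // Read-only Subject carrying only the authenticated name
        return new Subject(true, Collections.singleton(new JMXPrincipal(pair[0])),
                Collections.emptySet(), Collections.emptySet());
    }

    public static void main(String[] args) {
        JMXAuthenticator auth = new FailClosedJmxAuthenticator(
                (u, p) -> u.equals("monitor") && p.equals("constructed-Passw0rd")); // constructed account
        System.out.println(auth.authenticate(new String[] {"monitor", "constructed-Passw0rd"}).getPrincipals());
        try {
            auth.authenticate("service:jmx:jmxmp://localhost:9998"); // constructed non-array credentials
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```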

  3. #3
    Join Date
    Jun 2009
    Posts
    2

    ConnectorServerFactoryBean environment map properties

    I tried the JMXAuthenticator approach which was posted, but it seems the poster is using a version of Spring different than 2.5? I am getting errors on the environment map properties for ConnectorServerFactoryBean. Does anyone know where these properties are documented? I am not seeing them documented anywhere...

  4. #4
    Join Date
    Aug 2006
    Posts
    129

    Which errors?

    I've used JMXAuthenticator against
    Spring pre-2.5 era, Spring 2.5 till 2.5.6 and post-2.5 (current 3.0.0.M3)

  5. #5
    Join Date
    Aug 2006
    Posts
    129

    Doc says:
    The secure JMX server will be running on port 9998.
    So should this be
    service:jmx:rmi:///jndi/rmi://localhost:9998/JMXSecureConnector ?
    Or is the connector opened at port 1099?

  6. #6

    Here is some info on my experience with getting the authentication part to work...

    In case anyone else was confused about what the "p:" namespace prefix refers to, here is a useful ref:

    http://blog.springsource.com/2006/11...-in-spring-20/

    You will need to declare both the "util:" and "p:" namespaces in the bean config file. Here is what eventually worked for me after much trial and error...

    Code:
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:security="http://www.springframework.org/schema/security"
           xmlns:util="http://www.springframework.org/schema/util"
           xmlns:p="http://www.springframework.org/schema/p"
           xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schem...-beans-2.0.xsd
                               http://www.springframework.org/schema/security http://www.springframework.org/schem...curity-2.0.xsd
           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd">
        
    
        <!-- JMX Authentication -->
        <util:constant id="jmx.auth.attribute" static-field="javax.management.remote.JMXConnectorServer.AUTHENTICATOR"/>
    
        <bean id="jmx.authenticator" class="my.impl.package.JMXAuthenticatorImpl">
            <property name="authManager" ref="_authenticationManager"/>
        </bean>
    
        <util:map id="jmx.environment">
            <entry key-ref="jmx.auth.attribute" value-ref="jmx.authenticator"/>
        </util:map>
    
        <bean id="jmx.server" class="org.springframework.jmx.support.MBeanServerFactoryBean"
                        p:locateExistingServerIfPossible="true"/>
    
        <bean id="jmx.server.connector" class="org.springframework.jmx.support.ConnectorServerFactoryBean" depends-on="jmx.registry"
                        p:server-ref="jmx.server"
                        p:objectName="connector:name=rmi"
                        p:serviceUrl="service:jmx:rmi://localhost/jndi/rmi://localhost:1099/jmxRMIConnector"
                        p:environmentMap-ref="jmx.environment"
        />
    
        <!-- Needed to declare the following -->
        <bean id="jmx.registry" class="org.springframework.remoting.rmi.RmiRegistryFactoryBean">
            <property name="port" value="1099"/>
        </bean>
    
    </beans>
    Last edited by farrukh_najmi; Feb 28th, 2011 at 02:45 PM.

  7. #7
    Join Date
    May 2011
    Posts
    2

    Hi,

    I am trying to implement authentication for JMX access via JConsole using the JMXMP protocol.
    I followed exactly the procedure and implemented a custom JMXAuthenticatorImpl.
    My application did call the custom authenticator, but the argument 'credentials' has only the URL.
    They do not contain the username and password that was entered on the JConsole GUI.
    What am I missing?

    thanks
    Srini

    Quote Originally Posted by wims.tijd View Post
    i had the same issue and i've found out by implementing JMXAuthenticator the most flexible way to secure jconsole and authenticate via spring security :


  8. #8
    Join Date
    Sep 2011
    Location
    Kraków
    Posts
    1

    Secure JMX access with JMXPluggableAuthenticator (built-in JDK authenticator)

    Quote Originally Posted by bwelnack View Post
    I have been trying to secure the JConsole access to my stand-alone Java Server which uses Spring 2.5, but it seems anyone that knows the URL and jmx port can access JConsole without being challenged for login credentials. The Sun docs say that by default authentication is enabled, but it seems not...
    Working configuration:
    Code:
     <util:map id="jmx.environment">
            <entry key="com.sun.management.jmxremote.authenticate" value="true"/>
            <entry key="jmx.remote.x.password.file" value="[Absolute path to file with 600 permissions] "/>
     </util:map>
    
        <bean depends-on="mbeanServer" id="serverConnector" class="org.springframework.jmx.support.ConnectorServerFactoryBean"
              p:objectName="connector:name=slpRMIConnector"
              p:serviceUrl="service:jmx:rmi://localhost/jndi/rmi://localhost:1099/myConnector" 
          p:environmentMap-ref="jmx.environment" />

    The jmx.remote.x.password.file property is used in the javax.management.remote.rmi.RMIServerImpl.doNewClient() method as follows:

    Code:
      RMIConnection doNewClient(Object credentials) throws IOException {
        ...
            Subject subject = null;
            JMXAuthenticator authenticator =
                (JMXAuthenticator) env.get(JMXConnectorServer.AUTHENTICATOR);
    	if (authenticator == null) {
    	    /*
    	     * Create the JAAS-based authenticator only if authentication
    	     * has been enabled
    	     */
    	    if (env.get("jmx.remote.x.password.file") != null ||
    		env.get("jmx.remote.x.login.config") != null) {
    		authenticator = new JMXPluggableAuthenticator(env);
    	    }
    	}
            if (authenticator != null) {
    	    if (tracing) logger.trace("newClient","got authenticator: " +
    			       authenticator.getClass().getName());
    	    try {
    		subject = authenticator.authenticate(credentials);
    	    } catch (SecurityException e) {
    		logger.trace("newClient", "Authentication failed: " + e);
    		throw e;
    	    }
            }
    ...
    }

    Regards,
    Maciej
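
An added example, not code from the thread or the JDK: a stand-alone check, following the `doNewClient()` excerpt above, that starts a throwaway RMI connector with each environment key discussed in this thread and reports whether a client with no credentials gets in. The class name, the temporary password file and its `monitor` entry are constructed; a POSIX file system is assumed.

```java
import java.lang.management.ManagementFactory;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXConnectorServer;
import javax.management.remote.JMXConnectorServerFactory;
import javax.management.remote.JMXServiceURL;

public class JmxAnonymousAccessCheck {
    /** Starts a throwaway RMI connector with this environment and connects without credentials. */
    static boolean anonymousAccessAllowed(Map<String, Object> env) throws Exception {
        // "service:jmx:rmi://" lets the server pick a free port and encode its stub in the address
        JMXConnectorServer server = JMXConnectorServerFactory.newJMXConnectorServer(
                new JMXServiceURL("service:jmx:rmi://"), env, ManagementFactory.getPlatformMBeanServer());
        server.start();
        try (JMXConnector client = JMXConnectorFactory.connect(server.getAddress())) {
            client.getMBeanServerConnection().getMBeanCount();
            return true;   // connected and read from the MBean server without being challenged
        } catch (SecurityException e) {
            return false;  // an authenticator was installed and refused the missing credentials
        } finally {
            server.stop();
        }
    }

    public static void main(String[] args) throws Exception {
        // Key used in the first post's environmentMap
        Map<String, Object> agentKey = new HashMap<>();
        agentKey.put("com.sun.management.jmxremote.authenticate", "true");

        // Key from the working configuration, pointing at a constructed owner-only (rw-------) file
        Path pw = Files.createTempFile("jmx", ".password",
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------")));
        Files.write(pw, Collections.singletonList("monitor constructed-Passw0rd"));
        Map<String, Object> fileKey = new HashMap<>();
        fileKey.put("jmx.remote.x.password.file", pw.toString());

        System.out.println("agent-style key only: anonymous access = " + anonymousAccessAllowed(agentKey));
        System.out.println("password file key:    anonymous access = " + anonymousAccessAllowed(fileKey));
        Files.deleteIfExists(pw);
    }
}
```

Running the same check against a staging copy of your own environment map is a quick regression test that the connector still challenges clients after a configuration change.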
