
Thread: How to secure jmxServer (JConsole)

  1. #11

    Default

    Many thanks for the detailed response! What is the type for the variable registry?

  2. #12
    Join Date
    Aug 2006
    Posts
    129

    Default

    could not find a spring suitable class so:

    Code:
    public interface AuthenticationRegistry {
    	
    	Authentication register(String key, Authentication authentication);
    	Authentication remove(String key);
    
    }
    and :

    Code:
    private Map<String,Authentication> registry = Collections.synchronizedMap(new HashMap<String,Authentication>());

    public Authentication register(String key, Authentication authentication) {
        if (key == null) {
            key = authentication.getName();
        }
        return registry.put(key, authentication);
    }

    public Authentication remove(String key) {
        return registry.remove(key);
    }

  3. #13

    Default

    Confirming that the solution posted by wims.tijd involving spring-aop worked like a charm! Thank you wims.tijd you are a lifesaver.

  4. #14
    Join Date
    May 2011
    Posts
    2

    Default

    Hi,

    I am trying to implement authentication for JMX access via JConsole using JMXMP protocol.
    I followed exactly the procedure and implemented a custom JMXAuthenticatorImpl.
    My application did call the custom authenticator, but the argument 'credentials' has only the URL.
    It does not contain the username and password that were entered on the JConsole GUI.
    What am I missing?

    thanks
    Srini

    Quote Originally Posted by wims.tijd View Post
    i had the same issue and i've found out by implementing JMXAuthenticator the most flexible way to secure jconsole and authenticate via spring security :

    config :

    Code:
    <util:constant id="jmx.auth.attribute" static-field="javax.management.remote.JMXConnectorServer.AUTHENTICATOR"/>
    
    <bean id="jmx.authenticator" class="wims.cycle.jmx.JmxSecurityAuthenticator"/>
    
    <util:map id="jmx.environment">
    		<entry key-ref="jmx.auth.attribute" value-ref="jmx.authenticator"/>
    	</util:map>
    
    <bean id="jmx.server" class="org.springframework.jmx.support.MBeanServerFactoryBean"
    		p:locateExistingServerIfPossible="false"/>
    
    <bean id="jmx.server.connector" class="org.springframework.jmx.support.ConnectorServerFactoryBean" depends-on="jmx.registry"
    		p:server-ref="jmx.server"
    		p:objectName="connector:name=rmi"
    		p:serviceUrl="service:jmx:rmi://localhost/jndi/rmi://localhost:1099/cycle"
    		p:environmentMap-ref="jmx.environment"
    />
    JMXAuthenticator :

    Code:
    public class JmxSecurityAuthenticator implements JMXAuthenticator{
    
    	@Resource
    	private AuthenticationManager authMgr;
    
    	public Subject authenticate(Object credentials) {
    		try{
    			String[] info = (String[]) credentials;
    			
    			Authentication auth = authMgr.authenticate(new UsernamePasswordAuthenticationToken(info[0],info[1]));
    			
    			
    			Subject s = new Subject();
    			s.getPrincipals().add(new JMXPrincipal(auth.getName()));
    			return s;
    		}catch(Exception e){
    			throw new SecurityException(e);
    		}
    	}
    
    }

  5. #15
    Join Date
    May 2011
    Posts
    2

    Default

    Quote Originally Posted by farrukh_najmi View Post
    Confirming that the solution posted by wims.tijd involving spring-aop worked like a charm! Thank you wims.tijd you are a lifesaver.

    Hi Farrukh najim

    Thanks for the reply.

    The solution posted is using RMI protocol (JMX RMI).

    p:serviceUrl="service:jmx:rmi://localhost/jndi/rmi://localhost:1099/cycle"

    But I am trying to use JMXMP protocol.

    service:jmx:jmxmp://localhost:9998

    When I followed the procedure suggested by wims.tijd by changing the protocol URL, I am seeing some issues.
    First, I do see that my custom JMXAuthenticatorImpl is getting called. But the credential object it is getting does not
    contain user name or password. It contains only one element in the array, that is the URL.

    Application started.
    May 26, 2011 12:47:43 PM SocketConnectionServer accept
    FINER: Waiting a new connection...
    May 26, 2011 12:47:51 PM SocketConnection Constructor
    FINER: Creating with a socket Socket[addr=/10.40.141.40,port=2412,localport=9998]
    May 26, 2011 12:47:51 PM GenericConnectorServer Receiver.run
    FINER: received connection request.
    May 26, 2011 12:47:51 PM GenericConnectorServer Receiver.run
    FINER: waiting for connection.
    May 26, 2011 12:47:51 PM SynchroMessageConnectionServerImpl accept
    FINER: Waiting a coming client...
    May 26, 2011 12:47:51 PM SocketConnectionServer accept
    FINER: Waiting a new connection...
    May 26, 2011 12:47:51 PM SocketConnection connect
    FINER: First time to connect to the server.
    May 26, 2011 12:47:51 PM AdminServer connectionOpen
    FINER: >>>>> Handshake Begin <<<<<
    May 26, 2011 12:47:51 PM AdminServer connectionOpen
    FINER: Server Supported Profiles [ null ]
    May 26, 2011 12:47:51 PM AdminServer connectionOpen
    FINER: Server JMXMP Version [ 1.0 ]
    May 26, 2011 12:47:51 PM SocketConnection writeMessage
    FINEST: Write a message ...
    May 26, 2011 12:47:51 PM SocketConnection readMessage
    FINEST: Read a message ...
    May 26, 2011 12:47:51 PM AdminServer connectionOpen
    FINER: >>>>> Handshake End <<<<<
    May 26, 2011 12:47:51 PM AdminServer connectionOpen
    FINER: Client Context Object [ [Ljava.lang.String;@109ea96 ]
    *******Inside JMXAuthenticatorImpl******************

    CLass Of credential obj=[Ljava.lang.Object;
    Elements in the cred array=2
    CLass Of credential obj=java.lang.String
    name=jmxmp://lchi069094.prod.ad.merc.chicago.cme.com:2412 539419
    password=null

    When I looked at the source code of the implementation of com.sun.jmx.remote.opt.security.AdminServer that is calling my JMXAuthenticatorImpl,
    I see it is using something called connectionId to create the credential object. Has anyone tried the authentication with JMXMP protocol?

    thanks
    Srini

  6. #16
    Join Date
    Aug 2006
    Posts
    129

    Default client connection

    Code:
    <bean id="jmx.client.connector" class="org.springframework.jmx.support.MBeanServerConnectionFactoryBean"
        p:serviceUrl="service:jmx:rmi://localhost/jndi/rmi://localhost:1098/stock"
        p:environmentMap-ref="jmx.remote.environment.map"
        p:connectOnStartup="false"
    />

    <util:map id="jmx.remote.environment.map">
        <entry key-ref="jmx.remote.credentials" value="willem:willem"/>
    </util:map>

    <util:constant id="jmx.remote.credentials" static-field="javax.management.remote.JMXConnector.CREDENTIALS"/>

  7. #17
    Join Date
    Aug 2011
    Posts
    2

    Default

    In this article I present guide how to obligate a simple MBean which allows users to alter the aim of a Log4j logger at runtime without the essential to preserve the effort.

    The Spring design has transformed only slightly from my previous article to serve testing; the nub remains the identical tho'.




  8. #18
    Join Date
    Sep 2011
    Location
    Kraków
    Posts
    1

    Post Secure JMX access with JMXPluggableAuthenticator (built-in JDK authenticator)

    Quote Originally Posted by bwelnack View Post
    I have been trying to secure the JConsole access to my stand-alone Java Server which uses Spring 2.5, but it seems anyone that knows the URL and jmx port can access JConsole without being challenged for login credentials. The Sun docs say that by default authentication is enabled, but it seems not...
    Working configuration:
    Code:
    <util:map id="jmx.environment">
        <entry key="com.sun.management.jmxremote.authenticate" value="true"/>
        <entry key="jmx.remote.x.password.file" value="[Absolute path to file with 600 permissions] "/>
    </util:map>

    <bean depends-on="mbeanServer" id="serverConnector" class="org.springframework.jmx.support.ConnectorServerFactoryBean"
        p:objectName="connector:name=slpRMIConnector"
        p:serviceUrl="service:jmx:rmi://localhost/jndi/rmi://localhost:1099/myConnector"
        p:environmentMap-ref="jmx.environment" />

    The jmx.remote.x.password.file property is used in the javax.management.remote.rmi.RMIServerImpl.doNewClient() method as follows:

    Code:
    RMIConnection doNewClient(Object credentials) throws IOException {
        ...
        Subject subject = null;
        JMXAuthenticator authenticator =
            (JMXAuthenticator) env.get(JMXConnectorServer.AUTHENTICATOR);
        if (authenticator == null) {
            /*
             * Create the JAAS-based authenticator only if authentication
             * has been enabled
             */
            if (env.get("jmx.remote.x.password.file") != null ||
                env.get("jmx.remote.x.login.config") != null) {
                authenticator = new JMXPluggableAuthenticator(env);
            }
        }
        if (authenticator != null) {
            if (tracing) logger.trace("newClient","got authenticator: " +
                                      authenticator.getClass().getName());
            try {
                subject = authenticator.authenticate(credentials);
            } catch (SecurityException e) {
                logger.trace("newClient", "Authentication failed: " + e);
                throw e;
            }
        }
        ...
    }

    Regards,
    Maciej
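
The behaviour described in post #18 can be checked without Spring. The following is an added example, not code from the thread or from the JDK: it starts an RMI connector server whose environment contains `jmx.remote.x.password.file` and then connects with no credentials, a wrong password and the right password. The class name, port 19099, connector name `demo` and the user `monitor` with its password are constructed for the demo.

```java
import java.io.IOException;
import java.lang.management.ManagementFactory;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;
import java.util.HashMap;
import java.util.Map;
import javax.management.remote.*;

public class JmxPasswordFileDemo {
    public static void main(String[] args) throws Exception {
        int port = 19099; // constructed demo port
        // Constructed password file, one "<user> <password>" pair per line (temp files are owner-only on POSIX).
        Path pw = Files.createTempFile("jmxremote", ".password");
        Files.write(pw, "monitor s3cret-demo\n".getBytes(StandardCharsets.UTF_8));
        Registry registry = LocateRegistry.createRegistry(port);
        JMXServiceURL url = new JMXServiceURL(
            "service:jmx:rmi://localhost/jndi/rmi://localhost:" + port + "/demo");

        // This key is what makes doNewClient() create the built-in JMXPluggableAuthenticator.
        Map<String, Object> serverEnv = new HashMap<>();
        serverEnv.put("jmx.remote.x.password.file", pw.toString());
        JMXConnectorServer server = JMXConnectorServerFactory.newJMXConnectorServer(
            url, serverEnv, ManagementFactory.getPlatformMBeanServer());
        server.start();
        try {
            System.out.println("no credentials -> " + tryConnect(url, null));
            System.out.println("wrong password -> " + tryConnect(url, new String[] {"monitor", "guess"}));
            System.out.println("right password -> " + tryConnect(url, new String[] {"monitor", "s3cret-demo"}));
        } finally {
            server.stop();
            UnicastRemoteObject.unexportObject(registry, true); // lets the JVM exit
            Files.deleteIfExists(pw);
        }
    }

    // Connects with optional {user, password} credentials and reports whether the server accepted them.
    static String tryConnect(JMXServiceURL url, String[] credentials) throws IOException {
        Map<String, Object> env = new HashMap<>();
        if (credentials != null) env.put(JMXConnector.CREDENTIALS, credentials);
        try (JMXConnector c = JMXConnectorFactory.connect(url, env)) {
            return "connected, " + c.getMBeanServerConnection().getMBeanCount() + " MBeans visible";
        } catch (SecurityException e) {
            return "rejected: " + e.getMessage();
        }
    }
}
```

Removing the `serverEnv.put(...)` line makes all three attempts connect, which is the unauthenticated state the original question describes. No `jmx.remote.x.access.file` is set here, so an authenticated user is not restricted to read-only access.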
