This is a design thread that Scott Marlow (SMarlow) and I will be using to discuss the JSR-160 integration that Scott is working on. There are some security aspects to be considered in this integration based on the JSR-160 specification.
Studying the JSR-160 specification, in section III on the JMX Remote Connector API:
- Section 13.12 Connector Security
On the server side, when the connectors are created, they are instantiated with JMXAuthenticator. (JMXAuthenticator Javadoc)
If you look at the API for JMXAuthenticator, you will see that there is just one method, namely "Subject authenticate( Object credential )". As you can see, we pass in a credential and then get back an authenticated subject.
The credential can be open-ended. OK, what about the username? Read below:
From the JSR-160 specification, we see that there is a concrete class called RMIConnector.
- Section 14.4 Basic Security
TBD.
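An added example, not part of the original post and not JBoss code: a minimal JMXAuthenticator showing how the open-ended credential object can be type-checked before a Subject is returned. It assumes the credential arrives as a two-element String[] of username and password; the class name SampleAuthenticator and the in-memory user map are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Map;
import javax.management.remote.JMXAuthenticator;
import javax.management.remote.JMXPrincipal;
import javax.security.auth.Subject;

// Hypothetical authenticator; a connector server would receive it through the
// environment map under JMXConnectorServer.AUTHENTICATOR ("jmx.remote.authenticator").
public class SampleAuthenticator implements JMXAuthenticator {
    // Constructed demo store (assumption); a real integration would delegate to a security domain.
    private final Map<String, String> users;

    public SampleAuthenticator(Map<String, String> users) { this.users = users; }

    @Override
    public Subject authenticate(Object credential) {
        // The parameter is typed Object, so reject anything that is not the expected shape.
        if (!(credential instanceof String[])) {
            throw new SecurityException("Credentials must be a String[2]");
        }
        String[] pair = (String[]) credential;
        if (pair.length != 2 || pair[0] == null || pair[1] == null) {
            throw new SecurityException("Credentials must be {username, password}");
        }
        String expected = users.get(pair[0]);
        // Same error for unknown user and wrong password; password bytes compared with isEqual.
        boolean ok = expected != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), pair[1].getBytes(StandardCharsets.UTF_8));
        if (!ok) {
            throw new SecurityException("Authentication failed");
        }
        // Read-only Subject carrying the username as a JMXPrincipal, with no credentials attached.
        return new Subject(true, Collections.singleton(new JMXPrincipal(pair[0])),
                Collections.emptySet(), Collections.emptySet());
    }

    public static void main(String[] args) {
        // Constructed sample account, for demonstration only.
        JMXAuthenticator auth = new SampleAuthenticator(Map.of("admin", "constructed-password"));
        Subject s = auth.authenticate(new String[] {"admin", "constructed-password"});
        System.out.println(s.getPrincipals());
        try {
            auth.authenticate("admin"); // wrong credential type is refused
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }
    }
}
```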