JMX Invoker security should use a role to control security
----------------------------------------------------------
Key: JBAS-5092
URL: http://jira.jboss.com/jira/browse/JBAS-5092
Project: JBoss Application Server
Issue Type: Feature Request
Security Level: Public (Everyone can see)
Components: JMX
Affects Versions: JBossAS-4.2.0.GA
Reporter: Stephen Burdeau
Assigned To: Dimitris Andreadis
The JMX Invoker is secured using the security domain java:/jaas/jmx-console. However,
there appears to be no way to specify a particular role (e.g., JBossAdmin).
This means that if a "userA" is added to the jmx-console-users.properties file,
but "userA" is not added to any role, "userA" still has the privilege
to perform JMX invoker requests, such as shutdown.
Obviously one solution in this case is to not add "userA" to the
jmx-console-users.properties file.
However, the problem is more acute when a custom login module is developed. For example,
a system administrator could develop a custom login module which validates a user against
the operating system userid and password. The custom login module then uses another
mechanism (e.g., flat file or database) to define the roles allowed for each user.
However, since no role is required, any valid user on the system (e.g., "guest")
would be granted access to the JMX Invoker.
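For context, here is an added illustration (not part of the issue report and not copied from a JBoss distribution) of the interceptor stack shape in `deploy/jmx-invoker-service.xml` that the report describes: an `AuthenticationInterceptor` bound to `java:/jaas/jmx-console`, which only establishes that the caller authenticated, followed by the variant a defender wants, where a second interceptor also requires a role. The `AuthorizationInterceptor` class, its `authorizingClass` attribute and the `RolesAuthorization` class are assumed here from later JBoss AS releases and must be verified against the version actually deployed; the user and role file contents are constructed sample data.

```xml
<!-- Added example, not the stock JBoss configuration. Only the interceptor
     section of the InvokerAdaptorService MBean is shown; the surrounding
     mbean/xmbean elements are as shipped with the server. -->

<!-- (1) The situation described in the report: authentication only.
     Anyone who can authenticate against the jmx-console domain may invoke
     any MBean operation, including shutdown, even with no role at all. -->
<interceptors>
  <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
               securityDomain="java:/jaas/jmx-console"/>
</interceptors>

<!-- (2) Corrected shape: authentication followed by a role check.
     ASSUMPTION: AuthorizationInterceptor / RolesAuthorization exist in the
     release in use; confirm before relying on this. The role that
     RolesAuthorization accepts must match one granted in the roles file
     (or by the custom login module) to the administrators only. -->
<interceptors>
  <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
               securityDomain="java:/jaas/jmx-console"/>
  <interceptor code="org.jboss.jmx.connector.invoker.AuthorizationInterceptor"
               authorizingClass="org.jboss.jmx.connector.invoker.RolesAuthorization"/>
</interceptors>

<!-- Constructed sample data for the properties-based login module.
     conf/props/jmx-console-users.properties (user=password): -->
<!--
admin=CHANGE_ME
userA=CHANGE_ME
-->
<!-- conf/props/jmx-console-roles.properties (user=role[,role]): -->
<!--
admin=JBossAdmin
-->
<!-- With stack (1), userA can still invoke operations because the stack
     never consults the roles file. With stack (2), userA is authenticated
     but has no accepted role and the invocation is rejected. -->
```

A quick configuration check is to compare the two files: every principal present in the users file but absent from the roles file is an account that stack (1) admits with full invoker privilege. With a custom login module that authenticates operating-system accounts, the same review applies to whatever store that module reads its roles from.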