[jboss-cvs] JBossAS SVN: r62047 - in projects/security/security-docs/trunk/whitepapers/securejmx/en: modules and 1 other directory.
jboss-cvs-commits at lists.jboss.org
Tue Apr 3 13:04:22 EDT 2007
Author: anil.saldhana at jboss.com
Date: 2007-04-03 13:04:22 -0400 (Tue, 03 Apr 2007)
New Revision: 62047
Added:
projects/security/security-docs/trunk/whitepapers/securejmx/en/modules/securejmxinvoker_auth.xml
projects/security/security-docs/trunk/whitepapers/securejmx/en/modules/securejmxinvoker_authz.xml
Modified:
projects/security/security-docs/trunk/whitepapers/securejmx/en/master.xml
Log:
SECURITY-31: white paper on jmx security
Modified: projects/security/security-docs/trunk/whitepapers/securejmx/en/master.xml
===================================================================
--- projects/security/security-docs/trunk/whitepapers/securejmx/en/master.xml 2007-04-03 16:51:05 UTC (rev 62046)
+++ projects/security/security-docs/trunk/whitepapers/securejmx/en/master.xml 2007-04-03 17:04:22 UTC (rev 62047)
@@ -3,6 +3,8 @@
"../../../support/docbook-dtd/docbookx.dtd" [
<!ENTITY authonly SYSTEM "modules/authonly.xml">
<!ENTITY accesscontrol SYSTEM "modules/accesscontrol.xml">
+<!ENTITY securejmxinvoker_auth SYSTEM "modules/securejmxinvoker_auth.xml">
+<!ENTITY securejmxinvoker_authz SYSTEM "modules/securejmxinvoker_authz.xml">
]>
<book lang="en">
<bookinfo>
@@ -47,4 +49,7 @@
&authonly;
&accesscontrol;
+
+ &securejmxinvoker_auth;
+ &securejmxinvoker_authz;
</book>
Added: projects/security/security-docs/trunk/whitepapers/securejmx/en/modules/securejmxinvoker_auth.xml
===================================================================
--- projects/security/security-docs/trunk/whitepapers/securejmx/en/modules/securejmxinvoker_auth.xml (rev 0)
+++ projects/security/security-docs/trunk/whitepapers/securejmx/en/modules/securejmxinvoker_auth.xml 2007-04-03 17:04:22 UTC (rev 62047)
@@ -0,0 +1,67 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<chapter>
+ <title>Secure the JMX Invokers (Authentication Only)</title>
+
+ <section>
+ <title>Introduction</title>
+
+ <para>The JMX invokers are the entry points to the MBean Server. If there
+ is a need to restrict external access to the MBean Server, then there is a
+ need to secure the invokers.</para>
+ </section>
+
+ <section>
+ <title>Enable Authentication for the JMX Invoker</title>
+
+ <para>The JMX invoker can be made to authenticate against the JBoss
+ Security JAAS framework like the web or ejb layers.</para>
+
+ <section>
+ <title>Modifications Required</title>
+
+ <para>You will need to edit the jmx-invoker-service.xml file under the
+ deploy directory of your server configuration (eg: default
+ configuration). Please uncomment the following section.</para>
+
+ <programlisting><operation>
+ <description>The detached invoker entry point</description>
+ <name>invoke</name>
+ <parameter>
+ <description>The method invocation context</description>
+ <name>invocation</name>
+ <type>org.jboss.invocation.Invocation</type>
+ </parameter>
+ <return-type>java.lang.Object</return-type>
+ <!-- Uncomment to require authenticated users -->
+ <descriptors>
+ <interceptors>
+ <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
+ securityDomain="java:/jaas/jmx-console"/>
+ </interceptors>
+ </descriptors>
+</operation></programlisting>
+
+ <para>The value of the security domain needs to be defined in the
+ conf/login-config.xml. You can resuse the security domain used to
+ restrict access to the jmx-console.</para>
+ </section>
+
+ <section>
+ <title>Troubleshooting</title>
+
+ <para>When you use JDK5+, you may see the following error:</para>
+
+ <programlisting>org.jboss.deployment.DeploymentException?: No PropertyDescriptor? for attribute:securityDomain; -
+nested throwable: (java.beans.IntrospectionException?: No PropertyDescriptor? for attribute:securityDomain)</programlisting>
+
+ <para>This is due to a change in how the jmx descriptor names are stored
+ with case preserved. To work around this isssue simply use all lower
+ case attribute names.</para>
+
+ <programlisting><interceptors>
+ <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
+ <command>securitydomain</command>="java:/jaas/jmx-console"/>
+</interceptors></programlisting>
+ </section>
+ </section>
+</chapter>
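Review bot: the Troubleshooting listing (the `No PropertyDescriptor` error) carries stray `?` characters after `DeploymentException`, `PropertyDescriptor` and `IntrospectionException`; these are CamelCase link markers from the wiki page this was copied from, not part of the exception text, and should be dropped so the listing matches what an operator actually sees in the server log. Two typos in the prose: `resuse` and `isssue`. The `<programlisting>` blocks contain bare `<operation>`/`<interceptor>` markup; unless it is `&lt;`-escaped or wrapped in `<![CDATA[ ... ]]>` in the committed file, the DocBook build will reject it, since those are not DocBook elements. In the workaround listing, wrapping only `securitydomain` in `<command>` renders oddly inside a listing and leaves the reader unsure whether the tags are part of the attribute; showing the plain attribute `securitydomain="java:/jaas/jmx-console"` and calling out the lower-case name in the sentence above would be clearer.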
Added: projects/security/security-docs/trunk/whitepapers/securejmx/en/modules/securejmxinvoker_authz.xml
===================================================================
--- projects/security/security-docs/trunk/whitepapers/securejmx/en/modules/securejmxinvoker_authz.xml (rev 0)
+++ projects/security/security-docs/trunk/whitepapers/securejmx/en/modules/securejmxinvoker_authz.xml 2007-04-03 17:04:22 UTC (rev 62047)
@@ -0,0 +1,99 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<chapter>
+ <title>Secure the JMX Invokers (Authorization/Access Control)</title>
+
+ <section>
+ <title>Introduction</title>
+
+ <para>In the last chapter, you enabled authentication on the JMX invoker.
+ This would basically restrict access to just the actors that have
+ identified themselves. There may need for fine-grained access control on
+ the JMX invoker. You may want to restrict access to users who have certain
+ roles.</para>
+ </section>
+
+ <section>
+ <title>Enable Access Control or Authorization for the JMX Invoker</title>
+
+ <para>The JMX invoker can be made to authorize all requests.</para>
+
+ <section>
+ <title>Modifications Required (Use Case 1)</title>
+
+ <para>You will need to edit the jmx-invoker-service.xml file under the
+ deploy directory of your server configuration (eg: default
+ configuration). Please add an additional interceptor to look as
+ follows:</para>
+
+ <programlisting><operation>
+ <description>The detached invoker entry point</description>
+ <name>invoke</name>
+ <parameter>
+ <description>The method invocation context</description>
+ <name>invocation</name>
+ <type>org.jboss.invocation.Invocation</type>
+ </parameter>
+ <return-type>java.lang.Object</return-type>
+ <!-- Uncomment to require authenticated users -->
+ <descriptors>
+ <interceptors>
+ <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
+ securityDomain="java:/jaas/jmx-console"/>
+ <interceptor code="org.jboss.jmx.connector.invoker.AuthorizationInterceptor"
+ authorizingClass="org.jboss.jmx.connector.invoker.RolesAuthorization"/>
+ </interceptors>
+ </descriptors>
+</operation></programlisting>
+
+ <para>The AuthorizationInterceptor will use the JAAS authenticated
+ subject that has been created by the AuthenticationInterceptor and will
+ allow access to users who have a role called as "JBossAdmin".</para>
+ </section>
+
+ <section>
+ <title>Modifications Required (Use Case 2)</title>
+
+ <para>You will need to edit the jmx-invoker-service.xml file under the
+ deploy directory of your server configuration (eg: default
+ configuration). Please add an additional interceptor to look as
+ follows:</para>
+
+ <programlisting><operation>
+ <description>The detached invoker entry point</description>
+ <name>invoke</name>
+ <parameter>
+ <description>The method invocation context</description>
+ <name>invocation</name>
+ <type>org.jboss.invocation.Invocation</type>
+ </parameter>
+ <return-type>java.lang.Object</return-type>
+ <!-- Uncomment to require authenticated users -->
+ <descriptors>
+ <interceptors>
+ <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
+ securityDomain="java:/jaas/jmx-console"/>
+ <interceptor code="org.jboss.jmx.connector.invoker.AuthorizationInterceptor"
+ authorizingClass="org.jboss.jmx.connector.invoker.ExternalizableRolesAuthorization"/>
+ </interceptors>
+ </descriptors>
+</operation></programlisting>
+
+ <para>This use case handles cases where you can configure the various
+ roles that an user can have to gain access. The previous use case just
+ handled the case when the users had a role called as
+ "JBossAdmin".</para>
+
+ <para>In this case, you will need to provide a properties file called as
+ "jmx-invoker-roles.properties" in a jar file or place it in the conf
+ directory. The format of this file should be:</para>
+
+ <programlisting>#Specify the roles that are authorized to access the jmx invoker delimited by comma
+roles=testRole,testRole1</programlisting>
+ </section>
+ </section>
+
+ <section>
+ <title>Reference</title>
+ <para>http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureTheInvokers</para>
+ </section>
+</chapter>
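Review bot: the two "Modifications Required" sections read as if Use Case 2 is applied on top of Use Case 1 ("add an additional interceptor"), but the listings show alternative `authorizingClass` values (`RolesAuthorization` versus `ExternalizableRolesAuthorization`); say explicitly that exactly one `AuthorizationInterceptor` is configured and that the reader picks one class, otherwise a copy-paste reader ends up with two. Both listings keep the comment `<!-- Uncomment to require authenticated users -->`, which no longer matches the instruction to add an interceptor. Since the text says the AuthorizationInterceptor relies on the subject created by the AuthenticationInterceptor, state that it must be listed after the AuthenticationInterceptor, as in the listings; an operator who reorders them has no authenticated subject to authorize against. For Use Case 2, the chapter should say what happens when `jmx-invoker-roles.properties` is missing or lists no roles (access denied or allowed?), since that decides whether a deployment mistake silently grants access. Grammar in the introduction: "There may need for fine-grained access control" should read "There may be a need for fine-grained access control", and "a role called as "JBossAdmin"" should read "a role called "JBossAdmin"". The bare URL in the Reference section would be better as `<ulink url="...">`.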