[jboss-cvs] JBossAS SVN: r103643 - in trunk: server/src/etc/deploy and 2 other directories.
Wed Apr 7 12:57:41 EDT 2010
Author: smarlow at redhat.com
Date: 2010-04-07 12:57:40 -0400 (Wed, 07 Apr 2010)
New Revision: 103643
Added:
trunk/system/src/main/java/org/jboss/system/server/jmx/JMXConnectorAuthenticator.java
Modified:
trunk/console/src/main/java/org/jboss/console/twiddle/Twiddle.java
trunk/server/src/etc/deploy/jmx-jboss-beans.xml
trunk/system/pom.xml
trunk/system/src/main/java/org/jboss/system/server/jmx/JMXConnector.java
Log:
JBAS-7871 Create a JMXAuthenticator implementation. secure our JSR-160 jmxconnector
Modified: trunk/console/src/main/java/org/jboss/console/twiddle/Twiddle.java
===================================================================
--- trunk/console/src/main/java/org/jboss/console/twiddle/Twiddle.java 2010-04-07 16:49:00 UTC (rev 103642)
+++ trunk/console/src/main/java/org/jboss/console/twiddle/Twiddle.java 2010-04-07 16:57:40 UTC (rev 103643)
@@ -47,8 +47,6 @@
import org.jboss.console.twiddle.command.CommandException;
import org.jboss.console.twiddle.command.NoSuchCommandException;
import org.jboss.logging.Logger;
-import org.jboss.security.SecurityAssociation;
-import org.jboss.security.SimplePrincipal;
import org.jboss.util.Strings;
/**
@@ -108,6 +106,22 @@
DEFAULT_RMIOBJECTNAME;
}
+ public String getUsername() {
+ return username;
+ }
+
+ public void setUsername(final String username) {
+ this.username = username;
+ }
+
+ public String getPassword() {
+ return password;
+ }
+
+ public void setPassword(final String password) {
+ this.password = password;
+ }
+
public void setHostname(String hostname)
{
this.hostname = hostname;
@@ -265,14 +279,20 @@
throws NamingException, IOException
{
HashMap env = new HashMap();
+ if (username != null && password != null)
+ {
+ if (this.verbose )
+ {
+ out.println("will connect with username=" + username);
+ }
+ String[] creds = new String[2];
+ creds[0] = username;
+ creds[1] = password;
+ env.put(JMXConnector.CREDENTIALS, creds);
+ }
JMXServiceURL url = new JMXServiceURL(this.serverURL);
JMXConnector jmxc = JMXConnectorFactory.connect(url, env);
- //Subject delegationSubject =
- // new Subject(true,
- // Collections.singleton(new JMXPrincipal("delegate")),
- // Collections.EMPTY_SET,
- // Collections.EMPTY_SET);
- return jmxc.getMBeanServerConnection(SecurityAssociation.getSubject());
+ return jmxc.getMBeanServerConnection();
}
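Review bot: When only one of username/password is supplied (for example `-u` without `-p`), the guard `if (username != null && password != null)` silently sends no credentials at all, and the caller then sees the server's generic authentication failure instead of a hint about the missing option. Either require both, e.g. `if ((username == null) != (password == null)) throw new IllegalArgumentException("both username and password are required for an authenticated connection");`, or print a warning before falling back to an unauthenticated connect. The verbose line correctly prints only the username; the password should stay out of any output. The enclosing method begins outside the hunk.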
private void connect()
@@ -560,12 +580,10 @@
log.info("adapter name is ignored " + arg);
break;
case 'u':
- String username = getopt.getOptarg();
- SecurityAssociation.setPrincipal(new SimplePrincipal(username));
+ twiddle.setUsername(getopt.getOptarg());
break;
case 'p':
- String password = getopt.getOptarg();
- SecurityAssociation.setCredential(password);
+ twiddle.setPassword(getopt.getOptarg());
break;
// be noisy
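Review bot: The password read in the `'p'` case from `getopt.getOptarg()` is part of the process command line, so it is visible to other local users through process listings and is kept in shell history; this was already true before the change, but the new `setPassword` path is the place to address it. Consider documenting this in the usage text, or letting `-p` with no value prompt through `System.console().readPassword()` and passing that to `twiddle.setPassword`. The enclosing switch begins and ends outside the hunk.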
Modified: trunk/server/src/etc/deploy/jmx-jboss-beans.xml
===================================================================
--- trunk/server/src/etc/deploy/jmx-jboss-beans.xml 2010-04-07 16:49:00 UTC (rev 103642)
+++ trunk/server/src/etc/deploy/jmx-jboss-beans.xml 2010-04-07 16:57:40 UTC (rev 103643)
@@ -17,6 +17,11 @@
<!-- configuration properties -->
+ <!-- To enable authentication security checks, uncomment the following security domain name -->
+ <!--UNCOMMENT THIS
+ <property name="securityDomain">jmx-console</property>
+ -->
+
<!-- specify the NIC that will run the JMX connector -->
<property name="hostname">
<value-factory bean="ServiceBindingManager" method="getStringBinding"
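Review bot: The new comment explains how to switch authentication on but not what the shipped default means: with `securityDomain` left commented out, `JMXConnector` creates the RMI server without a `JMXAuthenticator`, so the connector listening on the configured NIC accepts MBean invocations from any client that can reach the port. Suggest wording the comment to state that consequence, e.g. `<!-- Authentication is OFF by default: any client that can reach the connector port may invoke MBeans. To require a login, uncomment the securityDomain property below; the name must match an application-policy in login-config.xml -->`.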
@@ -31,13 +36,8 @@
parameter="jboss.remoting:service=JMXConnectorServer,protocol=rmi"/>
</property>
- <!-- security domain name
- <property name="securityDomain">java:/jaas/jmx-console</property>
- -->
-
<!-- specify the mbean server that is used internally, this shouldn't be changed here. -->
<property name="mbeanServer" class="javax.management.MBeanServer"><inject bean="JMXKernel" property="mbeanServer" /></property>
<property name="context" class="javax.naming.InitialContext"><inject bean="InitialContext"/></property>
</bean>
</deployment>
-
Modified: trunk/system/pom.xml
===================================================================
--- trunk/system/pom.xml 2010-04-07 16:49:00 UTC (rev 103642)
+++ trunk/system/pom.xml 2010-04-07 16:57:40 UTC (rev 103643)
@@ -127,6 +127,10 @@
<groupId>org.jboss</groupId>
<artifactId>jboss-common-core</artifactId>
</dependency>
+ <dependency>
+ <groupId>org.picketbox</groupId>
+ <artifactId>picketbox-bare</artifactId>
+ </dependency>
</dependencies>
</project>
Modified: trunk/system/src/main/java/org/jboss/system/server/jmx/JMXConnector.java
===================================================================
--- trunk/system/src/main/java/org/jboss/system/server/jmx/JMXConnector.java 2010-04-07 16:49:00 UTC (rev 103642)
+++ trunk/system/src/main/java/org/jboss/system/server/jmx/JMXConnector.java 2010-04-07 16:57:40 UTC (rev 103643)
@@ -34,11 +34,15 @@
import javax.naming.InitialContext;
import javax.naming.Reference;
import javax.naming.StringRefAddr;
+import java.io.IOException;
import java.lang.management.ManagementFactory;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.util.HashMap;
+import org.picketbox.factories.SecurityFactory;
+
+
/**
* setup JSR-160 JMXConnector
* @author Scott Marlow smarlow at redhat.com
@@ -55,11 +59,12 @@
private MBeanServer mbeanServer = ManagementFactory.getPlatformMBeanServer();
private InitialContext context;
+ private String securityDomain;
+
/* end of configurable settings */
private RMIConnectorServer adapter;
private RMIJRMPServerImpl rmiServer;
private Registry registry;
- private String securityDomain;
private static final Logger log = Logger.getLogger(JMXConnector.class);
@@ -82,7 +87,7 @@
public void setSecurityDomain(String securityDomain) {
this.securityDomain = securityDomain;
}
-
+
public MBeanServer getMbeanServer() {
return mbeanServer;
}
@@ -116,24 +121,30 @@
DefaultSocketFactory serverSocketFactory = new DefaultSocketFactory();
serverSocketFactory.setBindAddress(hostname);
registry = LocateRegistry.createRegistry(rmiRegistryPort, clientSocketFactory, serverSocketFactory);
- rmiServer = new RMIJRMPServerImpl( 0, null, null, new HashMap());
+ HashMap env = new HashMap();
+ if( securityDomain != null)
+ env.put(RMIConnectorServer.AUTHENTICATOR, new JMXConnectorAuthenticator( securityDomain) );
+ rmiServer = new RMIJRMPServerImpl( 0, null, null, env);
JMXServiceURL url = new JMXServiceURL("service:jmx:rmi://" + hostname);
- HashMap env = new HashMap();
adapter = new RMIConnectorServer(url, env, rmiServer, mbeanServer);
adapter.start();
url = adapter.getAddress();
registry.bind(RMI_BIND_NAME, rmiServer.toStub());
if(log.isDebugEnabled()) {
- log.debug("started JMXConnector (" + url.toString() + ")");
+ log.debug("started JMXConnector (" + url.toString() + ")" +
+ (securityDomain!=null ? " domain=" + securityDomain : "") );
}
- // TODO: JBAS-7871
+
+ // For legacy access, bind a JMXAdapter to the JNDI names
Reference reference = new Reference(MBeanServerConnection.class.getName(), JMXAdapter.class.getName(), null);
reference.add(new StringRefAddr("JMXServiceURL", url.toString()));
Util.rebind(context, JNDI_BIND_NAME, reference);
Util.rebind(context, LEGACY_BIND_NAME, reference);
//Object test = Util.lookup(context, JNDI_BIND_NAME, MBeanServerConnection.class);
//log.info("test = " + test);
+ //
+ SecurityFactory.prepare();
}
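Review bot: `SecurityFactory.prepare()` is the last statement of start(), after `adapter.start()` and `registry.bind(...)` have already made the connector reachable, so a client connecting in that window hits `JMXConnectorAuthenticator.authenticate` — which calls `SecurityFactory.establishSecurityContext` — before the factory is prepared; if prepare() is a precondition for that call (not visible here), it should move above the `RMIJRMPServerImpl` construction. The unauthenticated configuration (`securityDomain == null`) is only visible at debug level; an info-level line such as `log.info("JMXConnector started without authentication; no securityDomain configured")` would make it visible in normal logs. The connector's sockets come from `DefaultSocketFactory`, so when a domain is configured the username/password pair crosses the JRMP connection without transport encryption unless SSL socket factories are configured — worth stating in the class Javadoc. start() begins outside the hunk.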
public void stop() throws Exception {
@@ -141,6 +152,7 @@
adapter.stop();
Util.unbind(context, JNDI_BIND_NAME);
Util.unbind(context, LEGACY_BIND_NAME);
+ SecurityFactory.release();
}
-}
+}
\ No newline at end of file
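Review bot: `SecurityFactory.release()` is only reached if `adapter.stop()` and both `Util.unbind` calls complete, so a failure in any of them leaves the factory prepared in start() unreleased; putting the release in a `finally` keeps stop() balanced with start(). stop() begins outside the hunk, so statements before `adapter.stop()` are not visible here.
```java
// … unchanged: earlier statements of stop() …
try {
   adapter.stop();
   Util.unbind(context, JNDI_BIND_NAME);
   Util.unbind(context, LEGACY_BIND_NAME);
} finally {
   SecurityFactory.release();
}
```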
Added: trunk/system/src/main/java/org/jboss/system/server/jmx/JMXConnectorAuthenticator.java
===================================================================
--- trunk/system/src/main/java/org/jboss/system/server/jmx/JMXConnectorAuthenticator.java (rev 0)
+++ trunk/system/src/main/java/org/jboss/system/server/jmx/JMXConnectorAuthenticator.java 2010-04-07 16:57:40 UTC (rev 103643)
@@ -0,0 +1,96 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2010, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.system.server.jmx;
+
+import org.jboss.security.AuthenticationManager;
+import org.jboss.security.SecurityContext;
+import org.picketbox.factories.SecurityFactory;
+
+import javax.management.remote.JMXAuthenticator;
+import javax.management.remote.JMXPrincipal;
+import javax.security.auth.Subject;
+import java.security.Principal;
+
+/**
+ * Handles authentication checking for JSR-160 JMXConnector (using PicketBox)
+ * login-config.xml is expected to contain an application-policy for the specified
+ * securityDomainName.
+ *
+ * @author Scott Marlow smarlow at redhat.com
+ *
+ */
+
+class JMXConnectorAuthenticator implements JMXAuthenticator {
+
+ String securityDomainName;
+
+ JMXConnectorAuthenticator(String securityDomainName)
+ {
+ this.securityDomainName = securityDomainName;
+ }
+
+ /**
+ * @inheritDoc
+ *
+ */
+ public synchronized Subject authenticate(Object creds) {
+ AuthenticationManager am;
+ SecurityContext securityContext;
+
+ // wine and complain if we don't get what we expect.
+ if (creds == null) {
+ throw new SecurityException(
+ "JMXConnectorAuthenticator requires userid/password credentials to be passed in");
+ }
+ if (! (creds instanceof String[])) {
+ // only support passing in array of Strings
+ throw new SecurityException(
+ "JMXConnectorAuthenticator can only handle authentication parameter that is array of two strings, instead got " +
+ creds.getClass().getName());
+ }
+ String[] pair = (String[]) creds;
+ if( pair.length != 2 ) {
+ // only support passing userid + password
+ throw new SecurityException(
+ "JMXConnectorAuthenticator can only handle authentication parameter that is array of two strings, instead got " +
+ pair.length +" strings");
+ }
+
+ String user, pass;
+ user = pair[0];
+ pass = pair[1];
+ Principal principal = new JMXPrincipal(user);
+ Subject subject = new Subject();
+
+ securityContext = SecurityFactory.establishSecurityContext(securityDomainName);
+ am = securityContext.getAuthenticationManager();
+
+ boolean result = am.isValid(principal, pass , subject);
+ if( result ) {
+ subject.setReadOnly();
+ }
+ else {
+ throw new SecurityException("user authentication check failed");
+ }
+ return subject;
+ }
+}
\ No newline at end of file
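Review bot: A null element in the credential pair reaches `new JMXPrincipal(user)` in authenticate(), which throws NullPointerException rather than the SecurityException the method otherwise uses for malformed input; add `if (pair[0] == null || pair[1] == null) throw new SecurityException("JMXConnectorAuthenticator requires non-null userid and password");` after the length check. The failed-login branch leaves no trace, so operators cannot detect repeated bad logins against the connector; a `log.warn("JMX authentication failed for user " + user)` (username only, never the password) with a `private static final Logger log = Logger.getLogger(JMXConnectorAuthenticator.class);` field would give that audit trail. `synchronized` on authenticate() serializes every remote login although the method touches no shared mutable state — `securityDomainName` is assigned only in the constructor — so dropping the modifier and declaring the field `private final` is cleaner. The Javadoc tag should be `{@inheritDoc}`, and the comment "wine and complain" presumably means "whine".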