[jboss-dev-forums] [JMX Development] - security context issue with RMIAdaptor

qihong87 do-not-reply at jboss.com
Fri Dec 11 18:09:33 EST 2009


Hi JBoss developers,

I'm trying to get user group info in MBean code with JBoss app server version 5.1.0 GA. After some trial and error, I found that this info is available through 'SecurityAssociation.getSubject()' and/or 'SecurityContextAssociation.getSecurityContext()'. If the MBean is invoked via jmx-console (the web UI), it works fine. But if it is invoked via RMIAdaptor with AuthenticationInterceptor enabled (following the instructions at http://www.jboss.org/community/wiki/SecureTheInvokers), then 'SecurityAssociation.getSubject()' returns null, and 'SecurityContextAssociation.getSecurityContext()' returns the security context with securityDomain=other; the expected value is securityDomain=jmx-console. I noticed that SecurityAssociation.getPrincipal()/getCredential() still return the correct username and password.

After debugging, I found that AuthenticationInterceptor.invoke() sets the right security context before invoking, but InvokerAdaptorService.invoke() (down the interceptor chain) sets the security context to the default security domain. Is this a bug, or is there some reason for this?

Here's the related code in InvokerAdaptorService.invoke(), line 228:

            // Invoke the MBeanServer method via reflection
            Method method = invocation.getMethod();
            Object[] args = invocation.getArguments();
            Principal principal = invocation.getPrincipal();
            Object credential = invocation.getCredential();
            Object value = null;
            SecurityContext sc = SecurityActions.createSecurityContext(SecurityConstants.DEFAULT_APPLICATION_POLICY);
            SecurityActions.setSecurityContext(sc);
            // Associate the method 
            SecurityActions.pushSubjectContext(principal, credential, null);

Note that it always uses the default security domain, and passes null as the subject to the SecurityActions.pushSubjectContext() call.

Thank you so much!


View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4270310#4270310
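
An added example, not part of the original post and not JBoss code: a plain-JDK model of the sequence described above, where a context set by the authentication step is replaced downstream by one with the default domain and no subject, together with a guard an MBean can apply so that group checks fail closed. `Ctx`, `CONTEXT`, `authenticate`, `adaptorInvoke`, `requireGroup` and the group name `JBossAdmin` are assumptions made for illustration.

```java
import java.security.Principal;
import javax.security.auth.Subject;

// Added illustration: plain-JDK stand-ins, not JBoss classes.
public class SecurityContextOverwriteDemo {
    // Hypothetical stand-in for a thread-bound security context.
    static final class Ctx {
        final String domain;
        final Subject subject;
        Ctx(String domain, Subject subject) { this.domain = domain; this.subject = subject; }
    }
    static final ThreadLocal<Ctx> CONTEXT = new ThreadLocal<>();

    // Models the authentication step: context for the configured domain, with a subject.
    static void authenticate(String domain, Subject subject) { CONTEXT.set(new Ctx(domain, subject)); }

    // Models the downstream step quoted in the post: default domain, null subject.
    static void adaptorInvoke() { CONTEXT.set(new Ctx("other", null)); }

    // MBean-side guard: refuse when the context is missing, has no subject,
    // or belongs to a domain other than the one the MBean expects.
    static void requireGroup(String expectedDomain, String group) {
        Ctx c = CONTEXT.get();
        if (c == null || c.subject == null || !expectedDomain.equals(c.domain)) {
            throw new SecurityException("no authenticated subject for domain " + expectedDomain);
        }
        boolean member = c.subject.getPrincipals().stream()
                .anyMatch(p -> group.equals(p.getName()));
        if (!member) throw new SecurityException("caller is not in group " + group);
    }

    public static void main(String[] args) {
        Subject caller = new Subject();
        Principal role = () -> "JBossAdmin";        // constructed sample group
        caller.getPrincipals().add(role);

        authenticate("jmx-console", caller);
        requireGroup("jmx-console", "JBossAdmin");  // context intact: check passes
        System.out.println("context intact: access granted");

        adaptorInvoke();                            // context replaced downstream
        try {
            requireGroup("jmx-console", "JBossAdmin");
            System.out.println("unexpected: access granted");
        } catch (SecurityException e) {
            System.out.println("context replaced: denied (" + e.getMessage() + ")");
        }
    }
}
```

The model flattens group membership into plain principals; it shows only the ordering problem and the fail-closed check, not how JBoss stores roles.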
