[jboss-jira] [JBoss JIRA] Created: (JBAS-5092) JMX Invoker security should use a role to control security

Stephen Burdeau (JIRA) jira-events at lists.jboss.org
Tue Dec 18 13:43:43 EST 2007


JMX Invoker security should use a role to control security
----------------------------------------------------------

                 Key: JBAS-5092
                 URL: http://jira.jboss.com/jira/browse/JBAS-5092
             Project: JBoss Application Server
          Issue Type: Feature Request
      Security Level: Public (Everyone can see)
          Components: JMX
    Affects Versions: JBossAS-4.2.0.GA
            Reporter: Stephen Burdeau
         Assigned To: Dimitris Andreadis


The JMX Invoker is secured using the security domain java:/jaas/jmx-console.  However, there appears to be no way to specify a particular role (e.g., JBossAdmin).

This means that if a "userA" is added to the jmx-console-users.properties file, but "userA" is not added to any role, "userA" still has the privilege to perform JMX invoker requests, such as shutdown.

Obviously one solution in this case is to not add "userA" to the jmx-console-users.properties file.

However, the problem is more acute when a custom login module is developed.  For example, a system administrator could develop a custom login module which validates a user against the operating system userid and password.  The custom login module then uses another mechanism (e.g., flat file or database) to define the roles allowed for each user.  However, since no role is required, any valid user on the system (e.g., "guest") would be granted access to the JMX Invoker.


-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
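
The gap described in the report, as an added example that is not part of the original message and not JBoss code: a stand-alone Java model of an authentication-only gate next to a gate that also requires a role. The class and method names, the sample passwords and the role data are constructed for illustration; only "userA" and the role name JBossAdmin come from the report.

```java
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashSet;
import java.util.Properties;
import java.util.Set;

public class InvokerRoleCheck {
    // Constructed sample data: user=password and user=role1,role2 entries.
    static final String USERS = "admin=adminpw\nuserA=secretA\n";
    static final String ROLES = "admin=JBossAdmin\n"; // userA has no roles

    static Properties load(String text) throws IOException {
        Properties p = new Properties();
        p.load(new StringReader(text));
        return p;
    }

    // Behaviour the report describes: this check alone gates the call.
    static boolean authenticate(Properties users, String user, String pw) {
        String expected = users.getProperty(user);
        return expected != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                pw.getBytes(StandardCharsets.UTF_8));
    }

    static Set<String> rolesOf(Properties roles, String user) {
        Set<String> out = new HashSet<>();
        for (String r : roles.getProperty(user, "").split(",")) {
            if (!r.trim().isEmpty()) out.add(r.trim());
        }
        return out;
    }

    // Behaviour the report requests: valid login plus a required role.
    static boolean allowWithRole(Properties users, Properties roles,
                                 String user, String pw, String required) {
        return authenticate(users, user, pw) && rolesOf(roles, user).contains(required);
    }

    public static void main(String[] args) throws IOException {
        Properties users = load(USERS), roles = load(ROLES);
        for (String[] c : new String[][] {{"admin", "adminpw"}, {"userA", "secretA"}}) {
            System.out.printf("%-5s authenticated-only=%b role-required=%b%n", c[0],
                    authenticate(users, c[0], c[1]),
                    allowWithRole(users, roles, c[0], c[1], "JBossAdmin"));
        }
    }
}
```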

        


