[jboss-jira] [JBoss JIRA] Commented: (JBAS-8159) Secure jmx-remoting.sar

Xavier MOGHRABI (JIRA) jira-events at lists.jboss.org
Thu Jul 29 12:38:49 EDT 2010


    [ https://jira.jboss.org/browse/JBAS-8159?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12541913#action_12541913 ] 

Xavier MOGHRABI commented on JBAS-8159:
---------------------------------------

The patch is complete for securing the JMX JSR160 connector for JBoss 5.x as the provided version is not secured.

In fact, the security relies on the JRE; see: http://blogs.sun.com/lmalventosa/entry/jmx_authentication_authorization

To secure the connector, I've added these properties:
<attribute name="AuthNMethod">jmx.remote.x.login.config</attribute>
<attribute name="AuthNParameter">jmx-console</attribute>
<attribute name="AuthZMethod">jmx.remote.x.access.rolebased</attribute>
<attribute name="AuthZParameter">JBossAdmin</attribute>

AuthNMethod represents one of the authentication methods available in the JRE: jmx.remote.x.login.config (JAAS) or jmx.remote.x.password.file (file based).
AuthNParameter represents the JAAS domain or the file containing the passwords.

AuthZMethod represents one of the authorization methods available in the JRE: jmx.remote.x.access.file (file based) or a custom one based on roles: jmx.remote.x.access.rolebased.
AuthZParameter represents the file containing the access rights or the role that grants the access.


The only thing I really wrote is the role-based authz. It can be improved, since I didn't make a distinction between readonly and readwrite.





> Secure jmx-remoting.sar
> -----------------------
>
>                 Key: JBAS-8159
>                 URL: https://jira.jboss.org/browse/JBAS-8159
>             Project: JBoss Application Server
>          Issue Type: Feature Request
>      Security Level: Public(Everyone can see) 
>          Components: JMX
>    Affects Versions: JBossAS-5.1.0.GA
>         Environment: JBossAS 5.1.0 GA
>            Reporter: Xavier MOGHRABI
>            Assignee: Scott Marlow
>             Fix For: 7.0.0.M1
>
>         Attachments: jboss-service.xml, jbossas-jmx-remoting-src.jar
>
>
> JBossAS 5.1.0 GA provides jmx-remoting.sar compliant with JSR 160. Unfortunately the service is not secured and doesn't provide any way to secure it.
> However, the JMX API provides several mechanisms allowing authentication and authorization. Authentication can easily be done against a login module.
> A forwarder can be implemented to extend the authorization against a role based mechanism.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
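As an added illustration (not code from the attached patch or from JBoss), here is how the two mechanisms described in the comment fit together using plain JMX API calls: the JAAS login entry "jmx-console" for authentication, and a role-based MBeanServerForwarder for authorization, extended with the readonly/readwrite distinction the comment says is missing. The "JBossReader" role name, the service URL and port, and the assumption that role names appear as principal names on the authenticated Subject are mine, not from the issue.

```java
import java.lang.reflect.*;
import java.security.AccessController;
import java.security.Principal;
import java.util.*;
import javax.management.MBeanServer;
import javax.management.remote.*;
import javax.security.auth.Subject;

public class RoleBasedJmxSecurity {
    // MBeanServer operations that change state; everything else is treated as read-only.
    private static final Set<String> WRITE_OPS = new HashSet<String>(Arrays.asList(
        "setAttribute", "setAttributes", "invoke", "createMBean", "registerMBean",
        "unregisterMBean", "addNotificationListener", "removeNotificationListener"));

    /** Forwarder: readRole may call read-only operations, writeRole may call anything. */
    public static MBeanServerForwarder newForwarder(final String readRole, final String writeRole) {
        InvocationHandler h = new InvocationHandler() {
            private MBeanServer target;
            public Object invoke(Object proxy, Method m, Object[] args) throws Throwable {
                String op = m.getName();
                if (m.getDeclaringClass() == Object.class) return m.invoke(this, args);
                if (op.equals("getMBeanServer")) return target;
                if (op.equals("setMBeanServer")) { target = (MBeanServer) args[0]; return null; }
                // The RMI connector server runs each remote call as the authenticated Subject.
                Subject s = Subject.getSubject(AccessController.getContext());
                if (s == null) throw new SecurityException("no authenticated subject for " + op);
                // Assumption: the login module exposes roles as principal names on the Subject.
                Set<String> roles = new HashSet<String>();
                for (Principal p : s.getPrincipals()) roles.add(p.getName());
                boolean allowed = roles.contains(writeRole)
                    || (!WRITE_OPS.contains(op) && roles.contains(readRole));
                if (!allowed) throw new SecurityException("access denied for " + op);
                try { return m.invoke(target, args); }
                catch (InvocationTargetException e) { throw e.getCause(); }
            }
        };
        return (MBeanServerForwarder) Proxy.newProxyInstance(
            MBeanServerForwarder.class.getClassLoader(),
            new Class<?>[] { MBeanServerForwarder.class }, h);
    }

    public static void main(String[] a) throws Exception {
        Map<String, Object> env = new HashMap<String, Object>();
        // Authentication (AuthNMethod/AuthNParameter): JAAS entry "jmx-console" from the page.
        env.put("jmx.remote.x.login.config", "jmx-console");
        JMXServiceURL url = new JMXServiceURL("service:jmx:rmi:///jndi/rmi://localhost:1090/jmxrmi");
        JMXConnectorServer cs = JMXConnectorServerFactory.newJMXConnectorServer(
            url, env, java.lang.management.ManagementFactory.getPlatformMBeanServer());
        // Authorization (AuthZMethod/AuthZParameter): JBossAdmin from the page, JBossReader assumed.
        cs.setMBeanServerForwarder(newForwarder("JBossReader", "JBossAdmin"));
        cs.start();
    }
}
```

The JRE installs its pluggable JAAS authenticator automatically when jmx.remote.x.login.config is present in the environment, so no explicit JMXAuthenticator is needed; the RMI registry on port 1090 must already be running for the URL above.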