So, I'm trying to secure the connection from MC4J to my JBoss 3.2.7 app server. I discovered right after installing MC4J I was able to get to my app server and do whatever I wanted with no login whatsoever. I imagine this is a configuration issue on the jboss side, and wanted to ask you folks how you recommend securing the MC4J to JBoss connection.
After hours of poring over google results and the JBoss 3.2.x docs, I think I've got an idea of what needs to change, but what I need is help with specifics. If anyone has done something like this, could you either provide some examples or post some links to information about solving this particular problem?
So far, what I've discovered is:
a) there is a jboss-service.xml in [JBOSS_HOME]\server\gemserver\deploy\jmx-invoker-adaptor-server.sar\META-INF that controls the behavior of the remote invoker adaptor.
b) Uncommenting the AuthenticationInterceptor descriptor from the invoke operation in the xml seems to cause the Invocation to be authenticated. (I've removed the AuthorizationInterceptor since all I need is a successful login, no roles are used at this time.)
----------
<code>
<operation>
   <description>The detached invoker entry point</description>
   <name>invoke</name>
   <parameter>
      <description>The method invocation context</description>
      <name>invocation</name>
      <type>org.jboss.invocation.Invocation</type>
   </parameter>
   <return-type>java.lang.Object</return-type>
   <!-- Uncomment to require authenticated users. Also an AuthorizationInterceptor
   is provided which will help in authorizing users to make JMX calls at the
   MBean operations level. You will need to write a class that overrides a method
   with the signature
   "public Boolean authorize( Principal caller, Collection roles,String objectname,String opname)"
   is needed to be defined in the attribute 'authorizingClass' -->
   <descriptors>
      <interceptors>
         <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor" securityDomain="java:/jaas/jmx-console"/>
      </interceptors>
   </descriptors>
</operation>
</code>
----------
What I get from MC4J when it starts hitting the MBeans is an error:
java.lang.RuntimeException: java.lang.SecurityException: Failed to authenticate principal=null, securityDomain=jmx-console
I have provided the principal and credentials (username/password) to the connecting app, but for some reason the principal is not making it into the Invocation.
Questions:
1) Where are the usernames and passwords supposed to be defined? For the web console they are defined in properties files at [JBOSS_HOME]\server\gemserver\deploy\jmx-console.war\WEB-INF\classes named jmx-console-roles and jmx-console-users. Is there an equivalent way to define them for the Detached Invoker?
2) Is this a case where MC4J is not providing the creds? I wouldn't think that would be the case, but figured I'd ask in case this is all a known issue.
3) Is there something else I'm supposed to do to secure the RMI connection to the MBeans in the app server?
Thanks!
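An added example, not part of the original post: a small Python check that parses a jmx-invoker-adaptor `jboss-service.xml` fragment and reports whether the `invoke` operation actually has the AuthenticationInterceptor active with a security domain. The function name and both sample fragments are constructed for illustration; only the interceptor class name and the `securityDomain` value come from the descriptor quoted above.

```python
import xml.etree.ElementTree as ET

# Class name as it appears in the descriptor quoted in the post.
AUTHN_INTERCEPTOR = "org.jboss.jmx.connector.invoker.AuthenticationInterceptor"

# Constructed sample: interceptor still commented out (no login required).
SAMPLE_OPEN = """<xmbean><operation>
  <name>invoke</name>
  <return-type>java.lang.Object</return-type>
  <!-- <descriptors><interceptors><interceptor code="x"/></interceptors></descriptors> -->
</operation></xmbean>"""

# Constructed sample: interceptor enabled as in the post.
SAMPLE_SECURED = """<xmbean><operation>
  <name>invoke</name>
  <return-type>java.lang.Object</return-type>
  <descriptors><interceptors>
    <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
                 securityDomain="java:/jaas/jmx-console"/>
  </interceptors></descriptors>
</operation></xmbean>"""


def audit_invoke_operations(xml_text):
    """Return one finding per <operation> named 'invoke' (hypothetical helper).

    ElementTree discards XML comments, so an interceptor that is still
    commented out is treated as absent, which matches what the server sees.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for op in root.iter("operation"):
        if (op.findtext("name") or "").strip() != "invoke":
            continue
        domain = None
        authenticated = False
        for icpt in op.findall("./descriptors/interceptors/interceptor"):
            if icpt.get("code") == AUTHN_INTERCEPTOR:
                domain = (icpt.get("securityDomain") or "").strip() or None
                # Only counts when it names a JAAS security domain.
                authenticated = domain is not None
        findings.append({"authenticated": authenticated, "security_domain": domain})
    return findings


if __name__ == "__main__":
    for label, doc in (("open", SAMPLE_OPEN), ("secured", SAMPLE_SECURED)):
        print(label, audit_invoke_operations(doc))
```

This only confirms that the descriptor is active on the server side; it says nothing about whether the client is attaching a principal to the Invocation.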