Securing JMXConnectorServerService (jmx-remoting.sar) in JBoss 5.1.0.GA

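I have been trying to understand how to secure the JMXConnectorServerService that JBoss 5.1.0.GA provides by default.

Currently, if I paste the following URL into JConsole, I can access JMX directly without any authentication: service:JMX:rmi:///jndi/rmi://:1290/jmxconnector

Then I did this to secure my JMXInvoker, hoping it would secure all JMX access:

However, apparently that does not apply to the JMXConnectorServerService. I can still access JMX via jconsole using the service URL above.

I then found this feature request, which has not been fulfilled yet:

Now, I am not worried about crazy security measures. This URL will not be exposed to the outside network. So, I just want to see what the simplest way is to secure jmx-remoting.sar with the "jmx-console" security domain.

I could switch to the default MBean server, but apparently in 5.1.0.GA that is a pain:

I would really appreciate any input on this.


Thanks

I think this service is not secured yet, but there is an issue for it.

For a slightly simpler version, I'll go out on a limb here, since I have not tested it on AS 5, but I backported it to AS 4 and it works fine.

I'm not sure exactly which version you have, but let's assume it is. The EAP version has a slightly more complicated version, but the premise is the same. You will need to extend and update

In this implementation, the code that creates the server looks like this: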

// create new connector server and start it
connectorServer = JMXConnectorServerFactory.newJMXConnectorServer(url, null, mbeanServer);

/**
 * Validates the name of the passed JAAS domain.
 * If the name is not valid, a RuntimeException will be thrown.
 * @param domain The name of the JAAS domain to validate.
 */
private void validateJaasDomain(String domain) {
    try {
        new LoginContext(domain);
    } catch (Exception e) {
        throw new RuntimeException("The JAAS Domain [" + domain + "] could not be loaded", e);
    }
}
In the extension, add the following:

/** The name of the JAAS domain to use for authentication */
protected String jaasDomain = null; 
...
/**
   * Returns the name of the JAAS domain to use for authentication
   * @return the name of a JAAS Domain
   */
public String getJaasDomain() {
   return jaasDomain;
}

/**
  * Sets the name of the JAAS domain to use for authentication
  * @param jaasDomain the JAAS Domain to use for authentication
  */
public void setJaasDomain(String jaasDomain) {
   this.jaasDomain = jaasDomain;
}
Now, you need to re-implement the start method, which adds an environment containing the name of the JAAS domain to authenticate against.

   public void start() throws Exception
   {
      // the address to expose in the urls
      String host = System.getProperty("java.rmi.server.hostname");

      // check to see if registry already created
      rmiRegistry = LocateRegistry.getRegistry(host, registryPort);
      if (rmiRegistry != null)
      {
         try
         {
            rmiRegistry.list();
         }
         catch(RemoteException e)
         {
            log.debug("No registry running at host '" + host +
                  "', port '" + registryPort + "'.  Will create one.");
            rmiRegistry = LocateRegistry.createRegistry(registryPort, null, new DefaultSocketFactory(bindAddress));
         }
      }
      else
      {
         rmiRegistry = LocateRegistry.createRegistry(registryPort, null, new DefaultSocketFactory(bindAddress));
      }

      String serviceURL = "service:jmx:rmi://" + host + "/jndi/rmi://" + host + ":" + registryPort + jndiPath;

      JMXServiceURL url = new JMXServiceURL(serviceURL);

      // create new connector server and start it
      // ==== NEW AUTH CODE HERE ====
      final Map<String, Object> environment = new HashMap<String, Object>();
      environment.put("jmx.remote.x.login.config", jaasDomain);
      connectorServer = JMXConnectorServerFactory.newJMXConnectorServer(url, environment, mbeanServer);
      // ==== NEW AUTH CODE ENDS ====
      connectorServer.start();

      log.info("JMX Connector server: " + serviceURL);
   }
Add the jaasDomain attribute to the new MBean interface:

/**
 * Returns the name of the JAAS domain to use for authentication
 * @return the name of a JAAS Domain
 */
public String getJaasDomain();

/**
 * Sets the name of the JAAS domain to use for authentication
 * @param jaasDomain the JAAS Domain to use for authentication
 */
public void setJaasDomain(String jaasDomain);
Assuming your new impl is com.vijay.JMXConnectorServerService and the new MBean is com.vijay.JMXConnectorServerServiceMBean, your deployment descriptor will look like this (using the jmx-console JAAS domain, since you probably already have that secured…):

<!-- ======================================================== -->
<!-- Example Vijay JMX Remoting Service Configuration file        -->
<!-- ======================================================== -->
<server>

   <mbean code="com.vijay.JMXConnectorServerService"
      name="jboss.remoting:service=JMXConnectorServer,protocol=rmi"
      display-name="JMX Connector Server (RMI)">
           <attribute name="BindAddress">
               <!-- Get the port from the ServiceBindingManager -->
               <value-factory bean="ServiceBindingManager" method="getStringBinding" 
                  parameter="jboss.remoting:service=JMXConnectorServer,protocol=rmi"/>
            </attribute>
            <!-- if comment this out, will use 1099 as default and will conflict -->
            <!-- with default JNP (JNDI) port. -->
            <attribute name="RegistryPort">
               <!-- Get the port from the ServiceBindingManager -->
               <value-factory bean="ServiceBindingManager" method="getIntBinding" 
                  parameter="jboss.remoting:service=JMXConnectorServer,protocol=rmi"/>
            </attribute>
            <!-- the path to which will be bound in rmi registry -->
            <!-- the commented value below is the default. -->
            <!-- <attribute name="JndiPath">/jmxconnector</attribute> -->
            <attribute name="JaasDomain">jmx-console</attribute>
   </mbean>
</server>

That's all I've got. I hope it works for you.

Thank you very much for such a comprehensive answer. I really wish I could vote for this one multiple times, but unfortunately I only get one vote :(

This is very helpful and useful. Unfortunately, for now I can only rely on firewall rules that allow only my monitoring server to access the port. Thank you very much!

I tried using the validation method with a modified version of JB 5.1.0GA used by Mobicents, but it fails, saying the security domain is not available. This may be due to the fact that the domain is not yet available when the service starts, because if I disable the validation everything works fine, but I have not had time to investigate yet. Either way, thanks.

@Morfic; You can probably fix that by adding a dependency on one of the security MBeans, e.g. jboss.security:service=JaasSecurityManager. Per if the MBean has finished starting, the domain will be available.

Another interesting related article:
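
One way to confirm that the connector described in this thread now enforces authentication, as an added example that is not part of the original answer or of JBoss: a small stand-alone JMX client that tries the service URL once without credentials and once with a login, and exits non-zero if the anonymous attempt succeeds. The class name `JmxAuthCheck` and the `JMX_CHECK_PASSWORD` environment variable are assumptions made for this example; the service URL and user are passed as arguments.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

// Added example (not from the original answer): verifies that a JMX connector
// rejects anonymous clients and accepts a valid login.
public class JmxAuthCheck {

    /** Returns true if connecting with the given environment succeeds. */
    static boolean canConnect(JMXServiceURL url, Map<String, Object> env) {
        try {
            JMXConnector connector = JMXConnectorFactory.connect(url, env);
            try {
                // Force a real remote call, not just the connection handshake.
                connector.getMBeanServerConnection().getMBeanCount();
                return true;
            } finally {
                connector.close();
            }
        } catch (SecurityException e) {
            System.out.println("  rejected: " + e.getMessage());
            return false;
        } catch (IOException e) {
            throw new IllegalStateException("I/O error talking to " + url, e);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) throw new IllegalArgumentException("usage: JmxAuthCheck <service-url> <user>");
        JMXServiceURL url = new JMXServiceURL(args[0]);
        String password = System.getenv("JMX_CHECK_PASSWORD"); // assumed variable name

        System.out.println("Connecting without credentials:");
        boolean anonymous = canConnect(url, new HashMap<String, Object>());

        System.out.println("Connecting as " + args[1] + ":");
        Map<String, Object> env = new HashMap<String, Object>();
        // Password-based JMX authenticators expect a two-element {user, password} array.
        env.put(JMXConnector.CREDENTIALS, new String[] {args[1], password});
        boolean authenticated = canConnect(url, env);

        System.out.println("anonymous access: " + (anonymous ? "ALLOWED" : "denied"));
        System.out.println("authenticated access: " + (authenticated ? "ok" : "FAILED"));
        System.exit(!anonymous && authenticated ? 0 : 1);
    }
}
```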