SecureTheInvokers

Enabling authentication to the RMIAdaptor service

 

FIXME: this article is about securing Invoker Access to the JMX. Not the general invoker security.

 

Since 3.2.4, the JMX Detached Invoker Service which provides the RMIAdaptor interface into the MBeanServer has supported JAAS authentication of callers.

 

Note, there is a bug in the 4.0.x implementation that is fixed in 4.0.5 GA.

 

 

To enable this:

 

- in JBossAS 5.0x, see Technical Paper in SecureTheJmxConsole

 

- in JBossAS 4.0.x, edit jmx-invoker-service.xml

 

- in JBossAS 3.2.x, edit jmx-invoker-adaptor-server.sar/META-INF/jboss-service.xml

 

and uncomment the descriptors section of the invoke operation:

 

         <operation>
            <description>The detached invoker entry point</description>
            <name>invoke</name>
            <parameter>
               <description>The method invocation context</description>
               <name>invocation</name>
               <type>org.jboss.invocation.Invocation</type>
            </parameter>
            <return-type>java.lang.Object</return-type>
            <!-- Uncomment to require authenticated users -->
            <descriptors>
               <interceptors>
                  <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
                     securityDomain="java:/jaas/jmx-console"></interceptor>
               </interceptors>
            </descriptors>
         </operation>

 

The value of the securityDomain attribute maps to the security domain name found in the conf/login-config.xml definitions the same way as the jboss.xml, jboss-web.xml security-domain elements do. In this case the jmx-console security domain configuration is being used.

 

Note, in some version of jboss when running under java5+, you may see an error like the following:

. This is due to a change in how the jmx descriptor names are stored with case preserved. To work around this isssue simply use all lower case attribute names:

...
            <descriptors>
               <interceptors>
                  <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
                     securitydomain="java:/jaas/jmx-console"></interceptor>
               </interceptors>
            </descriptors>

This still works under jdk14.

 

Enabling authorization to the RMIAdaptor service

 

Along the lines of the AuthenticationInterceptor, an AuthorizationInterceptor is available in JBoss. The interceptor should be placed after the AuthenticationInterceptor and has the following configuration.

  • authorizingClass : Fully Qualified Name of a class that does the authorization and which contains a method with the following signature

"public void authorize( Principal caller, Subject subject, String objectname,String opname)"  that can throw a java.lang.SecurityException

 

An example of an authorizing class is available in JBoss. It is the org.jboss.jmx.connector.invoker.RolesAuthorization, which looks for an hardcoded "JBossAdmin" role in the authenticated subject.

 

<descriptors>
    <interceptors>
        <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
                     securityDomain="java:/jaas/jmx-console"></interceptor>
        <interceptor code="org.jboss.jmx.connector.invoker.AuthorizationInterceptor"
                     authorizingClass="org.jboss.jmx.connector.invoker.RolesAuthorization"></interceptor>
     </interceptors>
</descriptors>

 

 

 

Starting 4.0.4.GA, we have an authorization delegate that looks for passwords from a properties file called as

"jmxinvoker-roles.properties" either in a jar file or can be in the conf directory.

As before,

<descriptors>
    <interceptors>
        <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
                     securityDomain="java:/jaas/jmx-console"></interceptor>
        <interceptor code="org.jboss.jmx.connector.invoker.AuthorizationInterceptor"
                     authorizingClass="org.jboss.jmx.connector.invoker.ExternalizableRolesAuthorization"></interceptor>
     </interceptors>
</descriptors>

 

The format of the jmxinvoker-roles.properties file is as follows:

#Specify the roles that are authorized to access the jmx invoker delimited by comma
roles=testRole,testRole1

 

 

If you don't succeed in securing the RMIInvoker (that is, calls are made without forcing a login), try placing the security-service.xml in a SAR.

Create a folder named security.sar that has a subfolder named META-INF. Then move your security-service.xml to this folder and rename it to jboss-service.xml. Place the security.sar in you deploy-folder.