mmmmmmmm,
Yeah, JMX is dumb security wise but is Weblogic or WebSphere better
with their console. If you now their protocol you can still access a App.
Server and change them without the right access rights (or am I wrong).
>From my point of view to add security is not simple but straight forward
when we can create our own JMX MBeanServer:
- add a Security Service like the <MLET> service which is available
from the startup of MBeanServer.
- before executing a method (get, set, invoke, add or remote Notification
listener the MBeanServer asks the Security Service if the user has the
right permission.
- the Security Service can then check its DB and see if the user is allowed
to do what he/she wants to do
- if the Security Service does not give permission it throws an Exception
Do you like it?
Mad Andy
----- Original Message -----
From: "marc fleury" <[EMAIL PROTECTED]>
To: "jBoss" <[EMAIL PROTECTED]>
Sent: Monday, December 04, 2000 9:09 AM
Subject: RE: [jBoss-User] Remote jboss monitoring
> mmmm,
> the problem with JMX is that there is no security built in the framework
> (yet). I am not talking about app security I am talking about "can you
call
> this operation on this MBean".
>
> Right now the MBeanServer doesn't know that the 2 MBeans that you just
> instanciated well one does "log on/off" the other one holds your DB passwd
> and the number of your visa card, to him it is just MBeans with
attributes.
> He is dumb security wise.
>
> In other words, we need to secure the JMX implementation otherwise someone
> can still query the basic MBeanServer for the information.
>
> marc
>
>
> |-----Original Message-----
> |From: [EMAIL PROTECTED]
> |[mailto:[EMAIL PROTECTED]]On Behalf Of Maddison, David
> |Sent: Monday, December 04, 2000 3:13 AM
> |To: jBoss
> |Subject: RE: [jBoss-User] Remote jboss monitoring
> |
> |
> |The attributes of the services though could be exposed, and
> |security left up
> |to the MonitorMBeans or the Adaptor?
> |
> |David Maddison
> |
> |-----Original Message-----
> |From: Juha-P Lindfors [mailto:[EMAIL PROTECTED]]
> |Sent: 04 December 2000 10:55
> |To: jBoss
> |Subject: Re: [jBoss-User] Remote jboss monitoring
> |
> |
> |
> |
> |On Mon, 4 Dec 2000, Tim Yates wrote:
> |> Hiya... is there a way of monitoring jBoss statistics whilst it is
> |running
> |> such as an EAR, or a stand alone java app?
> |
> |No, not yet though working on it.
> |
> |However, the first version won't allow remote monitoring, just localhost,
> |cause I have yet to find the place to drop anything security related in
> |the server architecture. This would include the remote JMX management
> |authentication, admin tool authentication, etc. It will most likely tie
to
> |JNP somehow, I don't know. Hopefully it would allow the web based JMX
> |management to be enabled in real world deployments as well.
> |
> |Anything particular you'd like to monitor?
> |
> |-- Juha
> |
> |
> |
> |
> |--
> |--------------------------------------------------------------
> |To subscribe: [EMAIL PROTECTED]
> |To unsubscribe: [EMAIL PROTECTED]
> |Problems?: [EMAIL PROTECTED]
> |
> |
> |
> |
> |--
> |--------------------------------------------------------------
> |To subscribe: [EMAIL PROTECTED]
> |To unsubscribe: [EMAIL PROTECTED]
> |Problems?: [EMAIL PROTECTED]
> |
> |
>
>
>
> --
> --------------------------------------------------------------
> To subscribe: [EMAIL PROTECTED]
> To unsubscribe: [EMAIL PROTECTED]
> Problems?: [EMAIL PROTECTED]
>
--
--------------------------------------------------------------
To subscribe: [EMAIL PROTECTED]
To unsubscribe: [EMAIL PROTECTED]
Problems?: [EMAIL PROTECTED]
