hi,
i am trying to secure the jmx invoker as described in the wiki [1] and the
"jboss: a developer's notebook" [2] book. i enabled the
"AuthenticationInterceptor" in the "jmx-invoker-service.xml" configuration file
by uncommenting the following interceptor definition for the "invoke" operation
of the "jboss.jmx:type=adaptor,name=Invoker" mbean.
| <descriptors>
|    <interceptors>
|       <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
|                    securityDomain="java:/jaas/jmx-console"/>
|    </interceptors>
| </descriptors>
|
unfortunately access to the jmx invoker is still granted. in other words, it's
still possible to shut down the server using the shutdown.sh script (without
specifying a username/password). furthermore it is possible to terminate the
server by accessing the jmx invoker directly via jndi:
| MBeanServerConnection server =
|       (MBeanServerConnection) jndiInitialContext.lookup("jmx/invoker/RMIAdaptor");
| String[] outval = null;
| server.invoke(new ObjectName("jboss.system:type=Server"), "shutdown",
|       new Object[0], outval);
|
specifying an invalid name for the "AuthenticationInterceptor" class results in
an error message which indicates that the interceptor is actually loaded.
i already tried to define a new security domain exclusively used to protect the
jmx invoker. this security domain is, however, not bound to the jndi tree. i
suspect that for some reason the AuthenticationIndicator doesn't bind correctly
to the security domain specified in the configuration file. using a security
domain already in use by the web and jmx console doesn't help either even though
this security domain already protects the consoles.
i am running jboss as 4.0.3 sp1 on linux.
best regards
erich
[1] http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureTheInvokers
[2] http://www.oreilly.com/catalog/jbossadn/
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3920921#3920921
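
Added example, not part of the original post and not JBoss code: a static check, in Python, that the "invoke" operation of the jboss.jmx:type=adaptor,name=Invoker mbean carries an active (not commented-out) AuthenticationInterceptor and that its securityDomain names a defined login policy. It inspects configuration only and says nothing about what the running server enforces. The embedded XML is constructed sample data; the mbean/xmbean/operation layout around the post's snippet, a login-config.xml made of application-policy elements, and the function name audit_invoker are assumptions.

```python
import xml.etree.ElementTree as ET

AUTH = "org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
INVOKER = "jboss.jmx:type=adaptor,name=Invoker"
PREFIX = "java:/jaas/"

# Constructed samples; element layout beyond the post's snippet is an assumption.
SERVICE_XML = """<server>
 <mbean name="jboss.jmx:type=adaptor,name=Invoker">
  <xmbean>
   <operation>
    <name>invoke</name>
    <descriptors>
     <interceptors>
      <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
                   securityDomain="java:/jaas/jmx-console"/>
     </interceptors>
    </descriptors>
   </operation>
  </xmbean>
 </mbean>
</server>"""
LOGIN_CONFIG_XML = """<policy>
 <application-policy name="other"/>
 <application-policy name="jmx-console"/>
</policy>"""

def audit_invoker(service_xml, login_config_xml):
    """Return a list of findings; an empty list means the static checks passed."""
    policies = {p.get("name") for p in ET.fromstring(login_config_xml).iter("application-policy")}
    root = ET.fromstring(service_xml)  # the parser drops XML comments
    mbean = next((m for m in root.iter("mbean") if m.get("name") == INVOKER), None)
    if mbean is None:
        return ["invoker mbean not found"]
    op = next((o for o in mbean.iter("operation")
               if (o.findtext("name") or "").strip() == "invoke"), None)
    if op is None:
        return ["no 'invoke' operation declared"]
    auth = [i for i in op.iter("interceptor") if i.get("code") == AUTH]
    if not auth:
        return ["AuthenticationInterceptor missing or commented out on 'invoke'"]
    findings = []
    for i in auth:
        domain = i.get("securityDomain", "")
        if not domain.startswith(PREFIX) or domain[len(PREFIX):] not in policies:
            findings.append(f"securityDomain {domain!r} has no application-policy")
    return findings

if __name__ == "__main__":
    print(audit_invoker(SERVICE_XML, LOGIN_CONFIG_XML) or "static checks passed")
```
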
_______________________________________________
JBoss-user mailing list
https://lists.sourceforge.net/lists/listinfo/jboss-user