I'm investigating securing a JMX server using Shiro. Actually, as usual, it's a bit more complicated than that; we're using jolokia (essentially a JMX protocol adaptor framework for rest/http) to provide a standardized rest/http interface to a JMX server. We're supporting both remote access mechanisms - jmx/rmi and rest/http. I want to use Shiro to secure both of these interfaces.
I've found some interesting resources along the way for authentication. For instance, this stackoverflow article [http://stackoverflow.com/questions/5736077/how-can-i-delegate-jaas-authorization-checks-to-shiro] provides two mechanisms for tying Shiro into the JAAS framework required/expected by JMX agents: implementing a JMXAuthenticator and implementing a JAAS LoginModule. In either case, the typical way the Shiro authentication context is attached to the JAAS authentication context is to store the Shiro context in the private credentials of the JAAS context. These private credentials are then available to MBean Connection Servers via the global JAAS security context. When a connection is established with a remote manager, the connection context contains the authenticated JAAS security context. By using an MBeanServerForwarder, I'm able to perform Shiro authorization checks based on the privately stored Shiro-authenticated identity.

All that said, however, I'm wondering if anyone has considered a tighter integration between Shiro and the JMX native authorization model (Java Platform Security). It would be nice if there were a way to configure platform security as a mapping between Shiro permissions and the JPS permissions consumed natively by JMX. I'd like to be able to forego the forwarder and just let JPS permissions be checked automatically by JMX, but have those checks be somehow mapped to Shiro permissions under the covers.

Thoughts?

Thanks in advance,
John

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Java-Platform-Security-and-Shiro-Authorization-tp7580159.html
Sent from the Shiro User mailing list archive at Nabble.com.
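The two pieces the post describes, a JMXAuthenticator that stores the authenticated Shiro Subject in the JAAS Subject's private credentials and an MBeanServerForwarder that pulls it back out to run Shiro permission checks, as an added Java example; this is not code from the post, from Shiro or from Jolokia. The class name ShiroJmxGlue and the permission scheme `jmx:<operation>:<domain>` are assumptions made here; everything else is standard JMX, JAAS and Shiro API.

```java
import java.lang.reflect.*;
import java.security.AccessController;
import java.util.Collections;
import javax.management.MBeanServer;
import javax.management.ObjectName;
import javax.management.remote.*;
import javax.security.auth.Subject;
import org.apache.shiro.authc.*;

public final class ShiroJmxGlue {

    // Authentication side: log in with Shiro, then carry the Shiro Subject inside the JAAS Subject.
    public static JMXAuthenticator authenticator() {
        return credentials -> {
            String[] up = (String[]) credentials;                       // the connector passes {user, password}
            org.apache.shiro.subject.Subject shiro = new org.apache.shiro.subject.Subject.Builder().buildSubject();
            try { shiro.login(new UsernamePasswordToken(up[0], up[1])); }
            catch (AuthenticationException e) { throw new SecurityException("login failed for " + up[0], e); }
            return new Subject(true, Collections.singleton(new JMXPrincipal(up[0])),
                    Collections.emptySet(), Collections.singleton(shiro));
        };
    }

    // Authorization side: recover the Shiro Subject from the JAAS Subject the connector bound via Subject.doAs.
    static void checkPermitted(String permission) {
        Subject jaas = Subject.getSubject(AccessController.getContext());
        org.apache.shiro.subject.Subject shiro = jaas == null ? null
                : jaas.getPrivateCredentials(org.apache.shiro.subject.Subject.class).stream().findFirst().orElse(null);
        if (shiro == null || !shiro.isPermitted(permission)) throw new SecurityException("Shiro denied " + permission);
    }

    // MBeanServerForwarder as a dynamic proxy, so the ~40 MBeanServer methods need not be written out by hand.
    public static MBeanServerForwarder forwarder() {
        MBeanServer[] target = new MBeanServer[1];
        InvocationHandler h = (proxy, method, args) -> {
            switch (method.getName()) {
                case "getMBeanServer": return target[0];
                case "setMBeanServer": target[0] = (MBeanServer) args[0]; return null;
                case "invoke": case "setAttribute": case "setAttributes": case "createMBean": case "unregisterMBean":
                    // Assumed permission scheme jmx:<operation>:<domain>. Only the ObjectName's domain is used
                    // because ':' and ',' in a full ObjectName would be read as separators by WildcardPermission.
                    checkPermitted("jmx:" + method.getName() + ":" + ((ObjectName) args[0]).getDomain());
            }
            try { return method.invoke(target[0], args); }              // read-only calls reach here unchecked
            catch (InvocationTargetException e) { throw e.getCause(); } // rethrow the MBeanServer's own exception
        };
        return (MBeanServerForwarder) Proxy.newProxyInstance(
                ShiroJmxGlue.class.getClassLoader(), new Class<?>[] {MBeanServerForwarder.class}, h);
    }
}
```

Install it by putting `authenticator()` in the connector environment under `JMXConnectorServer.AUTHENTICATOR` and calling `setMBeanServerForwarder(forwarder())` on the JMXConnectorServer; the forwarder denies by throwing SecurityException, which the connector relays to the remote client.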
