I am using jboss-5.0.1.GA and I want to restrict access to shutdown.sh.
In jmx-console-users.properties, I have
admin=<password>
In jmx-invoker-service.xml, I uncommented the interceptor
<descriptors>
<interceptors>
<!-- Uncomment to require authenticated users-->
<interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
securityDomain="java:/jaas/jmx-console"/>
<!-- Interceptor that deals with non-serializable results -->
<interceptor code="org.jboss.jmx.connector.invoker.SerializableInterceptor"
policyClass="StripModelMBeanInfoPolicy"/>
</interceptors>
</descriptors>
I tried the command
../jboss-5.0.1.GA/bin/shutdown.sh -u admin -p <password>
I get the following exception:
Exception in thread "main" java.lang.SecurityException: Failed to authenticate principal==admin, securityDomain=jmx-console
at org.jboss.jmx.connector.invoker.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:88)
at org.jboss.mx.server.Invocation.invoke(Invocation.java:90)
at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:668)
at org.jboss.invocation.jrmp.server.JRMPProxyFactory.invoke(JRMPProxyFactory.java:180)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:157)
at org.jboss.mx.server.Invocation.dispatch(Invocation.java:96)
at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:668) ......
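Am I missing something?
Answer 0 (score: 1)
I know this post is from a year and a half ago, but it came up as one of the first search results when I was looking into the same problem. For anyone who runs into this, it is caused by an incorrect init script shipped with JBoss 5. See the bugzilla link https://bugzilla.redhat.com/show_bug.cgi?id=777710, which contains the file EAP_43_jboss_init_redhat.sh; that file sends the process a SIGTERM signal instead of calling the JBoss shutdown command. Here is the init script for reference in case the bugzilla link is unavailable.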
#!/bin/sh
#
# $Id: jboss_init_redhat.sh 71029 2008-03-19 21:58:46Z dbhole $
#
# JBoss Control Script
#
# To use this script run it as root - it will switch to the specified user
#
# Here is a little (and extremely primitive) startup/shutdown script
# for RedHat systems. It assumes that JBoss lives in /usr/local/jboss,
# it's run by user 'jboss' and JDK binaries are in /usr/local/jdk/bin.
# All this can be changed in the script itself.
#
# Either modify this script for your requirements or just ensure that
# the following variables are set correctly before calling the script.
#define where jboss is - this is the directory containing directories log, bin, conf etc
JBOSS_HOME=${JBOSS_HOME:-"/usr/local/jboss"}
#define the user under which jboss will run, or use 'RUNASIS' to run as the current user
JBOSS_USER=${JBOSS_USER:-"jboss"}
#make sure java is in your path
JAVAPTH=${JAVAPTH:-"/usr/local/jdk/bin"}
#configuration to use, usually one of 'minimal', 'default', 'all', 'production'
JBOSS_CONF=${JBOSS_CONF:-"production"}
#if JBOSS_HOST specified, use -b to bind jboss services to that address
JBOSS_BIND_ADDR=${JBOSS_HOST:+"-b $JBOSS_HOST"}
#define the script to use to start jboss
JBOSSSH=${JBOSSSH:-"$JBOSS_HOME/bin/run.sh -c $JBOSS_CONF $JBOSS_BIND_ADDR"}
if [ "$JBOSS_USER" = "RUNASIS" ]; then
    SUBIT=""
else
    SUBIT="su - $JBOSS_USER -c "
fi
if [ -n "$JBOSS_CONSOLE" -a ! -d "$JBOSS_CONSOLE" ]; then
    # ensure the file exists
    touch $JBOSS_CONSOLE
    if [ ! -z "$SUBIT" ]; then
        chown $JBOSS_USER $JBOSS_CONSOLE
    fi
fi
if [ -n "$JBOSS_CONSOLE" -a ! -f "$JBOSS_CONSOLE" ]; then
    echo "WARNING: location for saving console log invalid: $JBOSS_CONSOLE"
    echo "WARNING: ignoring it and using /dev/null"
    JBOSS_CONSOLE="/dev/null"
fi
#define what will be done with the console log
JBOSS_CONSOLE=${JBOSS_CONSOLE:-"/dev/null"}
JBOSS_CMD_START="cd $JBOSS_HOME/bin; $JBOSSSH"
if [ -z "`echo $PATH | grep $JAVAPTH`" ]; then
    export PATH=$PATH:$JAVAPTH
fi
if [ ! -d "$JBOSS_HOME" ]; then
    echo JBOSS_HOME does not exist as a valid directory : $JBOSS_HOME
    exit 1
fi
echo JBOSS_CMD_START = $JBOSS_CMD_START
function procrunning() {
    procid=0
    JBOSSSCRIPT=$(echo $JBOSSSH | awk '{print $1}' | sed 's/\//\\\//g')
    for procid in `/sbin/pidof -x "$JBOSSSCRIPT"`; do
        ps -fp $procid | grep "${JBOSSSH% *}" > /dev/null && pid=$procid
    done
}
stop() {
    pid=0
    procrunning
    if [ $pid = '0' ]; then
        echo -n -e "\nNo JBossas is currently running\n"
        exit 1
    fi
    RETVAL=1
    # If process is still running
    # First, try to kill it nicely
    for id in `ps --ppid $pid | awk '{print $1}' | grep -v "^PID$"`; do
        if [ -z "$SUBIT" ]; then
            kill -15 $id
        else
            $SUBIT "kill -15 $id"
        fi
    done
    sleep=0
    while [ $sleep -lt 120 -a $RETVAL -eq 1 ]; do
        echo -n -e "\nwaiting for processes to stop";
        sleep 10
        sleep=`expr $sleep + 10`
        pid=0
        procrunning
        if [ $pid == '0' ]; then
            RETVAL=0
        fi
    done
    # Still not dead... kill it
    count=0
    pid=0
    procrunning
    if [ $RETVAL != 0 ] ; then
        echo -e "\nTimeout: Shutdown command was sent, but process is still running with PID $pid"
        exit 1
    fi
    echo
    exit 0
}
case "$1" in
    start)
        cd $JBOSS_HOME/bin
        if [ -z "$SUBIT" ]; then
            eval $JBOSS_CMD_START >${JBOSS_CONSOLE} 2>&1 &
        else
            $SUBIT "$JBOSS_CMD_START >${JBOSS_CONSOLE} 2>&1 &"
        fi
        ;;
    stop)
        stop
        ;;
    restart)
        $0 stop
        $0 start
        ;;
    *)
        echo "usage: $0 (start|stop|restart|help)"
esac
Answer 1 (score: 0)
I found the problem:
When the command is executed:
../jboss-5.0.1.GA/bin/shutdown.sh -u admin -p <password>
it looks at the "securityDomain" in jmx-invoker-service.xml, then goes to login-config.xml to find a match.
securityDomain="java:/jaas/jmx-console"/
The login-config.xml configuration looks like this:
<application-policy name="jmx-console">
<authentication>
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
flag="required">
<module-option name="usersProperties">props/jmx-console-users.properties</module-option>
<module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
<module-option name="hashAlgorithm">MD5</module-option>
<module-option name="hashEncoding">base64</module-option>
</login-module>
</authentication>
Then it goes to jmx-console-users.properties to find the defined username and password.
admin=fGoYCzaJagqMAnh+6vsOTA==
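The password in the properties file is encrypted with MD5 (the clear text is "password1").
The trick is that I have to use the clear text in the command,
like: ../jboss-5.0.1.GA/bin/shutdown.sh -u admin -p password1
But I had put this command in a script with the password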
../jboss-5.0.1.GA/bin/shutdown.sh -u admin -p fGoYCzaJagqMAnh+6vsOTA==
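Two more questions:
1. Is there a way to shut down using the encrypted password? I don't want a clear-text password in my script.
2. What are the options for encryption algorithms other than MD5? Is there any algorithm stronger than MD5?
Can anyone help?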
Answer 2 (score: 0)
From http://docs.oracle.com/javase/1.4.2/docs/guide/security/CryptoSpec.html#AppA
Message Digest Algorithms
The algorithm names in this section can be specified when generating an instance of MessageDigest.
MD2: The MD2 message digest algorithm as defined in RFC 1319.
MD5: The MD5 message digest algorithm as defined in RFC 1321.
SHA-1: The Secure Hash Algorithm, as defined in Secure Hash Standard,
NIST FIPS 180-1.
SHA-256, SHA-384, and SHA-512: New hash algorithms for which the draft Federal
Information Processing Standard 180-2, Secure Hash Standard (SHS) is now available.
SHA-256 is a 256-bit hash function intended to provide 128 bits of security against
collision attacks, while SHA-512 is a 512-bit hash function intended to provide 256
bits of security. A 384-bit hash may be obtained by truncating the SHA-512 output.
Answer 3 (score: 0)
echo -n [password] | openssl dgst -md5 -binary | openssl base64
Run the above script to get the password encrypted with md5. Put it in jmx-console-users.properties and stopServer.sh
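An added example, not part of any answer above and not JBoss code: a simplified Python model of the check that Answer 1 describes and of the value that the openssl pipeline in Answer 3 produces, assuming the login module always hashes the supplied credential with the configured hashAlgorithm and base64-encodes it before comparing it with the stored entry. The function names (load_users, hash_password, authenticate) are hypothetical; the users entry is constructed from the values on this page.

```python
import base64
import hashlib
import hmac

# Constructed sample mirroring the page's jmx-console-users.properties entry.
USERS_PROPERTIES = "admin=fGoYCzaJagqMAnh+6vsOTA==\n"


def load_users(text):
    """Parse user=value lines; split on the first '=' only, since base64 ends in '='."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition("=")
            users[name.strip()] = value.strip()
    return users


def hash_password(cleartext, algorithm="MD5"):
    """Digest then base64, as hashAlgorithm plus hashEncoding=base64 describe."""
    name = algorithm.replace("-", "").lower()  # "SHA-256" -> "sha256"
    digest = hashlib.new(name, cleartext.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def authenticate(users, user, supplied, algorithm="MD5"):
    """Assumed model: the supplied credential is hashed, then compared to the stored value."""
    stored = users.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(hash_password(supplied, algorithm), stored)


if __name__ == "__main__":
    users = load_users(USERS_PROPERTIES)
    # Clear text supplied on the command line: hashed once, matches the stored entry.
    print(authenticate(users, "admin", "password1"))
    # Stored hash supplied instead: it is hashed again, so the comparison fails.
    print(authenticate(users, "admin", "fGoYCzaJagqMAnh+6vsOTA=="))
    # Entry for a stronger digest; hashAlgorithm in login-config.xml must name it too.
    print("admin=" + hash_password("password1", "SHA-256"))
```

Under this model the stored value is an unsalted digest, so it only keeps the clear text out of the properties file; the client side still has to present the clear-text password.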