在JBoss 5.1.0.GA中保护JMXConnectorServerService(jmx-remoting.sar)

时间:2013-01-17 17:55:13

标签: security jboss jmx jboss5.x

我一直在努力了解如何保护JBoss 5.1.0.GA默认提供的JMXConnectorServerService。

目前,如果我将以下URL粘贴到JConsole中,我可以直接访问JMX而无需任何身份验证:service:jmx:rmi:/// jndi / rmi://:1290 / jmxconnector

然后我这样做是为了保护我的JMXInvoker,希望这样可以保护所有JMX访问:http://objectopia.com/2009/10/01/securing-jmx-invoker-layer-in-jboss/

但是,显然,这不适用于JMXConnectorServerService。我仍然可以通过jconsole使用上面的服务URL来访问JMX。

然后我发现了尚未适应的此功能请求:https://issues.jboss.org/browse/JBAS-8159

现在,我现在并不担心疯狂的安全措施。此URL不会暴露给外部网络。所以,我只是想看看使用“jmx-console”安全域保护jmx-remoting.sar的最简单方法是什么?

我可以切换到默认的MBean服务器,但显然,在5.1.0.GA中,这很痛苦:https://community.jboss.org/thread/153594

我真的很感激这方面的任何意见。

谢谢!

1 个答案:

答案 0 :(得分:3)

我认为服务没有得到保障,但有一个patch

对于一个稍微简单的版本,我在这里走了一段时间,因为我没有在AS 5上测试过这个,但是我将它向后传输到AS 4并且它工作正常。

我不确定你拥有哪个版本,但我们假设它是this one。 EAP版本的版本稍微复杂一些,但前提是相同的。您需要延长JMXConnectorServerServiceJMXConnectorServerServiceMBean

在此实现中,创建服务器的代码如下所示:

// create new connector server and start it
connectorServer = JMXConnectorServerFactory.newJMXConnectorServer(url, null, mbeanServer);

在您的扩展程序中,添加以下内容:

/** The name of the JAAS domain to use for authentication */
protected String jaasDomain = null; 
...
/**
   * Returns the name of the JAAS domain to use for authentication
   * @return the name of a JAAS Domain
   */
public String getJaasDomain() {
   return jaasDomain;
}

/**
  * Sets the name of the JAAS domain to use for authentication
  * @param jaasDomain the JAAS Domain to use for authentication
  */
public void setJaasDomain(String jaasDomain) {
   this.jaasDomain = jaasDomain;
}

现在您需要重新实现 start 方法,该方法会添加一个包含您要进行身份验证的JAAS域名的环境。

   public void start() throws Exception
   {
      // the address to expose in the urls
      String host = System.getProperty("java.rmi.server.hostname");

      // check to see if registry already created
      rmiRegistry = LocateRegistry.getRegistry(host, registryPort);
      if (rmiRegistry != null)
      {
         try
         {
            rmiRegistry.list();
         }
         catch(RemoteException e)
         {
            log.debug("No registry running at host '" + host +
                  "', port '" + registryPort + "'.  Will create one.");
            rmiRegistry = LocateRegistry.createRegistry(registryPort, null, new DefaultSocketFactory(bindAddress));
         }
      }
      else
      {
         rmiRegistry = LocateRegistry.createRegistry(registryPort, null, new DefaultSocketFactory(bindAddress));
      }

      String serviceURL = "service:jmx:rmi://" + host + "/jndi/rmi://" + host + ":" + registryPort + jndiPath;

      JMXServiceURL url = new JMXServiceURL(serviceURL);

      // create new connector server and start it
      // ==== NEW AUTH CODE HERE ====
      final Map<String, Object> environment = new HashMap<String, Object>();
      environment.put("jmx.remote.x.login.config", jaasDomain);
      connectorServer = JMXConnectorServerFactory.newJMXConnectorServer(url, environment, mbeanServer);
      // ==== NEW AUTH CODE ENDS ====
      connectorServer.start();

      log.info("JMX Connector server: " + serviceURL);
   }

您可以选择验证JAAS名称,如下所示:

/**
 * Validates the name of the passed JAAS domain. 
 * If the name is not valid, a RuntimeException will the thrown.
 * @param domain The name of the JAAS domain to validate.
 */
private void validateJaasDomain(String domain) {
    try {
        new LoginContext(domain);
    } catch (Exception e) {
        throw new RuntimeException("The JAAS Domain [" + domain + "] could not be loaded", e);
    }
}

将jaasDomain属性添加到新的MBean接口:

/**
 * Returns the name of the JAAS domain to use for authentication
 * @return the name of a JAAS Domain
 */
public String getJaasDomain();

/**
 * Sets the name of the JAAS domain to use for authentication
 * @param jaasDomain the JAAS Domain to use for authentication
 */
public void setJaasDomain(String jaasDomain);

假设你的新impl是 com.vijay.JMXConnectorServerService ,新的MBean是 com.vijay.JMXConnectorServerServiceMBean ;您的部署描述符将如下所示:(使用 jmx-console jaas域,因为您可能已经安全....)

<!-- ======================================================== -->
<!-- Example Vijay JMX Remoting Service Configuration file        -->
<!-- ======================================================== -->
<server>

   <mbean code="com.vijay.JMXConnectorServerService"
      name="jboss.remoting:service=JMXConnectorServer,protocol=rmi"
      display-name="JMX Connector Server (RMI)">
           <attribute name="BindAddress">
               <!-- Get the port from the ServiceBindingManager -->
               <value-factory bean="ServiceBindingManager" method="getStringBinding" 
                  parameter="jboss.remoting:service=JMXConnectorServer,protocol=rmi"/>
            </attribute>
            <!-- if comment this out, will use 1099 as default and will conflict -->
            <!-- with default JNP (JNDI) port. -->
            <attribute name="RegistryPort">
               <!-- Get the port from the ServiceBindingManager -->
               <value-factory bean="ServiceBindingManager" method="getIntBinding" 
                  parameter="jboss.remoting:service=JMXConnectorServer,protocol=rmi"/>
            </attribute>
            <!-- the path to which will be bound in rmi registry -->
            <!-- the commented value below is the default. -->
            <!-- <attribute name="JndiPath">/jmxconnector</attribute> -->
            <attribute name="JaasDomain">jmx-console</attribute>
   </mbean>
</server>

这就是我的全部。我希望它对你有用。

相关问题
最新问题