 

Bypassing JConsole requirement for username/password - when using a Jaas custom login module with JMX to handle authorization and authentication


I'm using JConsole to access an MBean that is running.

The MBean uses a custom Jaas login module and is run with the following command:

java -classpath UserLGUGroupHandlingApplication.jar;MBeanSecure.jar  -com.sun.management.jmxremote.login.config=management.properties  -Djava.security.auth.login.config=./sample_jaas.config  com.test.running.RunningImplementation 

With the management.properties file looking like this:

com.sun.management.jmxremote.access.file=jmxremote.access
com.sun.management.jmxremote=true
com.sun.management.jmxremote.authenticate=true
com.sun.management.jmxremote.port=1234
com.sun.management.jmxremote.login.config=Sample
com.sun.management.jmxremote.ssl=false
com.sun.management.jmxremote.ssl.need.client.auth=false

and the sample_jaas.config:

Sample {
    test.module.AETTLoginModule required debug=true;
};

and then a user will access this running process by logging in through JConsole from the command line.

jconsole -debug //or just jconsole 

The user selects 'connect remotely', with RemoteProcess 'localhost:1234'

The loginmodule handles the user validation and setting of principals based on the user currently logged in to Windows, which is used to query separate authorization logic to determine the access level.

What I want to happen:

  1. User enters jconsole into cmd
  2. The jconsole window opens.
  3. User enters address of process e.g. "localhost:1234"
  4. User does not enter username or password (since this is not required as the authorization is handled by a custom jaas login module).
  5. Module determines whether the user has readwrite, readonly or no access.
  6. Jconsole window for process opens, or the login fails.

The Issue:

To access the jmx process in the jconsole window I must enter a dummy username and password, e.g. U:a, P:a, otherwise I get the following error:

java.lang.SecurityException: Authentication failed! Credentials required
    at com.sun.jmx.remote.security.JMXPluggableAuthenticator.authenticationFailure(JMXPluggableAuthenticator.java:193)
    at com.sun.jmx.remote.security.JMXPluggableAuthenticator.authenticate(JMXPluggableAuthenticator.java:145)
    at sun.management.jmxremote.ConnectorBootstrap$AccessFileCheckerAuthenticator.authenticate(ConnectorBootstrap.java:201)
    at javax.management.remote.rmi.RMIServerImpl.doNewClient(RMIServerImpl.java:213)
    at javax.management.remote.rmi.RMIServerImpl.newClient(RMIServerImpl.java:180)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:303)
    at sun.rmi.transport.Transport$1.run(Transport.java:159)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.rmi.transport.Transport.serviceCall(Transport.java:155)
    at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:535)
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:790)
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:649)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
    at java.lang.Thread.run(Thread.java:662)
    at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(StreamRemoteCall.java:255)
    at sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:233)
    at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:142)
    at javax.management.remote.rmi.RMIServerImpl_Stub.newClient(Unknown Source)
    at javax.management.remote.rmi.RMIConnector.getConnection(RMIConnector.java:2327)
    at javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:277)
    at javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:225)
    at sun.tools.jconsole.ProxyClient.tryConnect(ProxyClient.java:334)
    at sun.tools.jconsole.ProxyClient.connect(ProxyClient.java:296)
    at sun.tools.jconsole.VMPanel$2.run(VMPanel.java:280)

Question

For the Jaas login module to run I need the following set:

-Dcom.sun.management.jmxremote.authenticate=true 

But, this also creates a condition in JConsole where the username and password fields must be open in the field.

If this is set to false, the loginmodule is never called.

Is it possible to either extend the Jconsole functionality for a particular instance, apply a config setting, or enable a jaas login module without needing to set:

-Dcom.sun.management.jmxremote.authenticate=true 

In order to prevent the necessity of entering a username and password in the following fields highlighted below:


I'm looking for a solution similar to the one demonstrated here. But without the need for the user to enter the username or password fields.

EDIT: Also, to clarify, this would need to be done without modifying the client side JCONSOLE, so by purely using server side changes and settings.

Loco234 asked May 19 '15 14:05



1 Answer

Go through this link. See case 3 especially, it may help you.

More updates after more clarification on the question asked:

What you are basically trying to achieve is to bypass (JAAS-provided) security for a particular client connection, which is JCONSOLE in your case. I would suggest either:

  1. Have two ports for the JMX server, secure and non-secure, and use the non-secure port for JCONSOLE; or
  2. In case you are writing your own custom JAAS module, try to code it to skip the connection for a particular client in the login() method. I am not sure if this is feasible, because how will you know the context of the requesting client?

ag112 answered Oct 18 '22 16:10