I'm using JConsole to access an MBean that is running.
The MBean uses a custom Jaas login module and is run with the following command:
java -classpath UserLGUGroupHandlingApplication.jar;MBeanSecure.jar -com.sun.management.jmxremote.login.config=management.properties -Djava.security.auth.login.config=./sample_jaas.config com.test.running.RunningImplementation
With the management.properties file looking like this:
com.sun.management.jmxremote.access.file=jmxremote.access
com.sun.management.jmxremote=true
com.sun.management.jmxremote.authenticate=true
com.sun.management.jmxremote.port=1234
com.sun.management.jmxremote.login.config=Sample
com.sun.management.jmxremote.ssl=false
com.sun.management.jmxremote.ssl.need.client.auth=false
and the sample_jaas.config:
Sample {
    test.module.AETTLoginModule required debug=true;
};
and then a user will access this running process by logging in through JConsole from the command line.
jconsole -debug //or just jconsole
The user selects 'connect remotely', with RemoteProcess 'localhost:1234'
The loginmodule handles the user validation and setting of principals based on the user currently logged in to Windows, which is used to query separate authorization logic to determine the access level.
What I want to happen:
The Issue:
To access the jmx process in the jconsole window I must enter a dummy username and password, e.g. U:a, P:a, otherwise I get the following error:
java.lang.SecurityException: Authentication failed! Credentials required
    at com.sun.jmx.remote.security.JMXPluggableAuthenticator.authenticationFailure(JMXPluggableAuthenticator.java:193)
    at com.sun.jmx.remote.security.JMXPluggableAuthenticator.authenticate(JMXPluggableAuthenticator.java:145)
    at sun.management.jmxremote.ConnectorBootstrap$AccessFileCheckerAuthenticator.authenticate(ConnectorBootstrap.java:201)
    at javax.management.remote.rmi.RMIServerImpl.doNewClient(RMIServerImpl.java:213)
    at javax.management.remote.rmi.RMIServerImpl.newClient(RMIServerImpl.java:180)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:303)
    at sun.rmi.transport.Transport$1.run(Transport.java:159)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.rmi.transport.Transport.serviceCall(Transport.java:155)
    at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:535)
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:790)
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:649)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
    at java.lang.Thread.run(Thread.java:662)
    at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(StreamRemoteCall.java:255)
    at sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:233)
    at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:142)
    at javax.management.remote.rmi.RMIServerImpl_Stub.newClient(Unknown Source)
    at javax.management.remote.rmi.RMIConnector.getConnection(RMIConnector.java:2327)
    at javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:277)
    at javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:225)
    at sun.tools.jconsole.ProxyClient.tryConnect(ProxyClient.java:334)
    at sun.tools.jconsole.ProxyClient.connect(ProxyClient.java:296)
    at sun.tools.jconsole.VMPanel$2.run(VMPanel.java:280)
Question
For the Jaas login module to run I need the following set:
-Dcom.sun.management.jmxremote.authenticate=true
But this also creates a condition in JConsole where the username and password fields must be open in the field.
If this is set to false, the loginmodule is never called.
Is it possible to either extend the JConsole functionality for a particular instance, apply a config setting, or enable a JAAS login module without needing to set:
-Dcom.sun.management.jmxremote.authenticate=true
In order to prevent the necessity of entering a username and password in the following fields highlighted below:
I'm looking for a solution similar to the one demonstrated here. But without the need for the user to enter the username or password fields.
EDIT: Also, to clarify, this would need to be done without modifying the client-side JConsole, so purely by using server-side changes and settings.
In the Connect to Agent tab of JConsole, enter user name, password, host name and port (8686, by default). The user name refers to the admin user name and password refers to the admin password of the domain.
The jmxremote.access file defines the allowed access for different roles and the jmxremote.password file defines the roles and their passwords. To be functional, a role must have an entry in both the password and the access files.
By default, JMX is only locally accessible and secure: It can be accessed through Unix sockets. This means you need to have access to the machine and run JMX tools with the same user as your application. It's usually enough for development but not for production.
Go through this link. See case 3 especially, it may help you.
***** more updates after more clarification on question asked*****************
What you are basically trying to achieve is to bypass (JAAS-provided) security for a particular client connection, which is JConsole in your case. I would suggest either:
1) Have two ports for the JMX server, secure and non-secure, and use the non-secure port for JConsole, or
2) In case you are writing your own custom JAAS module, try to code it to skip the connection for a particular client in the login() method. I am not sure if this is feasible, because how will you know the context of the requesting client...
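Added example, not part of the original question or answers: the stack trace shows `JMXPluggableAuthenticator.authenticate` rejecting the connection ("Credentials required") before any login module runs, so one server-side way to reach the module without credentials is to start the connector programmatically with your own `JMXAuthenticator` instead of the `com.sun.management.jmxremote.*` agent properties. The class name `JaasJmxAgent` is hypothetical, and the sketch assumes the `Sample` login module needs no callbacks and that the access file lists the principal names the module produces.

```java
import java.lang.management.ManagementFactory;
import java.rmi.registry.LocateRegistry;
import java.util.HashMap;
import java.util.Map;
import javax.management.remote.*;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class JaasJmxAgent {   // hypothetical class name

    /** Runs the JAAS entry "Sample" for every connection, even when credentials are null. */
    static final JMXAuthenticator JAAS_AUTH = credentials -> {
        try {
            // No CallbackHandler is supplied: the module is assumed to derive
            // the identity itself (e.g. from the OS user), not from a prompt.
            LoginContext lc = new LoginContext("Sample");
            lc.login();
            Subject subject = lc.getSubject();
            if (subject.getPrincipals().isEmpty()) {
                throw new SecurityException("Login module assigned no principal");
            }
            subject.setReadOnly();   // principals must not change after login
            return subject;
        } catch (LoginException e) {
            throw new SecurityException("JAAS login failed", e);
        }
    };

    public static void main(String[] args) throws Exception {
        // Replaces the built-in agent: do not also set
        // com.sun.management.jmxremote.port for this JVM.
        LocateRegistry.createRegistry(1234);

        Map<String, Object> env = new HashMap<>();
        env.put(JMXConnectorServer.AUTHENTICATOR, JAAS_AUTH);
        // Authorization still comes from the access file, matched on principal names.
        env.put("jmx.remote.x.access.file", "jmxremote.access");

        JMXServiceURL url = new JMXServiceURL(
                "service:jmx:rmi:///jndi/rmi://localhost:1234/jmxrmi");
        JMXConnectorServer server = JMXConnectorServerFactory.newJMXConnectorServer(
                url, env, ManagementFactory.getPlatformMBeanServer());
        server.start();
        Thread.sleep(Long.MAX_VALUE);   // keep the agent alive for this demo
    }
}
```

The authenticator receives nothing that identifies the caller, so every client able to reach port 1234 gets the principals the module assigns on the server side. Keep the port reachable only from hosts and accounts that are meant to have that access level, and keep the access file at the minimum role needed.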