Announcement Announcement Module
Collapse
No announcement yet.
Spring JMX and OC4J/10g r3, Unauthorized access from application Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Spring JMX and OC4J/10g r3, Unauthorized access from application

    Anyone managed to use the mbean exporter in Spring to create MBeans in the OC4J MBeanServer?

    The same thing works no problem in JBoss.

    I'm getting the following.

    java.lang.SecurityException: Unauthorized access from application: ice-crem to MBean: java.lang:type=ClassLoading
    at oracle.oc4j.admin.jmx.shared.UserMBeanServer.check RegisterAccess(UserMBeanServer.java:873)
    at oracle.oc4j.admin.jmx.shared.UserMBeanServer.regis terMBean(UserMBeanServer.java:400)
    at oracle.oc4j.admin.jmx.server.state.LocalizationFil terMBeanServer.registerMBean(LocalizationFilterMBe anServer.java:341)
    at sun.management.ManagementFactory$1.run(ManagementF actory.java:240)
    at java.security.AccessController.doPrivileged(Native Method)

  • #2
    I got this exception using the "autodetect=true" property from MBeanExporter. There is still an issue, I don,t know if from Spring side or OC4J. I workarounded it using autodetect=false and explicitly defining my MBeans with
    Code:
     		<property name="beans">
    	      <map>
    	        <entry key=":name=theBeanName" value-ref="theBean"/>
    	      </map>
    	    </property>

    take look in this post

    Comment


    • #3
      Umm....nope. Still get error.

      Looks like yet another special "feature" in an Oracle product.

      I am pretty sure that I also don't want to define my own MBeanServer. I want to use JMX as the communication mechanism between components deployed into OC4J/10gR3.

      I'll give that a try anyway, i.e. deploying own MBeanServer.

      I'm also not specifying the VM startup params for JMX, i.e. where the JDK starts an MBeanServer since I figure that I want to communicate with the one started by OC4J/10gR3.

      Anyone?

      Comment


      • #4
        reference the oc4j MBeanServer

        You can also try adding a default domain to your "application" MBeans

        <bean id="MBeanServer"
        class="org.springframework.jmx.support.MBeanServer FactoryBean">
        <property name="defaultDomain" value="PetClinic"/>
        </bean>

        JIM

        Comment


        • #5
          Did you ever get something working in 10gAS R3? If so could you a post a summary of the solution here?

          I'm trying to do the same thing. My JMX beans work fine under JBoss, but under 10gAS R3 I get:

          oracle.oc4j.admin.internal.DeployerException: org.springframework.beans.factory.BeanCreationExce ption: Error creating bean with name 'exporter' defined in ServletContext resource [/WEB-INF/applicationContext.xml]: Initialization of bean failed; nested exception is org.springframework.jmx.MBeanServerNotFoundExcepti on: Unable to locate an MBeanServer instance
          07/02/21 10:56:39 at oracle.oc4j.admin.internal.WebApplicationBinder.bi ndWebApp(WebApplicationBinder.java:214)
          07/02/21 10:56:39 at oracle.oc4j.admin.internal.WebApplicationBinder.bi ndWebApp(WebApplicationBinder.java:96)
          07/02/21 10:56:39 at oracle.oc4j.admin.internal.ApplicationDeployer.bin dWebApp(ApplicationDeployer.java:541)
          07/02/21 10:56:39 at oracle.oc4j.admin.internal.ApplicationDeployer.doD eploy(ApplicationDeployer.java:197)
          07/02/21 10:56:39 at oracle.oc4j.admin.internal.DeployerBase.execute(De ployerBase.java:93)
          07/02/21 10:56:39 at oracle.oc4j.admin.jmx.server.mbeans.deploy.OC4JDep loyerRunnable.doRun(OC4JDeployerRunnable.java:52)
          07/02/21 10:56:39 at oracle.oc4j.admin.jmx.server.mbeans.deploy.Deploye rRunnable.run(DeployerRunnable.java:81)
          07/02/21 10:56:39 at EDU.oswego.cs.dl.util.concurrent.PooledExecutor$Wo rker.run(PooledExecutor.java:819)
          07/02/21 10:56:39 at java.lang.Thread.run(Thread.java:595)

          Looking at the Oracle AS documentation, applications have to call MBeanServerFactory.newBeanServer() with no specified domain. The applications can only use the default domain of this server instance to register beans, otherwise it throws a Security Exception. This domain is the application's "namespace", entered when deploying a .war/.ear file using the 10gAS Enterprise Manager deployment screens.

          Comment


          • #6
            I've solved this myself, so I'll post the solution here that might be of interest to others. Another issue I had is that I need one application context configuration to work under both JBoss and 10gAS.

            Using the MBeanServerFactoryBean with locateExistingServerIfPossible set to true solves the MBeanServer instantiation issue (but still works on JBoss).

            To get around the domain security problem, register beans with no domain (it will then use the default domain). For example, I have defined "jmx.domain" in an external property file. For JBoss, this needs to be set to something descriptive and unique. For 10gAS, this setting needs to be blank.

            My application context looks like:

            Code:
            <bean id="mbeanserver" class="org.springframework.jmx.support.MBeanServerFactoryBean">
              <property name="locateExistingServerIfPossible" value="true"/>
            </bean>
             
            <bean id="exporter" class="org.springframework.jmx.export.MBeanExporter" lazy-init="false">
              <property name="server" ref="mbeanserver"/>
              <property name="beans">
                <map>
                  <entry key="${jmx.domain}:name=Monitoring" value-ref="monitoring"/>
                  <entry key="${jmx.domain}:name=Caching" value-ref="caching"/>
                  <entry key="${jmx.domain}:name=Configuration" value-ref="configuration"/>
                </map>
              </property>
            </bean>
            I can confirm this works under JBoss 4.0.4 and Oracle 10g R3 AS (10.1.3.0.0)

            Comment


            • #7
              By the way, my solution listed in my last post works in Spring 1.2.5, but not in Spring 2.0.2. The issue is that Spring 2.x falls back to attempting to use the Java SE 5 Platform MBeanServer, before deciding to create a new MBeanServer. This throws a security exception.

              Comment


              • #8
                Uh!

                This is bad - JMX is on my task list in the next week - and guess what "favorite" AppServer we are using: OC4J ...


                Any news on this?

                Comment


                • #9
                  Originally posted by ArtMotion View Post
                  This is bad - JMX is on my task list in the next week - and guess what "favorite" AppServer we are using: OC4J ...


                  Any news on this?
                  I reported the Spring 2.0.2 issue as a fault (SPR-3226) which Juergen very promptly fixed in Spring 2.0.3.

                  Another "gotcha" I found - in 10gAS the default MBean domain applies to an entire application (.ear file) not per .war/.jar (inside a single .ear file). So if you have MBeans with the same name you will need to add a suffix to make the name unique

                  Comment


                  • #10
                    Are you using the magic command...

                    -Doc4j.jmx.security.proxy.off=true

                    as a VM argument.

                    Comment


                    • #11
                      Originally posted by gmatthews View Post
                      Are you using the magic command...

                      -Doc4j.jmx.security.proxy.off=true

                      as a VM argument.

                      I had similar problem and this command was the solution. Tnks

                      Comment


                      • #12
                        What's the alternative to using the command line? thanks. Is there something that needs to be done on the deployment descriptor or security settings?

                        Comment


                        • #13
                          Just guessing, but since it's just a -D param, you could possibly also set it programmatically, e.g. System.getProperties().put("oc4j.jmx.security.prox y.off", "true");

                          however haven't tried that, and not sure if it would work -- depends on how early in the startup process you manage to programmatically set it.

                          Comment


                          • #14
                            I tried something like that via OC4J enterprise manager, but I think it's too late at that point.

                            I want to avoid disabling that security feature if possible, but not sure how to configure spring to login to the JMX Bean server.
                            Last edited by bchi49; Jun 11th, 2009, 08:20 PM.

                            Comment

                            Working...
                            X