
  • enable authentication with ConnectorServerFactoryBean

    I need to use ConnectorServerFactoryBean to create the mbeanserver because I need to access jmx behind a firewall, and cannot have the random port thing going.

    I set that up with this:
    <bean id="mbeanServer" class="org.springframework.jmx.support.MBeanServerFactoryBean">
      <!-- indicate to first look for a server -->
      <property name="locateExistingServerIfPossible" value="true"/>
    </bean>

    <bean id="serverConnector"
          class="org.springframework.jmx.support.ConnectorServerFactoryBean" destroy-method="destroy">
      <property name="objectName" value="connector:name=rmi"/>
      <property name="serviceUrl"
                value="service:jmx:rmi://localhost:8100/jndi/rmi://localhost:8335/server"/>
      <property name="server" ref="mbeanServer"/>
    </bean>

    Is there a way that I can enable authentication for this set up? I took a look at acegi and didn't see how I would integrate that. Can I set properties on the ConnectorServerFactoryBean which will enable authentication?

    Any ideas would be much appreciated.

    Thanks,
    Craig

  • #2
    Yes you can - just use the normal/standard way which is specifying some properties on the ConnectorFactoryBean:

    <!-- create the server connector -->
    <bean id="serverConnector" ...
    <property name="environment">
    <props>
    <prop key="java.naming.security.principal">someUser</prop>
    <prop key="java.naming.security.credentials">somePassword</prop>
    </props>
    </property>
    </bean>
    And btw, you don't have to specify the destroy method - the FactoryBean implements the DisposableBean interface so the method is called automatically by the container.



    • #3
      I tried what you said specifying those environment variables, but was able to connect with jconsole without specifying credentials.

      Here is the command I used to connect via jconsole:
      jconsole service:jmx:rmi://localhost:8100/jndi/rmi://localhost:8335/server

      Here are what I believe are interesting parts of my set up.

      Any help is much appreciated.

      craig

      <bean id="registry" class="org.springframework.remoting.rmi.RmiRegistryFactoryBean">
      <property name="port" value="8335"/>
      </bean>

      <bean id="mbeanServer" class="org.springframework.jmx.support.MBeanServerFactoryBean">
      <property name="locateExistingServerIfPossible" value="true"/>
      </bean>

      <bean id="serverConnector"
      class="org.springframework.jmx.support.ConnectorServerFactoryBean" >
      <property name="objectName" value="connector:name=rmi"/>
      <property name="server" ref="mbeanServer"/>
      <property name="serviceUrl" value="service:jmx:rmi://localhost:8100/jndi/rmi://localhost:8335/server" />
      <property name="environment">
      <props>
      <prop key="java.naming.security.principal">user</prop>
      <prop key="java.naming.security.credentials">pass</prop>
      </props>
      </property>
      </bean>



      • #4
        My bad, those variables are used when connecting to the server from a client (not when creating a server connector). To enable security for the JDK implementation, take a look at the samples provided with the JDK - the parameters you're interested in are:
        Code:
        -Dcom.sun.management.jmxremote.ssl=true
        -Dcom.sun.management.jmxremote.authenticate=true
        JAAS is used by default and the examples are good in showing how to set up everything.



        • #5
          I don't think it works that way. The wrinkle is I have to set up the server connector within Spring, because I need to hard code the port the rmi server uses. Otherwise it picks random ports, and that is a problem when outside a firewall.

          I need to do this, and then can open those two ports on the firewall.
          <property name="serviceUrl" value="service:jmx:rmi://localhost:8100/jndi/rmi://localhost:8335/server" />

          I believe the system properties are only used when the jre sets up the mbean server. If I set up the serverconnector within spring they are ignored. All I need to do is specify that service url within jconsole, and it connects - whether I have the authentication flag system property set or not.

          How have others solved this? Seems like a normal use case, needing to access a tomcat instance from behind a firewall with authentication.

          Should I be looking at tunneling via ssh instead of the holes in the firewall...and let ssh worry about authentication? Should I be using another transport other than RMI? Can acegi get in the mix here? Does mc4j handle this any better?

          Lots of questions, any suggestions would be much appreciated.

          craig



          • #6
            server connector

            This is my server connector config (took me a while to find it):

            Code:
            	<bean id="serverConnector"
            		class="org.springframework.jmx.support.ConnectorServerFactoryBean"
            		depends-on="registry">
            		<!-- property name="objectName" value="connector:name=rmi" / -->
            		<property name="serviceUrl"
            			value="service:jmx:rmi://localhost/jndi/rmi://localhost:1099/myconnector" />
            		<property name="environment">
            		<!-- the following is only valid when the sun jmx implementation is used -->
            			<map>
            				<entry key="jmx.remote.x.password.file" value="etc/security/jmxremote.password"/>
            				<entry key="jmx.remote.x.access.file" value="etc/security/jmxremote.access"/>
            			</map>
            		</property>
            	</bean>
            The passwd and access file follow the templates that can be found in the C:\jdk1.5.0_03\jre\lib\management folder.

            hope this helps



            • #7
              that did the trick. thanks a lot for the help, spent a lot of time trying to figure that out, and ended up disabling jmx until you pointed me on correct path.
