
  • JMX Authentication with Spring Security (3.1.x)

    Hi,

    I have a JMX server configured without Spring and am trying to implement Spring Security for the Authorization part.
    (See here, https://blogs.oracle.com/lmalventosa..._authorization
    Use Case 4, without the Authorization part)

    I would like now to implement the Authorization part using Spring Security.

    In my JMX authenticator, I do:

    Code:
    final List<GrantedAuthority> roles = new ArrayList<GrantedAuthority>();
    roles.add(new SimpleGrantedAuthority("ROLE_ADMIN"));
    final Authentication auth = new UsernamePasswordAuthenticationToken(credentialsArr[0], credentialsArr[1], roles);
    SecurityContextHolder.getContext().setAuthentication(auth);

    And in the MBeans I try to fetch it and see that it has been passed correctly (in the future I plan to add Spring Annotations to check for roles, for method invocation).

    Code:
    final Authentication springAuth = SecurityContextHolder.getContext().getAuthentication();

    The problem is, that in the standard connection flow:

    Code:
    JMXServiceURL url = ...;
    Map env = ...;
    String[] creds = {"monitorRole", "mrpasswd", "FileRealm"};
    env.put(JMXConnector.CREDENTIALS, creds);
    JMXConnector cc = JMXConnectorFactory.connect(url, env);
    MBeanServerConnection mbsc = cc.getMBeanServerConnection();

    I get a JMX connector, then connect to the MBean server and invoke a method - it works.
    I get through the authenticator, set the Spring Context and get it in the MBean.

    But when I connect using JConsole, for example, I don't get the Spring Context in the MBean.

    I am using the Inheritable Thread strategy.

    1. Is there a way to get the context also in the MBean, when connecting using the JConsole and other connectors?
    2. If I implement JMX using Spring, will it help me to solve the problem?
    3. Is my main flow foolproof (is there a chance I will not get the Context in the MBean)? I am asking this, since this flow is critical to me, to be foolproof.


    Thanks a lot!

  • #2
    Guys, would be happy to get an answer, if someone knows.


    Thanks!



    • #3
      check my solution http://forum.springsource.org/showth...ver-(JConsole)



      • #4
        Originally posted by wims.tijd
        Thanks a lot!
        I have actually seen this solution, but I was wondering if there is another way (something that isn't a workaround to make Spring work).

        I have a question, though, regarding this solution:
        Why do you keep a registry? Why don't you use the Authentication object you pass in the Subject?


        Thanks a lot again!



        • #5
          May I also add an additional question:
          How do you define a pointcut on the MBeanServer invoke method that actually works?
          The code you suggested doesn't work with pure Spring AOP, unfortunately.

          Thanks!



          • #6
            @northernpole

            I kept a registry to hold on to the authenticated Authentication for subsequent calls.
            This was a quick way; there can be other logic, of course.

            For the AOP advice: have you defined this?

            Code:
            <context:mbean-server id="jmx.server"/>



            • #7
              Thanks a lot for this solution @wims.tijd. It works well.
              However, is there a way other than using AspectJ for authorization?

              Thanks again.
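
One AspectJ-free approach to what #4 and #7 ask about, as an added example that is not code from any poster in this thread: an MBeanServerForwarder proxy that copies the Authentication out of the JMX Subject into SecurityContextHolder for each remote call and clears it afterwards. It assumes the JMXAuthenticator returns a Subject whose principals include the Spring Authentication (which implements java.security.Principal), a JDK on which Subject.getSubject(AccessController.getContext()) is supported, and the hypothetical class name SpringContextForwarder.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.security.AccessController;
import java.util.Set;
import javax.management.MBeanServer;
import javax.management.remote.MBeanServerForwarder;
import javax.security.auth.Subject;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

// Added example; SpringContextForwarder is a hypothetical name, not from the thread.
// Wire it with JMXConnectorServer.setMBeanServerForwarder(SpringContextForwarder.newProxy()).
public final class SpringContextForwarder implements InvocationHandler {
    private volatile MBeanServer target;

    public static MBeanServerForwarder newProxy() {
        return (MBeanServerForwarder) Proxy.newProxyInstance(
                MBeanServerForwarder.class.getClassLoader(),
                new Class<?>[] { MBeanServerForwarder.class },
                new SpringContextForwarder());
    }

    @Override
    public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
        if ("getMBeanServer".equals(method.getName())) return target;
        if ("setMBeanServer".equals(method.getName())) { target = (MBeanServer) args[0]; return null; }

        // Remote requests run under the Subject returned by JMXAuthenticator.authenticate(),
        // whichever connector thread serves them. Assumption: its principals hold the Authentication.
        Subject subject = Subject.getSubject(AccessController.getContext());
        Set<Authentication> found = (subject == null) ? null : subject.getPrincipals(Authentication.class);
        Authentication auth = (found == null || found.isEmpty()) ? null : found.iterator().next();

        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(auth); // stays null (unauthenticated) if none was found
        SecurityContextHolder.setContext(context);
        try {
            return method.invoke(target, args);
        } catch (InvocationTargetException e) {
            throw e.getCause(); // surface the MBeanServer's own exception to the client
        } finally {
            SecurityContextHolder.clearContext(); // nothing leaks to the next request on this thread
        }
    }
}
```

Because the context is rebuilt from the Subject on every request, a call that arrives without an Authentication runs with an empty SecurityContext, so role checks on the MBean methods reject it rather than inheriting whatever a previous request left on the thread.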
