Java Dynamic Management Kit 5.1 Tutorial

11.3.1 RMI Connector With Fine-Grained Security

You can find an example of an RMI connector with fine-grained security in the directory examplesDir/current/Security/rmi/fine_grained.

The Server class used in this example is very similar to the one used in the RMI connector example with simple security. The only difference is that there is no access.properties file to map into the environment map in the fine-grained example. This was omitted so as not to make the example overly complicated. All the other classes and files used in this example are the same as those used in 11.1.1 RMI Connectors With Simple Security, with the exception of the java.policy file, which is shown below.


Example 11–7 A java.policy File for an RMI Connector With Fine-Grained Security

grant codeBase "file:installDir/lib/jmx.jar" {
    permission java.security.AllPermission;
};

grant codeBase "file:installDir/lib/jmxremote.jar" {
    permission java.security.AllPermission;
};

grant codeBase "file:server" {
    permission java.security.AllPermission;
};

grant codeBase "file:mbeans" {
    permission javax.management.MBeanTrustPermission "register";
};

grant principal javax.management.remote.JMXPrincipal "username" {
    permission javax.management.MBeanPermission "*", "getDomains";
    permission javax.management.MBeanPermission 
             "SimpleStandard#-[-]",  "instantiate";
    permission javax.management.MBeanPermission 
             "SimpleStandard#-[MBeans:type=SimpleStandard]", 
             "registerMBean";
    permission javax.management.MBeanPermission 
             "SimpleStandard#State[MBeans:type=SimpleStandard]", 
             "getAttribute";
    permission javax.management.MBeanPermission 
             "SimpleStandard#State[MBeans:type=SimpleStandard]", 
             "setAttribute";
    permission javax.management.MBeanPermission 
             "SimpleStandard#-[MBeans:type=SimpleStandard]", 
             "addNotificationListener";
    permission javax.management.MBeanPermission 
             "SimpleStandard#reset[MBeans:type=SimpleStandard]", 
             "invoke";
    permission javax.management.MBeanPermission 
              "SimpleStandard#-[MBeans:type=SimpleStandard]", 
              "removeNotificationListener";
    permission javax.management.MBeanPermission 
              "SimpleStandard#-[MBeans:type=SimpleStandard]", 
              "unregisterMBean";
    permission javax.management.MBeanPermission
              "javax.management.MBeanServerDelegate#-[JMImplementation:type=MBeanServerDelegate]",
              "addNotificationListener";
    permission javax.management.MBeanPermission
              "javax.management.MBeanServerDelegate#-[JMImplementation:type=MBeanServerDelegate]",
              "removeNotificationListener";
};
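
The effect of the className#member[objectName] targets in this policy can be checked with MBeanPermission.implies, without starting the connector. The following is an added example, not part of the tutorial's example code; the class PolicyCheck, the attribute name "Other", the operation name "other", the class name "OtherClass" and the object name MBeans:type=Other are hypothetical values chosen because the policy does not list them.

```java
import java.util.List;
import javax.management.MBeanPermission;
import javax.management.ObjectName;

public class PolicyCheck {
    // Five of the grants from Example 11-7, built from the same target strings.
    static final List<MBeanPermission> GRANTED = List.of(
        new MBeanPermission("SimpleStandard#-[-]", "instantiate"),
        new MBeanPermission("SimpleStandard#-[MBeans:type=SimpleStandard]", "registerMBean"),
        new MBeanPermission("SimpleStandard#State[MBeans:type=SimpleStandard]", "getAttribute"),
        new MBeanPermission("SimpleStandard#State[MBeans:type=SimpleStandard]", "setAttribute"),
        new MBeanPermission("SimpleStandard#reset[MBeans:type=SimpleStandard]", "invoke"));

    // True if any grant implies the permission a request would need.
    // A null member or object name here corresponds to "-" in the policy file.
    static boolean allowed(String cls, String member, ObjectName name, String action) {
        MBeanPermission needed = new MBeanPermission(cls, member, name, action);
        return GRANTED.stream().anyMatch(g -> g.implies(needed));
    }

    static void show(String label, boolean result) {
        System.out.printf("%-50s %s%n", label, result ? "allowed" : "denied");
    }

    public static void main(String[] args) throws Exception {
        ObjectName simple = new ObjectName("MBeans:type=SimpleStandard");
        ObjectName other = new ObjectName("MBeans:type=Other"); // hypothetical name

        // Requests that match a grant in class, member, object name and action.
        show("instantiate SimpleStandard",
             allowed("SimpleStandard", null, null, "instantiate"));
        show("registerMBean SimpleStandard",
             allowed("SimpleStandard", null, simple, "registerMBean"));
        show("getAttribute State",
             allowed("SimpleStandard", "State", simple, "getAttribute"));
        show("invoke reset",
             allowed("SimpleStandard", "reset", simple, "invoke"));

        // Requests that differ from every grant in exactly one component.
        show("getAttribute Other (member not granted)",
             allowed("SimpleStandard", "Other", simple, "getAttribute"));
        show("invoke other (member not granted)",
             allowed("SimpleStandard", "other", simple, "invoke"));
        show("getAttribute State on MBeans:type=Other",
             allowed("SimpleStandard", "State", other, "getAttribute"));
        show("registerMBean OtherClass (class not granted)",
             allowed("OtherClass", null, simple, "registerMBean"));
    }
}
```

A request is reported as allowed only when one grant matches it in class name, member, object name and action at once, which is what limits the "username" principal to the State attribute and the reset operation of the one named MBean.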

The java.policy file shown in Example 11–7 grants the following permissions:

To Run the RMI Connector Example With Fine-Grained Security

Run this example from within the examplesDir/current/Security/rmi/fine_grained directory.

  1. Compile the example classes.


    $ javac -classpath classpath \
          mbeans/SimpleStandard.java \
          mbeans/SimpleStandardMBean.java \
          server/Server.java \
          client/Client.java \
          client/ClientListener.java
    
  2. Start an RMI registry on port 9999 of the local host.


    $ export CLASSPATH=server:classpath ; rmiregistry 9999 &
    
  3. Create a java.policy file from the java.policy.template file in the config directory.

    You must replace @INSTALL_HOME_FOR_JDMK@ with your installDir.

  4. Start the Server.

    You need to provide the Server with a pointer to the SSL keystore, the SSL password, the JAAS security manager and the java.policy file when you start the Server class.


    $ java -classpath server:mbeans:classpath \
         -Djavax.net.ssl.keyStore=config/keystore \
         -Djavax.net.ssl.keyStorePassword=password \
         -Djava.security.manager \
         -Djava.security.policy=config/java.policy Server &
    

    You will see confirmation of the initialization of the environment map, the creation of the MBean server and of the RMI connector.

  5. Start the Client.

    Again, the Client requires the SSL truststore and its password when it is launched.


    $ java -classpath client:server:mbeans:classpath \
         -Djavax.net.ssl.trustStore=config/truststore \
         -Djavax.net.ssl.trustStorePassword=trustword \
         Client
    

    You will see confirmation of the creation of the connector client, the connection to the RMI server and the various MBean operations followed by the closure of the connection.