Java Dynamic Management Kit 5.0 Tutorial

Password-Based Authentication

The simplest form of agent security is to accept management requests only if they contain a valid login identity and password. Agents recognize a given list of login-password pairs, and managers must provide a matching login and password when they try to establish a connection.

In the , only the HTTP–based connectors support password–based authentication. The SNMP protocol adaptor also supports access control, but it is based on a different mechanism (see IP-Based Access Control Lists).

By default, no authentication is enabled in the HTTP-based connectors and any manager can establish a connection. The password-checking behavior is enabled by defining the list of authorized login-password pairs.

You can define this authentication information in one of the following ways:

In both cases, only the agent application has access to these methods, meaning that the agent controls the authentication mechanism. As soon as an AuthInfo object is added to the connector server through either method, all incoming requests must provide a recognized name and password. In our example, we read the authentication information from the command line and call the addUserAuthenticationInfo.

Example 13–1 Implementing Password Authentication in the HTTP Connector Server

// Here we show the code for reading the
// id-password pairs from the command line
int firstarg = 0;
boolean doAuthentication = (args.length > firstarg);

AuthInfo[] authInfoList;

if (doAuthentication) {
    authInfoList = new AuthInfo[(args.length - firstarg) / 2];
    for (int i = firstarg, j = 0; i < args.length; i += 2, j++)

        authInfoList[j] = new AuthInfo(args[i], args[i + 1]);

} else

    authInfoList = null;

[...] // instantiate and register an HTTP connector server

// Define the authentication list
if (doAuthentication) {
    for (int i = 0; i < authInfoList.length; i++)

On the manager-side, identifiers and passwords are given in the address object, because authentication applies when the connection is established.

Example 13–2 Specifying the Login and Password in the HTTP Connector Server

// login and password were read from the command line
AuthInfo authInfo = null;

if (login != null) {
    authInfo = new AuthInfo( login, password );

// agentHost and agentPort are read from the command
// line or take on default values
HttpConnectorAddress addr =
    new HttpConnectorAddress(
        agentHost, agentPort, authInfo );

final RemoteMBeanServer connector =
    (RemoteMBeanServer) new HttpConnectorClient();

connector.connect( addr );

The connector is identified by the one AuthInfo object it uses to instantiate the connector address. If the agent has authentication enabled, both the login and the password must match one of the AuthInfo objects in the agent. If the agent does not perform authentication, providing a login and password has no effect because all connections are accepted.

If the authentication fails, the call to the connect method returns an exception. Normally, the client's code should catch this exception to handle this error case.

As demonstrated by the code examples, the authentication mechanism is very simple to configure. It prevents unauthorized access with very little overhead.

Note –

The HTML adaptor provides a similar authentication mechanism, where the list of accepted identities is given to the server object. In the case of the HTML protocol, the web browser is the management application that must provide a login and password. The behavior is browser-dependent, but the browser usually requests that the user type this login and password in a dialog box.

Running the Example With Authentication

The examplesDir/Context directory contains the applications that demonstrate the use of password authentication through the HTTP connector.

To Run the Example With Authentification
  1. Compile all files in this directory with the javac command.

    For example, on the Solaris platform with the Korn shell, type:

    $ cd examplesDir/Context/
    $ javac -classpath classpath *.java
  2. Start the agent in a terminal window and specify a list of login-password pairs, as in the following command:

    $ java -classpath classpath ContextAgent  jack jill  billy bob
  3. Wait for the agent to be completely initialized, then start the manager in another window with the following command:

    $ java -classpath classpath ContextClient -ident andy bob

    The client application tries to establish a connection with the login andy and the password bob. The authentication mechanism refuses the connection, and the com.sun.jdmk.comm.UnauthorizedSecurityException is raised by the connector server.

  4. Start the manager again, this time with a valid identity:

    $ java -classpath classpath ContextClient -ident jack jill

    The connection is established and the output from management operation is displayed in both windows.

  5. Leave both applications running for the next example.