Java Dynamic Management Kit 5.1 Tutorial

23.1 Password-Based Authentication (Legacy Connectors)

The simplest form of agent security you can implement in the legacy connectors is to accept management requests only if they contain a valid login identity and password. Agents recognize a given list of login-password pairs, and managers must provide a matching login and password when they try to establish a connection.

Among the legacy connectors, only the HTTP–based connectors support password–based authentication. However, both the new remote method invocation (RMI) and JMX messaging protocol (JMXMP) connectors added in Java DMK 5.1 support password-based authentication. The SNMP protocol adaptor also supports access control, but it is based on a different mechanism (see 19.1 IP-Based Access Control Lists).

By default, no authentication is enabled in the HTTP-based legacy connectors and any manager can establish a connection. The password-checking behavior is enabled by defining the list of authorized login-password pairs.

You can define this authentication information in one of the following ways:

Through the constructor that takes an AuthInfo array parameter:HttpConnectorServer(int port, AuthInfo[] authInfoList)
Through the methods inherited from the GenericHttpConnectorServer class:addUserAuthenticationInfo(AuthInfo authinfo)removeUserAuthenticationInfo(AuthInfo authinfo)

In both cases, only the agent application has access to these methods, meaning that the agent controls the authentication mechanism. As soon as an AuthInfo object is added to the connector server through either method, all incoming requests must provide a recognized name and password. In our example, we read the authentication information from the command line and call the addUserAuthenticationInfo.

Example 23–1 Implementing Password Authentication in the Legacy HTTP Connector Server

// Here we show the code for reading the
// id-password pairs from the command line
//
int firstarg = 0;
boolean doAuthentication = (args.length > firstarg);

AuthInfo[] authInfoList;

if (doAuthentication) {
    authInfoList = new AuthInfo[(args.length - firstarg) / 2];
    for (int i = firstarg, j = 0; i < args.length; i += 2, j++)

        authInfoList[j] = new AuthInfo(args[i], args[i + 1]);

} else

    authInfoList = null;

[...] // instantiate and register an HTTP connector server

// Define the authentication list
// 
if (doAuthentication) {
    for (int i = 0; i < authInfoList.length; i++)
        http.addUserAuthenticationInfo(authInfoList[i]);
}

On the manager-side, identifiers and passwords are given in the address object, because authentication applies when the connection is established.

Example 23–2 Specifying the Login and Password in the Legacy HTTP Connector Server

// login and password were read from the command line
//
AuthInfo authInfo = null;

if (login != null) {
    authInfo = new AuthInfo( login, password );
}

// agentHost and agentPort are read from the command
// line or take on default values
//
HttpConnectorAddress addr =
    new HttpConnectorAddress(
        agentHost, agentPort, authInfo );

final RemoteMBeanServer connector =
    (RemoteMBeanServer) new HttpConnectorClient();

connector.connect( addr );

The connector is identified by the one AuthInfo object it uses to instantiate the connector address. If the agent has authentication enabled, both the login and the password must match one of the AuthInfo objects in the agent. If the agent does not perform authentication, providing a login and password has no effect because all connections are accepted.

If the authentication fails, the call to the connect method returns an exception. Normally, the client's code should catch this exception to handle this error case.

As demonstrated by the code examples, the authentication mechanism is very simple to configure. It prevents unauthorized access with very little overhead.

Note –

The HTML adaptor provides a similar authentication mechanism, where the list of accepted identities is given to the server object. In the case of the HTML protocol, the web browser is the management application that must provide a login and password. The behavior is browser-dependent, but the browser usually requests that the user type this login and password in a dialog box.

23.1.1 Running the Legacy Security Example With Authentication

The examplesDir/legacy/Context directory contains the applications that demonstrate the use of password authentication through the legacy HTTP connector.

To Run the Legacy Security Example With Authentification

Compile all files in this directory with the javac command.

For example, on the Solaris platform with the Korn shell, type:
$ cd examplesDir/legacy/Context/ $ javac -classpath classpath *.java

Start the agent in a terminal window and specify a list of login-password pairs, as in the following command:
$ java -classpath classpath ContextAgent jack jill billy bob

Wait for the agent to be completely initialized, then start the manager in another window with the following command:
$ java -classpath classpath ContextClient -ident andy bob
The client application tries to establish a connection with the login andy and the password bob. The authentication mechanism refuses the connection, and the com.sun.jdmk.comm.UnauthorizedSecurityException is raised by the connector server.

Start the manager again, this time with a valid identity:
$ java -classpath classpath ContextClient -ident jack jill
The connection is established and the output from management operation is displayed in both windows.

Leave both applications running for the next example.