You can find an example of an RMI connector with fine-grained security in the directory examplesDir/current/Security/rmi/fine_grained.
The Server class used in this example is very similar to the one used in the RMI connector example with simple security. The only difference is that there is no access.properties file to map into the environment map in the fine-grained example. This was omitted so as not to make the example overly complicated. Otherwise, all the other classes and files used in this example are the same as those used in 11.1.1 RMI Connectors With Simple Security, with the exception of the java.policy file, which is shown below.
grant codeBase "file:installDir/lib/jmx.jar" {
    permission java.security.AllPermission;
};

grant codeBase "file:installDir/lib/jmxremote.jar" {
    permission java.security.AllPermission;
};

grant codeBase "file:server" {
    permission java.security.AllPermission;
};

grant codeBase "file:mbeans" {
    permission javax.management.MBeanTrustPermission "register";
};

grant principal javax.management.remote.JMXPrincipal "username" {
    permission javax.management.MBeanPermission "*", "getDomains";
    permission javax.management.MBeanPermission "SimpleStandard#-[-]", "instantiate";
    permission javax.management.MBeanPermission "SimpleStandard#-[MBeans:type=SimpleStandard]", "registerMBean";
    permission javax.management.MBeanPermission "SimpleStandard#State[MBeans:type=SimpleStandard]", "getAttribute";
    permission javax.management.MBeanPermission "SimpleStandard#State[MBeans:type=SimpleStandard]", "setAttribute";
    permission javax.management.MBeanPermission "SimpleStandard#-[MBeans:type=SimpleStandard]", "addNotificationListener";
    permission javax.management.MBeanPermission "SimpleStandard#reset[MBeans:type=SimpleStandard]", "invoke";
    permission javax.management.MBeanPermission "SimpleStandard#-[MBeans:type=SimpleStandard]", "removeNotificationListener";
    permission javax.management.MBeanPermission "SimpleStandard#-[MBeans:type=SimpleStandard]", "unregisterMBean";
    permission javax.management.MBeanPermission "javax.management.MBeanServerDelegate#-[JMImplementation:type=MBeanServerDelegate]", "addNotificationListener";
    permission javax.management.MBeanPermission "javax.management.MBeanServerDelegate#-[JMImplementation:type=MBeanServerDelegate]", "removeNotificationListener";
};
The java.policy file shown in Example 11–7 grants the following permissions:
- All permissions to the server codebase, so that the connector server can create the connectors, and then perform the operations requested by remote user calls.
- MBeanTrustPermission to the mbeans codebase, allowing trusted MBeans to register in the MBean server.
- Permission to perform the various MBean and MBean server operations defined by the SimpleStandard MBean, for the user represented by a JMXPrincipal named username.
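The following added example (not part of the original example set) shows how the className#member[objectName] targets granted to the JMXPrincipal are matched against the operations a remote user requests. It uses only MBeanPermission.implies from the standard javax.management API; the class name PolicyCheck and the requests marked as constructed are assumptions made for illustration.

```java
import java.security.Permission;
import java.util.List;
import javax.management.MBeanPermission;
import javax.management.ObjectName;

// Added example: evaluates sample requests against MBeanPermission grants
// copied from the java.policy file above. The class name is hypothetical.
public class PolicyCheck {
    // A subset of the grants for JMXPrincipal "username", as (target, action) pairs.
    static final List<MBeanPermission> GRANTS = List.of(
        new MBeanPermission("*", "getDomains"),
        new MBeanPermission("SimpleStandard#-[-]", "instantiate"),
        new MBeanPermission("SimpleStandard#-[MBeans:type=SimpleStandard]", "registerMBean"),
        new MBeanPermission("SimpleStandard#State[MBeans:type=SimpleStandard]", "getAttribute"),
        new MBeanPermission("SimpleStandard#State[MBeans:type=SimpleStandard]", "setAttribute"),
        new MBeanPermission("SimpleStandard#reset[MBeans:type=SimpleStandard]", "invoke"));

    // True if any grant implies the permission that would be required for the
    // request. A null member or name is the nil value written "-" in the policy.
    static boolean allowed(String cls, String member, String name, String action)
            throws Exception {
        ObjectName on = (name == null) ? null : new ObjectName(name);
        Permission needed = new MBeanPermission(cls, member, on, action);
        return GRANTS.stream().anyMatch(g -> g.implies(needed));
    }

    static void show(String cls, String member, String name, String action)
            throws Exception {
        System.out.printf("%-14s %-9s %-27s %s%n", action, member, name,
            allowed(cls, member, name, action) ? "ALLOW" : "DENY");
    }

    public static void main(String[] args) throws Exception {
        String mbean = "MBeans:type=SimpleStandard";
        // Requests that match a grant in the policy file.
        show("SimpleStandard", "State", mbean, "getAttribute");
        show("SimpleStandard", "reset", mbean, "invoke");
        show("SimpleStandard", null, mbean, "registerMBean");
        // Constructed requests that the policy does not list.
        show("SimpleStandard", "Secret", mbean, "getAttribute");
        show("SimpleStandard", "shutdown", mbean, "invoke");
        show("SimpleStandard", "State", "MBeans:type=Other", "getAttribute");
        show("SimpleStandard", null, "MBeans:type=Other", "registerMBean");
    }
}
```

The first three requests print ALLOW and the four constructed ones print DENY, because a grant only applies when its class name, member, object name and action all match the request.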
Run this example from within the examplesDir/current/Security/rmi/fine_grained directory.
Compile the example classes.
$ javac -classpath classpath \
      mbeans/SimpleStandard.java \
      mbeans/SimpleStandardMBean.java \
      server/Server.java \
      client/Client.java \
      client/ClientListener.java
Start an RMI registry on port 9999 of the local host.
$ export CLASSPATH=server:classpath ; rmiregistry 9999 &
Create a java.policy file from the java.policy.template file in the config directory.
You must replace @INSTALL_HOME_FOR_JDMK@ with your installDir.
Start the Server.
You need to provide the Server with a pointer to the SSL keystore, the SSL password, the JAAS security manager and the java.policy file when you start the Server class.
$ java -classpath server:mbeans:classpath \
      -Djavax.net.ssl.keyStore=config/keystore \
      -Djavax.net.ssl.keyStorePassword=password \
      -Djava.security.manager \
      -Djava.security.policy=config/java.policy Server &
You will see confirmation of the initialization of the environment map, the creation of the MBean server and of the RMI connector.
Start the Client.
Again, the Client requires the SSL truststore and its password when it is launched.
$ java -classpath client:server:mbeans:classpath \
      -Djavax.net.ssl.trustStore=config/truststore \
      -Djavax.net.ssl.trustStorePassword=trustword \
      Client
You will see confirmation of the creation of the connector client, the connection to the RMI server and the various MBean operations followed by the closure of the connection.