13 Security
This chapter gives examples of how to set up the JMX technology security features, as described in the following sections:
- Simple Security presents examples of connectors that implement straightforward security that is based on password authentication and file access control.
- Fine-Grained Security presents examples of connectors that implement more sophisticated security mechanisms, in which permission to perform individual operations is controlled.
Note:
The Subject Delegation feature has been removed. If your client application needs to perform operations as, or on behalf of, multiple identities, it will need to make multiple calls toJMXConnectorFactory.connect() and to the
getMBeanServerConnection() method on the returned
JMXConnector.
WARNING:
The Security Manager and APIs related to it have been deprecated and are subject to removal in a future release. There is no replacement for the Security Manager. See JEP 411 for discussion and alternatives.Caution:
- Applications should prompt the user to enter passwords rather than expecting the user to provide them at the command line.
- Use secure authentication mechanisms in production systems. In particular, use both SSL client certificates to authenticate the client host, and password authentication for user management. See Using SSL and Using LDAP Authentication in the Java Platform, Standard Edition Monitoring and Management Guide.
Simple Security
The simplest type of security you can use with the JMX technology is based upon encryption, user name and password authentication, and file access control.
Analyzing the RMI Connectors with Simple Security Example Classes
-
Copy the source code contained in the Simple Security section and create the following
work_dir/jmx_examples/Security/simplesubdirectories and corresponding files:/server/Server.java/config/access.properties/config/keystore/config/password.properties/config/truststore/mbeans/SimpleStandardMBean.java/mbeans/SimpleStandard.java/client/Client.java/client/ClientListener.java
-
Open the
*.javaand*.propertiesfiles, in your IDE or text editor.
The following sections analyze these files and explain how they perform the security operations described above.
Server.java in the Simple Security Example
The Server.java class is shown in the following code example.
CODE EXAMPLE 13-1 RMI Connector Example (Simple Security) Class Server.java
public class Server {
public static void main(String[] args) {
try {
MBeanServer mbs = MBeanServerFactory.createMBeanServer();
HashMap env = new HashMap();
SslRMIClientSocketFactory csf =
new SslRMIClientSocketFactory();
SslRMIServerSocketFactory ssf =
new SslRMIServerSocketFactory();
env.put(RMIConnectorServer.
RMI_CLIENT_SOCKET_FACTORY_ATTRIBUTE,csf);
env.put(RMIConnectorServer.
RMI_SERVER_SOCKET_FACTORY_ATTRIBUTE,ssf);
env.put("jmx.remote.x.password.file",
"config" + File.separator + "password.properties");
env.put("jmx.remote.x.access.file",
"config" + File.separator + "access.properties");
JMXServiceURL url = new JMXServiceURL(
"service:jmx:rmi:///jndi/rmi://localhost:9999/server");
JMXConnectorServer cs =
JMXConnectorServerFactory.newJMXConnectorServer(url,
env,
mbs);
cs.start();
} catch (Exception e) {
e.printStackTrace();
}
}
}The Server class shown in this code example creates an MBean server
mbs, and populates an environment map env with a secure
RMI client socket factory csf, a secure RMI server socket factory
ssf, and the properties files password.properties and
access.properties.
The properties file password.properties contains a username and password and is accessed using the JMX Remote API interface JMXAuthenticator. Using the property jmx.remote.x.password.file is the same as creating a password-based JMXAuthenticator and passing it into the environment map through the jmx.remote.authenticator property.
The properties file access.properties contains a username and a level of access permission that can be either readwrite or readonly. This represents the level of access this user can have to MBean server operations. This file-based access control is implemented using the JMX technology interface MBeanServerForwarder, which wraps the real MBean server inside an access controller MBean server. The access controller MBean server only forwards requests to the real MBean server after performing the appropriate checks.
Server creates a JMX service URL, named url, for an RMI connector that will operate over the default JRMP transport, and register an RMI connector stub in an RMI registry on port 9999 of the local host.
The MBean server mbs, the environment map env and the service URL url are all passed to JMXConnectorServer to create a new, secure JMX connector server named cs.
SimpleStandardMBean.java in the Simple Security Example
The SimpleStandardMBean class defines the same straightforward MBean interface used in SimpleStandardMBean.java in the MBean Example.
SimpleStandard.java in the Simple Security Example
The SimpleStandard class defines the same straightforward MBean used in SimpleStandard.java in the MBean Example.
ClientListener.java in the Simple Security Example
The ClientListener class defines the same straightforward notification listener used in ClientListener.java in the MBean Example.
Client.java in the Simple Security Example
The Client.java class is shown in the following code example.
CODE EXAMPLE 13-2 RMI Connector Example (Simple Security) Class Client.java
public class Client {
public static void main(String[] args) {
try {
HashMap env = new HashMap();
String[] credentials = new String[] { "username" , "password" };
env.put("jmx.remote.credentials", credentials);
JMXServiceURL url = new JMXServiceURL(
"service:jmx:rmi:///jndi/rmi://localhost:9999/server");
JMXConnector jmxc = JMXConnectorFactory.connect(url, env);
MBeanServerConnection mbsc = jmxc.getMBeanServerConnection();
String domains[] = mbsc.getDomains();
for (int i = 0; i < domains.length; i++) {
System.out.println("Domain[" + i + "] = " + domains[i]);
}
ObjectName mbeanName =
new ObjectName("MBeans:type=SimpleStandard");
mbsc.createMBean("SimpleStandard", mbeanName, null, null);
// Perform MBean operations
[...]
mbsc.removeNotificationListener(mbeanName, listener);
mbsc.unregisterMBean(mbeanName);
jmxc.close();
} catch (Exception e) {
e.printStackTrace();
}
}
}
The Client class shown in this code example populates an environment
map env with a set of credentials, namely the username and
password expected by the Server. These credentials are
then given to an instance of JMXConnector named jmxc when
the service URL of the connector stub and the environment map are passed to
JMXConnectorFactory.connect(). Through jmxc, the
Client connects to the MBean server started by Server,
and performs MBean operations.
When the connection is established, the credentials supplied in the environment map env are sent to the server. The server then calls the authenticate() method of the JMXAuthenticator interface, passing the client credentials as parameters. The authenticate() method authenticates the client and returns a subject that contains the set of principals upon which the access control checks will be performed.
Running the RMI Connector Example With Simple Security
To run the RMI connector example with simple security, perform the following steps:
-
Run the RMI connector example:
$ javac mbeans/SimpleStandard.java \ mbeans/SimpleStandardMBean.java \ server/Server.java \ client/Client.java \ client/ClientListener.java - Start an RMI registry on port 9999 of the local host.
$ export CLASSPATH=server ; rmiregistry 9999 & - Start the
Server.$ java -classpath server:mbeans \ -Djavax.net.ssl.keyStore=config/keystore \ -Djavax.net.ssl.keyStorePassword=password \ Server &You will see confirmation of the creation of the MBean server and of the RMI connector.
- Start the
Client.$java -classpath client:server:mbeans \ -Djavax.net.ssl.trustStore=config/truststore \ -Djavax.net.ssl.trustStorePassword=trustword \ ClientYou will see confirmation of the creation of the connector client, the various MBean operations followed by the closure of the connection.
As you can see, all the above appears to proceed in exactly the same manner as the basic RMI connector example described in JMX Connectors. However, if you were to open password.properties and change the password, you would see a java.lang.SecurityException when you launched the Client, and the connection would fail.
Fine-Grained Security
WARNING:
The Security Manager and APIs related to it have been deprecated and are subject to removal in a future release. There is no replacement for the Security Manager. See JEP 411 for discussion and alternatives.The two examples in this section are very similar to those shown in Simple Security, with the difference that policy-based access control replaces the simple, file-based access control.
Analyzing the Secure RMI Connectors With Fine-Grained Security Example Classes
-
Copy the source code contained in the Fine-Grained Security section and create the following
work_dir/jmx_examples/Security/fine_grainedsubdirectories and corresponding files:/server/Server.java/config/java.policy/config/keystore/config/password.properties/config/truststore/mbeans/SimpleStandard.java/mbeans/SimpleStandardMBean.java/client/ClientListener.java/client/Client.java
- Open all of the
*.javaand*.propertiesfiles in your IDE or text editor.
The following sections contain the analysis of these files.
Server.java in the Fine-Grained Security Example
The Server.java class in this example is very similar to the one used in unresolvable-reference.html. The only difference is that there is no access.properties file to map into the environment map in the fine-grained example. Otherwise, the two classes are identical.
java.policy in the Fine-Grained Security Example
The java.policy file grants the following permissions:
- All permissions to the
servercode base, so that the connector server can create the connectors, and then perform the operations requested by remote user calls MBeanTrustPermissionto thembeanscode base, allowing trusted MBeans to register in the MBean server- Permission to perform the various MBean and MBean server operations for the user represented by a
JMXPrincipalnamedusername.
SimpleStandardMBean.java in the Fine-Grained Security Example
The SimpleStandardMBean class defines the same straightforward MBean interface used in previous examples.
SimpleStandard.java in the Fine-Grained Security Example
The SimpleStandard class defines the same straightforward MBean used in previous examples.
ClientListener.java in the Fine-Grained Security Example
The ClientListener class defines the same straightforward notification listener used in previous examples.
Client.java in the Fine-Grained Security Example
The Client.java class is exactly the same as the one used in unresolvable-reference.html .
Running the RMI Connector Example With Fine-Grained Security
To run the RMI connector example with fine-grained security, perform the following steps:
- Run the RMI connector example:
$ javac mbeans/SimpleStandard.java \ mbeans/SimpleStandardMBean.java \ server/Server.java \ client/Client.java \ client/ClientListener.java - Start an RMI registry on port 9999 of the local host.
$ export CLASSPATH=server ; rmiregistry 9999 & - Start the
Server.$java -classpath server:mbeans \ -Djavax.net.ssl.keyStore=config/keystore \ -Djavax.net.ssl.keyStorePassword=password \ -Djava.security.manager \ -Djava.security.policy=config/java.policy \ Server &You will see confirmation of the initialization of the environment map, the creation of the MBean server and of the RMI connector.
- Start the
Client.$ java -classpath client:server:mbeans \ -Djavax.net.ssl.trustStore=config/truststore \ -Djavax.net.ssl.trustStorePassword=trustword \ ClientYou will see confirmation of the creation of the connector client, the connection to the RMI server and the various MBean operations followed by the closure of the connection.