13 Security
This chapter gives examples of how to set up the JMX technology security features:
- Simple Security presents examples of connectors that implement straightforward security that is based on password authentication and file access control.
Note:
The Subject Delegation feature has been removed. If your client application needs to perform operations as, or on behalf of, multiple identities, it will need to make multiple calls toJMXConnectorFactory.connect() and to the
getMBeanServerConnection() method on the returned
JMXConnector.
WARNING:
The Security Manager and APIs related to it have been removed from the JDK, starting with JDK 24 There is no replacement for the Security Manager. See JEP 411 for discussion and alternatives.Caution:
- Applications should prompt the user to enter passwords rather than expecting the user to provide them at the command line.
- Use secure authentication mechanisms in production systems. In particular, use both SSL client certificates to authenticate the client host, and password authentication for user management. See Using SSL and Using LDAP Authentication in the Java Platform, Standard Edition Monitoring and Management Guide.
Simple Security
The simplest type of security you can use with the JMX technology is based upon encryption, user name and password authentication, and file access control.
Analyzing the RMI Connectors with Simple Security Example Classes
-
Copy the source code contained in the Simple Security section and create the following
work_dir/jmx_examples/Security/simplesubdirectories and corresponding files:/server/Server.java/config/access.properties/config/keystore/config/password.properties/config/truststore/mbeans/SimpleStandardMBean.java/mbeans/SimpleStandard.java/client/Client.java/client/ClientListener.java
-
Open the
*.javaand*.propertiesfiles, in your IDE or text editor.
The following sections analyze these files and explain how they perform the security operations described above.
Server.java in the Simple Security Example
The Server.java class is shown in the following code example.
CODE EXAMPLE 13-1 RMI Connector Example (Simple Security) Class Server.java
public class Server {
public static void main(String[] args) {
try {
MBeanServer mbs = MBeanServerFactory.createMBeanServer();
HashMap env = new HashMap();
SslRMIClientSocketFactory csf =
new SslRMIClientSocketFactory();
SslRMIServerSocketFactory ssf =
new SslRMIServerSocketFactory();
env.put(RMIConnectorServer.
RMI_CLIENT_SOCKET_FACTORY_ATTRIBUTE,csf);
env.put(RMIConnectorServer.
RMI_SERVER_SOCKET_FACTORY_ATTRIBUTE,ssf);
env.put("jmx.remote.x.password.file",
"config" + File.separator + "password.properties");
env.put("jmx.remote.x.access.file",
"config" + File.separator + "access.properties");
JMXServiceURL url = new JMXServiceURL(
"service:jmx:rmi:///jndi/rmi://localhost:9999/server");
JMXConnectorServer cs =
JMXConnectorServerFactory.newJMXConnectorServer(url,
env,
mbs);
cs.start();
} catch (Exception e) {
e.printStackTrace();
}
}
}The Server class shown in this code example creates an MBean server
mbs, and populates an environment map env with a secure
RMI client socket factory csf, a secure RMI server socket factory
ssf, and the properties files password.properties and
access.properties.
The properties file password.properties contains a username and password and is accessed using the JMX Remote API interface JMXAuthenticator. Using the property jmx.remote.x.password.file is the same as creating a password-based JMXAuthenticator and passing it into the environment map through the jmx.remote.authenticator property.
The properties file access.properties contains a username and a level of access permission that can be either readwrite or readonly. This represents the level of access this user can have to MBean server operations. This file-based access control is implemented using the JMX technology interface MBeanServerForwarder, which wraps the real MBean server inside an access controller MBean server. The access controller MBean server only forwards requests to the real MBean server after performing the appropriate checks.
Server creates a JMX service URL, named url, for an RMI connector that will operate over the default JRMP transport, and register an RMI connector stub in an RMI registry on port 9999 of the local host.
The MBean server mbs, the environment map env and the service URL url are all passed to JMXConnectorServer to create a new, secure JMX connector server named cs.
SimpleStandardMBean.java in the Simple Security Example
The SimpleStandardMBean class defines the same straightforward MBean interface used in SimpleStandardMBean.java in the MBean Example.
SimpleStandard.java in the Simple Security Example
The SimpleStandard class defines the same straightforward MBean used in SimpleStandard.java in the MBean Example.
ClientListener.java in the Simple Security Example
The ClientListener class defines the same straightforward notification listener used in ClientListener.java in the MBean Example.
Client.java in the Simple Security Example
The Client.java class is shown in the following code example.
CODE EXAMPLE 13-2 RMI Connector Example (Simple Security) Class Client.java
public class Client {
public static void main(String[] args) {
try {
HashMap env = new HashMap();
String[] credentials = new String[] { "username" , "password" };
env.put("jmx.remote.credentials", credentials);
JMXServiceURL url = new JMXServiceURL(
"service:jmx:rmi:///jndi/rmi://localhost:9999/server");
JMXConnector jmxc = JMXConnectorFactory.connect(url, env);
MBeanServerConnection mbsc = jmxc.getMBeanServerConnection();
String domains[] = mbsc.getDomains();
for (int i = 0; i < domains.length; i++) {
System.out.println("Domain[" + i + "] = " + domains[i]);
}
ObjectName mbeanName =
new ObjectName("MBeans:type=SimpleStandard");
mbsc.createMBean("SimpleStandard", mbeanName, null, null);
// Perform MBean operations
[...]
mbsc.removeNotificationListener(mbeanName, listener);
mbsc.unregisterMBean(mbeanName);
jmxc.close();
} catch (Exception e) {
e.printStackTrace();
}
}
}
The Client class shown in this code example populates an environment
map env with a set of credentials, namely the username and
password expected by the Server. These credentials are
then given to an instance of JMXConnector named jmxc when
the service URL of the connector stub and the environment map are passed to
JMXConnectorFactory.connect(). Through jmxc, the
Client connects to the MBean server started by Server,
and performs MBean operations.
When the connection is established, the credentials supplied in the environment map env are sent to the server. The server then calls the authenticate() method of the JMXAuthenticator interface, passing the client credentials as parameters. The authenticate() method authenticates the client and returns a subject that contains the set of principals upon which the access control checks will be performed.
Running the RMI Connector Example With Simple Security
To run the RMI connector example with simple security, perform the following steps:
-
Run the RMI connector example:
$ javac mbeans/SimpleStandard.java \ mbeans/SimpleStandardMBean.java \ server/Server.java \ client/Client.java \ client/ClientListener.java - Start an RMI registry on port 9999 of the local host.
$ export CLASSPATH=server ; rmiregistry 9999 & - Start the
Server.$ java -classpath server:mbeans \ -Djavax.net.ssl.keyStore=config/keystore \ -Djavax.net.ssl.keyStorePassword=password \ Server &You will see confirmation of the creation of the MBean server and of the RMI connector.
- Start the
Client.$java -classpath client:server:mbeans \ -Djavax.net.ssl.trustStore=config/truststore \ -Djavax.net.ssl.trustStorePassword=trustword \ ClientYou will see confirmation of the creation of the connector client, the various MBean operations followed by the closure of the connection.
As you can see, all the above appears to proceed in exactly the same manner as the basic RMI connector example described in JMX Connectors. However, if you were to open password.properties and change the password, you would see a java.lang.SecurityException when you launched the Client, and the connection would fail.