JMX Authentication - Role Based MBean Operations
I have implemented JMXAuthenticator for JMX authentication over RMI, however I am not sure how to create roles to allow for readonly/readwrite access levels. For example, in JMXAuthenticator.authenticate I have my custom authentication logic and want this to determine the access role. I have tried the following but it makes no difference when performing operations in JConsole:
import javax.management.remote.JMXAuthenticator;
import javax.management.remote.JMXPrincipal;
import javax.security.auth.Subject;

// In a class that implements JMXAuthenticator
@Override
public Subject authenticate(Object credentials) {
    Subject subject = new Subject();
    JMXPrincipal p;
    //...my logic
    String accessLevel = myCustomLogic();
    if (accessLevel.equals("admin")) {
        p = new JMXPrincipal("adminrole");
    } else {
        p = new JMXPrincipal("basicrole");
    }
    subject.getPrincipals().add(p);
    return subject;
}
I have then created an access file, jmxaccess.properties, containing

adminuser readwrite
basicuser readonly

and jmx.management.properties, which contains

com.sun.management.jmxremote.access.file=PATH TO ACCESS FILE

and I run the application with

-Dcom.sun.management.config.file=PATH TO jmx.management.properties
However, when I connect through JConsole and authenticate as basicuser (read-only access), I can access setters on the bean. I am connecting via the full service:jmx:rmi:... URL.
So my questions are
Subject object correctly which the JMXAuthenticator returns?
Thanks
Edit: My MBean is just a basic POJO with private fields that have public getters and setters, plus one other public method.
Found the answer: need to implement a custom invocation handler via the InvocationHandler interface. This intercepts server calls before they reach the beans. Inside the authenticate method you need to check the principals:
import java.security.AccessController;
import java.security.Principal;
import java.util.Set;
import javax.management.remote.JMXPrincipal;
import javax.security.auth.Subject;

Subject subject = Subject.getSubject(AccessController.getContext()); // null when no Subject is bound to this call
if (subject != null) {
    Set<JMXPrincipal> principals = subject.getPrincipals(JMXPrincipal.class); // never null, may be empty
    if (!principals.isEmpty()) {
        Principal principal = principals.iterator().next();
        //your checks
    }
}
I extended JMXPrincipal (one extension per access level) and assigned it to the Subject in the Authenticator above; then, after retrieving the principal in the IH, I can check the type via instanceof and either allow the action to continue or throw a SecurityException.
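Added example, not code from the question or the answer above: a self-contained Java server that wires the answer's approach together. It assumes Java 11 or later, an RMI registry on port 9999, and a constructed in-memory user table (adminuser/basicuser with made-up passwords) standing in for myCustomLogic; the principal class names ReadWritePrincipal and ReadOnlyPrincipal are assumptions. The JMXAuthenticator attaches one of two JMXPrincipal subclasses to the Subject, and an MBeanServerForwarder built from java.lang.reflect.Proxy with an InvocationHandler recovers that Subject inside each remote call and rejects setAttribute, invoke and MBean registration calls from read-only principals with a SecurityException. One point worth knowing when comparing this with the question's setup: the jmxremote.access file and com.sun.management.config.file are read by the JDK's built-in management agent (the one started with com.sun.management.jmxremote.port), which enforces the access file through its own MBeanServerForwarder; a connector server created with JMXConnectorServerFactory and a custom JMXAuthenticator installs no such forwarder, so the access file is never consulted for it, which is consistent with a read-only user being able to call setters.

```java
import java.lang.management.ManagementFactory;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;
import java.rmi.registry.LocateRegistry;
import java.security.AccessController;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.management.MBeanServer;
import javax.management.remote.JMXAuthenticator;
import javax.management.remote.JMXConnectorServer;
import javax.management.remote.JMXConnectorServerFactory;
import javax.management.remote.JMXPrincipal;
import javax.management.remote.JMXServiceURL;
import javax.management.remote.MBeanServerForwarder;
import javax.security.auth.Subject;

public final class RoleBasedJmxServer {

    /** One JMXPrincipal subclass per access level, as the answer describes (class names are assumptions). */
    static final class ReadWritePrincipal extends JMXPrincipal {
        ReadWritePrincipal(String name) { super(name); }
    }
    static final class ReadOnlyPrincipal extends JMXPrincipal {
        ReadOnlyPrincipal(String name) { super(name); }
    }

    /** Constructed credential store: user -> {password, role}. Stands in for "myCustomLogic". */
    private static final Map<String, String[]> USERS = new HashMap<>();
    static {
        USERS.put("adminuser", new String[] {"admin-secret", "readwrite"});
        USERS.put("basicuser", new String[] {"basic-secret", "readonly"});
    }

    /** JMXAuthenticator: JConsole sends credentials as a String[] {user, password}. */
    static final JMXAuthenticator AUTHENTICATOR = credentials -> {
        String[] cred = credentials instanceof String[] ? (String[]) credentials : null;
        String[] entry = (cred != null && cred.length == 2) ? USERS.get(cred[0]) : null;
        if (entry == null || !entry[0].equals(cred[1])) {
            throw new SecurityException("Authentication failed"); // same message for unknown user and bad password
        }
        Subject subject = new Subject();
        subject.getPrincipals().add("readwrite".equals(entry[1])
                ? new ReadWritePrincipal(cred[0]) : new ReadOnlyPrincipal(cred[0]));
        subject.setReadOnly(); // nothing downstream can add a stronger principal later
        return subject;
    };

    /** MBeanServer methods that change state; reads and notification subscriptions stay open to read-only users. */
    private static final Set<String> MUTATING = Set.of(
            "setAttribute", "setAttributes", "invoke",
            "createMBean", "registerMBean", "unregisterMBean");

    /**
     * Builds an MBeanServerForwarder from a dynamic proxy whose InvocationHandler is the access check.
     * The RMI connector server runs each remote call under the authenticated Subject, so the Subject
     * returned by the authenticator is recoverable from the AccessControlContext inside the handler.
     */
    static MBeanServerForwarder accessController() {
        final MBeanServer[] target = new MBeanServer[1]; // filled in by setMBeanServerForwarder()
        InvocationHandler handler = (proxy, method, args) -> {
            String name = method.getName();
            if (name.equals("getMBeanServer")) { return target[0]; }
            if (name.equals("setMBeanServer")) { target[0] = (MBeanServer) args[0]; return null; }
            if (MUTATING.contains(name)) {
                // On JDK 18+ prefer Subject.current(); getSubject(AccessControlContext) is deprecated there.
                Subject subject = Subject.getSubject(AccessController.getContext());
                if (subject == null || subject.getPrincipals(ReadWritePrincipal.class).isEmpty()) {
                    throw new SecurityException("Access denied: " + name + " requires readwrite");
                }
            }
            try {
                return method.invoke(target[0], args);
            } catch (InvocationTargetException e) {
                throw e.getCause(); // surface the MBeanServer's own exception, not the reflection wrapper
            }
        };
        return (MBeanServerForwarder) Proxy.newProxyInstance(
                MBeanServerForwarder.class.getClassLoader(),
                new Class<?>[] {MBeanServerForwarder.class}, handler);
    }

    public static void main(String[] args) throws Exception {
        LocateRegistry.createRegistry(9999); // port is an assumption
        JMXServiceURL url = new JMXServiceURL("service:jmx:rmi:///jndi/rmi://localhost:9999/jmxrmi");
        Map<String, Object> env = new HashMap<>();
        env.put(JMXConnectorServer.AUTHENTICATOR, AUTHENTICATOR);
        JMXConnectorServer server = JMXConnectorServerFactory.newJMXConnectorServer(
                url, env, ManagementFactory.getPlatformMBeanServer());
        server.setMBeanServerForwarder(accessController()); // applies to remote callers only
        server.start();
        System.out.println("JMX connector listening on " + url);
    }
}
```

Connect from JConsole with service:jmx:rmi:///jndi/rmi://localhost:9999/jmxrmi and the basicuser credentials: attribute reads and the Notifications tab work, while changing an attribute or invoking an operation fails with the SecurityException thrown by the handler. The check lives in the forwarder rather than in the authenticator because authentication only establishes who the caller is; the authorization decision has to be made per call, where the operation name and the bound Subject are both known.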