
JMX Authentication - Role Based MBean Operations

I have implemented JMXAuthenticator for JMX authentication over RMI, however I am not sure how to create roles to allow for readonly/readwrite access levels. For example, in JMXAuthenticator.authenticate I have my custom authentication logic and want this to determine the access role. I have tried the following but it makes no difference when performing operations in JConsole:

import javax.management.remote.JMXAuthenticator;
import javax.management.remote.JMXPrincipal;
import javax.security.auth.Subject;

public abstract class RoleAuthenticator implements JMXAuthenticator {

    // custom authentication logic (not shown in the question); expected to throw
    // SecurityException when the credentials are rejected
    protected abstract String myCustomLogic();

    @Override
    public Subject authenticate(Object credentials) {
        Subject subject = new Subject();
        JMXPrincipal p;

        //...my logic
        String accessLevel = myCustomLogic();
        if (accessLevel.equals("admin")) {
            p = new JMXPrincipal("adminrole");
        } else {
            p = new JMXPrincipal("basicrole");
        }

        // the connector server binds this Subject to every request from this client
        subject.getPrincipals().add(p);
        return subject;
    }
}

I have then created an access file, jmxaccess.properties, containing

adminuser readwrite
basicuser readonly

and jmx.management.properties which contains com.sun.management.jmxremote.access.file=PATH TO ACCESS FILE, and I run the application with -Dcom.sun.management.config.file=PATH TO jmx.management.properties.

However when I connect through JConsole and authenticate as a basicuser (read only access) I can access setters on the bean. I am connecting via the full service:jmx:rmi:... URL.

So my questions are:

  • Do I need to annotate/do anything to the setters in my bean to specify them as visible only to admin users?
  • Am I not building the Subject object correctly which the JMXAuthenticator returns?
  • Any other config/setup that is missing?

Thanks

Edit: My MBean is just a basic POJO with private fields that have public getters and setters plus one other public method.

Found the answer: need to implement a custom invocation handler via the InvocationHandler interface. This intercepts server calls before they reach the beans. Inside the authenticate method you need to check the principals:

import java.security.AccessController;
import java.util.Set;
import javax.management.remote.JMXPrincipal;
import javax.security.auth.Subject;

// the connector server runs each remote call under the authenticated Subject, so it can be read back here
Subject subject = Subject.getSubject(AccessController.getContext()); // null when no Subject is bound
Set<JMXPrincipal> principals = subject == null ? Set.of() : subject.getPrincipals(JMXPrincipal.class);
if (!principals.isEmpty()) {
    JMXPrincipal principal = principals.iterator().next();
    //your checks
}

I extended JMXPrincipal (one extension per access level) and assigned it to the Subject in the Authenticator above, then after retrieving the principal in the IH, I can check the type via instanceof and either allow the action to continue or throw a SecurityException.
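The interception described in the answer, as an added example that is not code from the post: an MBeanServerForwarder built with java.lang.reflect.Proxy that reads the authenticated Subject on every request and rejects state-changing MBeanServer calls unless the Subject carries the admin principal. AdminPrincipal, RoleCheckingForwarder, install and the WRITE_METHODS list are assumptions of this example, not part of the original question.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.security.AccessController;
import java.util.Set;
import javax.management.MBeanServer;
import javax.management.remote.JMXConnectorServer;
import javax.management.remote.JMXPrincipal;
import javax.management.remote.MBeanServerForwarder;
import javax.security.auth.Subject;

// Hypothetical JMXPrincipal subclass for the readwrite level; the authenticator adds it to the Subject.
final class AdminPrincipal extends JMXPrincipal {
    AdminPrincipal(String name) { super(name); }
}

/** Hypothetical forwarder: read-only principals may call only non-mutating MBeanServer methods. */
public final class RoleCheckingForwarder implements InvocationHandler {
    // MBeanServer methods that change state; everything else is treated as read-only.
    private static final Set<String> WRITE_METHODS = Set.of("setAttribute", "setAttributes",
            "invoke", "createMBean", "registerMBean", "unregisterMBean");
    private MBeanServer target; // the real MBeanServer, supplied via setMBeanServer()

    public static void install(JMXConnectorServer cs) {
        MBeanServerForwarder f = (MBeanServerForwarder) Proxy.newProxyInstance(
                MBeanServerForwarder.class.getClassLoader(),
                new Class<?>[] { MBeanServerForwarder.class }, new RoleCheckingForwarder());
        cs.setMBeanServerForwarder(f); // the connector server calls f.setMBeanServer(real) itself
    }

    @Override
    public Object invoke(Object proxy, Method m, Object[] args) throws Throwable {
        if (m.getName().equals("setMBeanServer")) { target = (MBeanServer) args[0]; return null; }
        if (m.getName().equals("getMBeanServer")) { return target; }
        if (WRITE_METHODS.contains(m.getName()) && !isAdmin()) {
            throw new SecurityException(m.getName() + " requires the admin role");
        }
        try {
            return m.invoke(target, args); // reads, and writes by admins, go to the real server
        } catch (InvocationTargetException e) {
            throw e.getCause(); // surface the MBeanServer's own exception, not the reflective wrapper
        }
    }

    private static boolean isAdmin() {
        // The RMI connector runs each request under the authenticated Subject. AccessController is
        // deprecated on recent JDKs; Subject.current() (JDK 18+) is the replacement.
        Subject s = Subject.getSubject(AccessController.getContext());
        return s != null && !s.getPrincipals(AdminPrincipal.class).isEmpty();
    }
}
```

Treating every invoke as a write is deliberate: an operation's name alone does not reveal whether it mutates state, so a read-only role is safer denied all operations than allowed a guessed subset.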
