
Hawt.io web application - user permissions

I've got a question about hawt.io security. I've installed hawt.io as a web application (currently it's embedded Jetty, but we have an option to use Tomcat in an embedded / regular mode as well). Hawt.io visualizes the JMX mbeans tree of the same process; we don't connect to remote servers, everything is local. What I would like to do is to find the best way to provide an authentication and authorization mechanism to be used:

  • User's authentication: should be done preferably via LDAP
  • User authorization: some users can gain full access to all mbeans, others are restricted to not execute mbean operations, but only read attributes.

I thought that I could install a web filter (in Jetty I can do it outside the web.xml) and check requests, but since hawt.io uses the POST web method to communicate with its internal Jolokia, the identifier of the operation execution is inside the body of the request, so I don't really have access to it from within the web filter, since in Java Servlets I can read the request body only once. I know I can provide a 'fake request', but maybe there exists a better solution.

Maybe someone can provide relevant configuration snippets for the configuration of such an installation. Thanks a lot in advance.

For role based authorization you can query up-front if the user has access to a given mbean/operation/attribute. If you implement this interface you can probably integrate with some server-side authorization for JMX. By default hawtio uses a dummy implementation that lets everything through. This all was originally designed to work with the JMX guard stuff implemented for Apache Karaf, which exposes the same mbean but actually does restrict access via ACL configuration. Anyways, the client-side javascript is set up to locate this mbean by scanning for "type=security;area=jmx", just set a higher 'rank' attribute in your mbean and the javascript will use it.
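A server-side filter along the lines the question sketches, added here as an example (it is not code from the question, the answer or the hawtio project): it buffers the Jolokia POST body once, refuses exec and write requests for users outside an assumed "jmx-admin" role that the container's LDAP realm assigns, and replays the body to Jolokia; the security mbean the answer describes only tells the hawtio UI what to show, so a filter like this is the actual enforcement point. It assumes Java 11+, the javax.servlet 4 API with Jackson on the classpath, and that the filter is mapped to the Jolokia endpoint path.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;
import com.fasterxml.jackson.databind.*;

public class JolokiaReadOnlyFilter implements Filter {
    private static final ObjectMapper MAPPER = new ObjectMapper();

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // "jmx-admin" is an assumed role name; the container's LDAP realm decides who holds it.
        if (http.isUserInRole("jmx-admin") || !"POST".equals(http.getMethod())) {
            chain.doFilter(req, res);
            return;
        }
        // Consume the body exactly once, then hand Jolokia a wrapper that replays it.
        byte[] body = http.getInputStream().readAllBytes();
        if (containsMutatingRequest(body)) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN, "read-only JMX access");
            return;
        }
        chain.doFilter(new ReplayableRequest(http, body), res);
    }

    // True if the Jolokia body (one request object or a bulk array) contains an exec or write request.
    static boolean containsMutatingRequest(byte[] body) throws IOException {
        JsonNode root = MAPPER.readTree(body);
        for (JsonNode r : root.isArray() ? root : Collections.singletonList(root)) {
            if (Set.of("exec", "write").contains(r.path("type").asText().toLowerCase(Locale.ROOT))) return true;
        }
        return false;  // read, list, search and version requests are allowed
    }

    // Wrapper that serves the buffered body, because a ServletInputStream can only be read once.
    static class ReplayableRequest extends HttpServletRequestWrapper {
        private final byte[] body;
        ReplayableRequest(HttpServletRequest req, byte[] body) { super(req); this.body = body; }
        @Override public ServletInputStream getInputStream() {
            ByteArrayInputStream in = new ByteArrayInputStream(body);
            return new ServletInputStream() {
                @Override public int read() { return in.read(); }
                @Override public boolean isFinished() { return in.available() == 0; }
                @Override public boolean isReady() { return true; }
                @Override public void setReadListener(ReadListener l) {}
            };
        }
        @Override public BufferedReader getReader() {
            return new BufferedReader(new InputStreamReader(getInputStream(), StandardCharsets.UTF_8));
        }
    }
}
```

Jolokia also accepts GET requests with the operation encoded in the URL path, so a complete read-only policy must deny those too (or reject GET entirely for the read-only role); this example covers only the POST case raised in the question.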
