
Hawt.io web application - user permissions

I've got a question about hawt.io security. I've installed hawt.io as a web application (currently it's embedded Jetty, but we have an option to use Tomcat in an embedded / regular mode as well). Hawt.io visualizes the JMX MBeans tree of the same process; we don't connect to remote servers, everything is local. What I would like to do is to find the best way to provide an authentication and authorization mechanism to be used:

  • User's authentication: should be done preferably via LDAP
  • User authorization: some users can gain full access to all mbeans, others are restricted to not execute mbean operations, but only read attributes.

I thought that I can install a web filter, in Jetty I can do it outside the web.xml and check requests, but since hawt.io uses the POST web method to communicate with its internal Jolokia, the identifier of the operation execution is inside the body of the request, so I don't really have access to it from within the web filter, since in Java Servlets I can read the request body only once. I know I can provide a 'fake request', but maybe there exists a better solution.

Maybe someone can provide relevant configuration snippets for configuration of such an installation. Thanks a lot in advance.

For role-based authorization you can query up-front if the user has access to a given mbean/operation/attribute. If you implement this interface you can probably integrate with some server-side authorization for JMX. By default hawtio uses a dummy implementation that lets everything through. This all was originally designed to work with the JMX guard stuff implemented for Apache Karaf, which exposes the same mbean but actually does restrict access via ACL configuration. Anyways, the client-side JavaScript is set up to locate this mbean by scanning for "type=security;area=jmx"; just set a higher 'rank' attribute in your mbean and the JavaScript will use it.
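
The filter approach from the question, as an added example that is not part of the original posts or of hawtio: it buffers the request body once, refuses anything other than read-only Jolokia request types for non-admin users, and replays the bytes to the Jolokia servlet. Assumptions: Servlet 3.1 (`javax.servlet`), Java 9+, json-simple on the classpath, container-managed login (for example an LDAP-backed realm), a filter mapping that covers only the Jolokia servlet path, and a hypothetical role name `jmx-admin`.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;
import org.json.simple.JSONValue;

/** Added example. Map this filter to the Jolokia servlet path only; "jmx-admin" is a hypothetical role. */
public class JolokiaReadOnlyFilter implements Filter {
    private static final Set<String> SAFE = new HashSet<>(Arrays.asList("read", "list", "search", "version"));
    public void init(FilterConfig c) {} public void destroy() {}
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        if (req.isUserInRole("jmx-admin")) { chain.doFilter(rq, rs); return; }
        // Read the body once, keep the bytes, and replay them to Jolokia below.
        final byte[] body = req.getInputStream().readAllBytes();
        boolean ok = "POST".equals(req.getMethod())
                ? allSafe(JSONValue.parse(new String(body, StandardCharsets.UTF_8)))
                : "GET".equals(req.getMethod()) && safePath(req.getPathInfo());
        if (!ok) { ((HttpServletResponse) rs).sendError(403, "read-only JMX access"); return; }
        chain.doFilter(new HttpServletRequestWrapper(req) {
            @Override public ServletInputStream getInputStream() {
                final ByteArrayInputStream in = new ByteArrayInputStream(body);
                return new ServletInputStream() {
                    public int read() { return in.read(); }
                    public boolean isFinished() { return in.available() == 0; }
                    public boolean isReady() { return true; }
                    public void setReadListener(ReadListener l) { }
                };
            }
            @Override public BufferedReader getReader() throws IOException {
                return new BufferedReader(new InputStreamReader(getInputStream(), StandardCharsets.UTF_8));
            }
        }, rs);
    }
    /** Deny by default: a single request, or every element of a bulk array, must have a read-only type. */
    static boolean allSafe(Object json) {
        if (json instanceof List)
            return !((List<?>) json).isEmpty() && ((List<?>) json).stream().allMatch(JolokiaReadOnlyFilter::allSafe);
        return json instanceof Map && SAFE.contains(((Map<?, ?>) json).get("type"));
    }
    /** GET form carries the type in the first path segment; an empty path is refused. */
    static boolean safePath(String p) {
        String[] seg = p == null ? new String[0] : p.split("/");
        return seg.length > 1 && SAFE.contains(seg[1]);
    }
}
```

Because the security MBean described in the answer is consulted by client-side JavaScript, a server-side check like this one (or a JMX-level ACL as in Karaf) is what actually stops a `write` or `exec` request sent directly to the Jolokia endpoint.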
