使用自定義JAAS登錄模塊啟動JMX代理,將login()設置為始終返回true
[英]Launching a JMX agent with a custom JAAS login module, setting login() to always return true
問題描述
我正在為JMX實例構建自定義JAAS模塊。 正在運行的文件如下:
MBean接口
package com.this.mbean;
public interface ImplementationMBean {
public void setName(String name);
public String getName();
public void setNumber(int number);
public int getNumber();
public boolean getKilled();
public void setKilled(boolean killed);
}
實現類
package com.test.mbean;
public class Implementation implements ImplementationMBean {
private String name ;
private int number;
private boolean killed = false;
public Implementation(String name, int number) {
this.name = name;
this.number = number;
}
@Override
public void setName(String name) {
this.name = name;
}
@Override
public String getName() {
return name;
}
@Override
public void setNumber(int number) {
this.number = number;
}
@Override
public int getNumber() {
return number;
}
@Override
public boolean getKilled() {
return killed;
}
@Override
public void setKilled(boolean killed) {
this.killed = killed;
}
}
RunningImplementation類別
package com.test.running;
import java.lang.management.ManagementFactory;
import com.test.mbean.*;
import javax.management.InstanceAlreadyExistsException;
import javax.management.MBeanRegistrationException;
import javax.management.MBeanServer;
import javax.management.MalformedObjectNameException;
import javax.management.NotCompliantMBeanException;
import javax.management.ObjectName;
public class RunningImplementation {
public static final String name = "defaultName";
public static final int number = 100;
public static void main(String[] args)
throws MalformedObjectNameException, InterruptedException,
InstanceAlreadyExistsException, MBeanRegistrationException,
NotCompliantMBeanException{
//get MBean Server
MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
//register MBean
ImplementationMBean mBean = new Implementation(name, number);
ObjectName name = new ObjectName("com.bard.mbean:type=ConcreteImplementation");
mbs.registerMBean(mBean, name);
do{
Thread.sleep(1000);
System.out.println("Name = " + mBean.getName() + ", number = " + mBean.getNumber());
}while(mBean.getKilled() == false);
}
}
這被打包到一個名為MBeanSecure.jar的JAR文件中。
我已經啟用了jmx代理:
-Dcom.sun.management.jmxremote
我將其設置為在端口1234的localhost上運行:
-Dcom.sun.management.jmxremote.port=1234
我已經將JMX代理配置為使用指定的JAAS配置條目:
-Dcom.sun.management.login.config=Sample
並指定Jaas配置文件的路徑:
-Djava.security.auth.login.config=sample_jaas.config
sample_jaas.config
Sample {
sample.module.SampleLoginModule required debug=true;
authIdentity=monitorRole;
};
監控器角色在jmxremote.access中指定
-Dcom.sun.management.jmxremote.access.file=jmxremote.access
看起來像這樣:
monitorRole readonly
controleRole readwrite
我的Loginmodule很簡單,因為無論返回什么,它都會返回true。
SampleLoginModule
package sample.module;
import java.util.*;
import java.io.IOException;
import javax.security.auth.*;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.*;
import sample.principal.SamplePrincipal;
public class SampleLoginModule implements LoginModule {
// initial state
private Subject subject;
private CallbackHandler callbackHandler;
private Map sharedState;
private Map options;
// configurable option
private boolean debug = false;
// the authentication status
private boolean succeeded = false;
private boolean commitSucceeded = false;
// username and password
private String username;
private char[] password;
// testUser's SamplePrincipal
private SamplePrincipal userPrincipal;
public void initialize(Subject subject, CallbackHandler callbackHandler,
Map sharedState, Map options) {
this.subject = subject;
this.callbackHandler = callbackHandler;
this.sharedState = sharedState;
this.options = options;
// initialize any configured options
debug = "true".equalsIgnoreCase((String)options.get("debug"));
}
public boolean login() throws LoginException {
return true;
}
public boolean commit() throws LoginException {
if (succeeded == false) {
return false;
} else {
// add a Principal (authenticated identity)
// to the Subject
// assume the user we authenticated is the SamplePrincipal
userPrincipal = new SamplePrincipal(username);
if (!subject.getPrincipals().contains(userPrincipal))
subject.getPrincipals().add(userPrincipal);
if (debug) {
System.out.println("\t\t[SampleLoginModule] " +
"added SamplePrincipal to Subject");
}
// in any case, clean out state
username = null;
for (int i = 0; i < password.length; i++)
password[i] = ' ';
password = null;
commitSucceeded = true;
return true;
}
}
public boolean abort() throws LoginException {
if (succeeded == false) {
return false;
} else if (succeeded == true && commitSucceeded == false) {
// login succeeded but overall authentication failed
succeeded = false;
username = null;
if (password != null) {
for (int i = 0; i < password.length; i++)
password[i] = ' ';
password = null;
}
userPrincipal = null;
} else {
// overall authentication succeeded and commit succeeded,
// but someone else's commit failed
logout();
}
return true;
}
public boolean logout() throws LoginException {
subject.getPrincipals().remove(userPrincipal);
succeeded = false;
succeeded = commitSucceeded;
username = null;
if (password != null) {
for (int i = 0; i < password.length; i++)
password[i] = ' ';
password = null;
}
userPrincipal = null;
return true;
}
}
與校長班:
SamplePrincipal
package sample.principal;
import java.security.Principal;
public class SamplePrincipal implements Principal, java.io.Serializable {
private String name;
public SamplePrincipal(String name) {
if (name == null)
throw new NullPointerException("illegal null input");
this.name = name;
}
public String getName() {
return name;
}
public String toString() {
return("SamplePrincipal: " + name);
}
public boolean equals(Object o) {
if (o == null)
return false;
if (this == o)
return true;
if (!(o instanceof SamplePrincipal))
return false;
SamplePrincipal that = (SamplePrincipal)o;
if (this.getName().equals(that.getName()))
return true;
return false;
}
public int hashCode() {
return name.hashCode();
}
}
當我使用以下代碼運行代碼時:
java -Dcom.sun.management.jmxremote.port=1234 -Dcom.sun.management.jmxremote.login.config=Sample -Dcom.java.security.auth.login.config=sample_jaas.config -Djava.security.policy==sampleazn.policy -Dcom.sun.management.jmxremote.access.file=jmxremote.access -jar MBeanSecure.jar
代碼運行,定期輸出
Name = defaultName, number = 100
然后,我嘗試通過JConsole訪問JMX代理。
jconsole
這將打開Jconsole窗口,顯示正在運行的進程。
但是,當我嘗試作為遠程進程連接到它時,出現“連接失敗”錯誤。 這很難調試,因為我看不到任何失敗的日志。 我是否認為通過使用
com.sun.management.jmxremote.login.config
我會覆蓋默認的登錄行為嗎? 在哪種情況下,它應該檢查我的Jaas配置,運行login模塊,該模塊始終返回true,並允許用戶使用指定的monitorRole?
我相信錯誤在於配置文件中,但是由於缺乏文檔,因此很難確認設置或調試。
2 個解決方案
解決方案1
1 已采納 2015-05-19 10:34:43
解決了:
我可以通過運行以下命令調試問題:
jconsole -debug
這表明我的配置文件存在語法錯誤,並且需要:
Sample {
sample.module.SampleLoginModule required debug=true
authIdentity=monitorRole;
};
代替
Sample {
sample.module.SampleLoginModule required debug=true;
authIdentity=monitorRole;
};
注意單個分號
解決方案2
0 2015-08-07 11:49:40
我想修復此代碼中的錯誤。 僅更改登錄方法:
System.out.println("Login Module - login called");
if (callbackHandler == null) {
throw new LoginException("Oops, callbackHandler is null");
}
Callback[] callbacks = new Callback[2];
callbacks[0] = new NameCallback("name:");
callbacks[1] = new PasswordCallback("password:", false);
try {
callbackHandler.handle(callbacks);
} catch (IOException e) {
throw new LoginException("Oops, IOException calling handle on callbackHandler");
} catch (UnsupportedCallbackException e) {
throw new LoginException("Oops, UnsupportedCallbackException calling handle on callbackHandler");
}
NameCallback nameCallback = (NameCallback) callbacks[0];
PasswordCallback passwordCallback = (PasswordCallback) callbacks[1];
String name = nameCallback.getName();
String password = new String(passwordCallback.getPassword());
if ("sohanb".equals(name) && "welcome".equals(password)) {
System.out.println("Success! You get to log in!");
user = new JMXPrincipal(name);
succeeded = true;
return succeeded;
} else {
System.out.println("Failure! You don't get to log in");
succeeded = false;
throw new FailedLoginException("Sorry! No login for you.");
}
添加: user = new JMXPrincipal(name);
還要注釋commit()函數中的所有代碼行,只需添加:
subject.getPrincipals().add(user);
繞過JConsole對用戶名/密碼的要求 - 當使用帶有JMX的Jaas自定義登錄模塊來處理授權和身份驗證時
[英]Bypassing JConsole requirement for username/password - when using a Jaas custom login module with JMX to handle authorization and authentication
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.