JMX Authentication - Role Based MBean Operations


Question


I have implemented JMXAuthenticator for JMX authentication over RMI; however, I am not sure how to create roles to allow for readonly/readwrite access levels. For example, in JMXAuthenticator.authenticate I have my custom authentication logic and want this to determine the access role. I have tried the following, but it makes no difference when performing operations in JConsole:

import javax.management.remote.JMXAuthenticator;
import javax.management.remote.JMXPrincipal;
import javax.security.auth.Subject;

public class MyAuthenticator implements JMXAuthenticator {   // class name not given in the question

    @Override
    public Subject authenticate(Object credentials) {   // JConsole passes String[]{user, password}
        Subject subject = new Subject();
        JMXPrincipal p;

        //...my logic
        String accessLevel = myCustomLogic();   // the asker's own credential check (not shown on the page)
        if (accessLevel.equals("admin")) {
            p = new JMXPrincipal("adminrole");
        } else {
            p = new JMXPrincipal("basicrole");
        }

        subject.getPrincipals().add(p);   // the principal the server will see for this connection
        return subject;
    }
}


I have then created an access file, jmxaccess.properties, containing:

adminuser readwrite
basicuser readonly

And a jmx.management.properties containing com.sun.management.jmxremote.access.file = path to the access file. I then run the application with -Dcom.sun.management.config.file = PATH TO jmx.management.properties.


However, when I connect through JConsole and authenticate as basicuser (read-only access), I can access setters on the bean. I am connecting via the full service:jmx:rmi:... URL.

So my questions are:

  • Do I need to annotate/do anything to the setters in my bean to specify them as visible only to admin users?
  • Am I not building the Subject object returned by JMXAuthenticator correctly?
  • Is any other config/setup missing?

Thanks


Edit: My MBean is just a basic POJO with private fields that have public getters and setters, plus one other public method.

Recommended answer


Found the answer: you need to implement a custom invocation handler via the InvocationHandler interface. This intercepts server calls before they reach the beans. Inside the authenticate method you need to check the principals:

import java.security.AccessController;
import java.util.Set;
import javax.management.remote.JMXPrincipal;
import javax.security.auth.Subject;

// Inside InvocationHandler.invoke(): the connector server binds the caller's Subject to the thread.
Subject subject = Subject.getSubject(AccessController.getContext()); // deprecated since Java 17; Subject.current() on 18+
if (subject != null) {                                    // null when the call did not come through an authenticated connection
    Set<JMXPrincipal> principals = subject.getPrincipals(JMXPrincipal.class);
    if (!principals.isEmpty()) {
        JMXPrincipal principal = principals.iterator().next();
        //your checks
    }
}


I extended JMXPrincipal (one extension per access level) and assigned it to the Subject in the Authenticator above; then, after retrieving the principal in the IH, I can check the type via instanceof and either allow the action to continue or throw a SecurityException.
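The following is an added example, not code from the question or the answer, showing the complete server-side wiring the two posts describe: a JMXAuthenticator that records the access level, and the InvocationHandler-backed MBeanServerForwarder that enforces it. A connector server you create yourself with JMXConnectorServerFactory does not read com.sun.management.jmxremote.access.file (only the JDK's built-in management agent consults that file, and it enforces it through an MBeanServerForwarder of its own), so the forwarder below does the equivalent work by hand. It differs from the answer in one respect: the role is carried in the JMXPrincipal's name ("readwrite"/"readonly") and compared as a string, rather than one JMXPrincipal subclass per level. Assumptions: Java 18 or newer (for Subject.current()), a free port 9999, and two constructed accounts (adminuser/admin-secret, basicuser/basic-secret) that stand in for whatever credential store an application would really use.

```java
import java.lang.management.ManagementFactory;
import java.lang.reflect.*;
import java.nio.charset.StandardCharsets;
import java.rmi.registry.LocateRegistry;
import java.security.AccessController;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.management.MBeanServer;
import javax.management.remote.*;
import javax.security.auth.Subject;

/** Role-based JMX access: an authenticator that tags the Subject with a role and a forwarder that enforces it. */
public final class RoleBasedJmx {
    static final String READWRITE = "readwrite", READONLY = "readonly";

    // Constructed sample accounts for this example (user -> {password, role}); real code looks them up elsewhere.
    private static final Map<String, String[]> USERS = Map.of(
            "adminuser", new String[] {"admin-secret", READWRITE},
            "basicuser", new String[] {"basic-secret", READONLY});

    // MBeanServer methods that change state; invoke() counts as a write, as in the JDK's own access-file checks.
    private static final Set<String> WRITE_METHODS = Set.of(
            "setAttribute", "setAttributes", "invoke", "createMBean", "registerMBean", "unregisterMBean");

    /** JConsole sends credentials as String[]{user, password}; the role becomes the JMXPrincipal's name. */
    public static final class RoleAuthenticator implements JMXAuthenticator {
        @Override
        public Subject authenticate(Object credentials) {
            if (!(credentials instanceof String[] c) || c.length != 2 || c[0] == null || c[1] == null) {
                throw new SecurityException("Credentials must be String[]{user, password}");
            }
            String[] account = USERS.get(c[0]);
            byte[] expected = (account == null ? "" : account[0]).getBytes(StandardCharsets.UTF_8);
            // Constant-time compare, and one message whether the user or the password was wrong.
            if (account == null || !MessageDigest.isEqual(expected, c[1].getBytes(StandardCharsets.UTF_8))) {
                throw new SecurityException("Authentication failed");
            }
            Subject subject = new Subject();
            subject.getPrincipals().add(new JMXPrincipal(account[1]));   // attached to every call on this connection
            return subject;
        }
    }

    /** The Subject the connector server bound to the calling thread, across old and new JDK mechanisms. */
    @SuppressWarnings("removal")
    static Subject callerSubject() {
        Subject s = Subject.current();   // JDK 18+: thread-bound via Subject.callAs
        if (s == null) {
            try {
                s = Subject.getSubject(AccessController.getContext());   // AccessControlContext-based paths
            } catch (UnsupportedOperationException e) {
                // JDK 23+ with the SecurityManager disallowed: nothing else to consult, leave it null
            }
        }
        return s;
    }

    static boolean hasRole(Subject s, String role) {
        return s != null && s.getPrincipals(JMXPrincipal.class).stream().anyMatch(p -> role.equals(p.getName()));
    }

    /** A Proxy-backed MBeanServerForwarder: reads pass through, writes require the readwrite role. */
    public static MBeanServerForwarder roleCheckingForwarder() {
        InvocationHandler handler = new InvocationHandler() {
            private MBeanServer target;   // filled in by JMXConnectorServer.setMBeanServerForwarder
            @Override
            public Object invoke(Object proxy, Method m, Object[] args) throws Throwable {
                String name = m.getName();
                if (name.equals("getMBeanServer")) return target;
                if (name.equals("setMBeanServer")) { target = (MBeanServer) args[0]; return null; }
                // Reads are not gated: remote callers already authenticated, and the connector's own internal
                // lookups (class-loader resolution, for instance) arrive with no Subject at all.
                if (WRITE_METHODS.contains(name) && !hasRole(callerSubject(), READWRITE)) {
                    throw new SecurityException("Access denied: " + name + " requires the " + READWRITE + " role");
                }
                try {
                    return m.invoke(target, args);
                } catch (InvocationTargetException e) {
                    throw e.getCause();   // surface the MBeanServer's own exception, not the reflection wrapper
                }
            }
        };
        return (MBeanServerForwarder) Proxy.newProxyInstance(
                MBeanServerForwarder.class.getClassLoader(), new Class<?>[] {MBeanServerForwarder.class}, handler);
    }

    /** Starts an RMI connector on the given (assumed free) port with both pieces installed. */
    public static JMXConnectorServer start(int port) throws Exception {
        LocateRegistry.createRegistry(port);
        Map<String, Object> env = new HashMap<>();
        env.put(JMXConnectorServer.AUTHENTICATOR, new RoleAuthenticator());   // must be in env at creation time
        JMXServiceURL url = new JMXServiceURL("service:jmx:rmi:///jndi/rmi://localhost:" + port + "/jmxrmi");
        JMXConnectorServer cs = JMXConnectorServerFactory.newJMXConnectorServer(
                url, env, ManagementFactory.getPlatformMBeanServer());
        cs.setMBeanServerForwarder(roleCheckingForwarder());   // install before start()
        cs.start();
        return cs;
    }
}
```

Call RoleBasedJmx.start(9999) from the application, then point JConsole at service:jmx:rmi:///jndi/rmi://localhost:9999/jmxrmi. As basicuser, attribute reads work but setting an attribute or invoking an operation fails with SecurityException; as adminuser, both succeed. The forwarder denies writes whenever no Subject with the readwrite role can be found, so a connector path that fails to propagate the Subject fails closed rather than open. Note that the example binds plain RMI: credentials cross the network in clear text unless TLS socket factories are added to the environment (RMIConnectorServer.RMI_SERVER_SOCKET_FACTORY_ATTRIBUTE and RMI_CLIENT_SOCKET_FACTORY_ATTRIBUTE with javax.rmi.ssl.SslRMIServerSocketFactory and SslRMIClientSocketFactory).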
