users@glassfish.java.net

Securing JMX server with Spring AOP

From: Farrukh Najmi <farrukh_at_wellfleetsoftware.com>
Date: Tue, 06 Dec 2011 14:07:54 -0500

I had successfully secured my server for secure JMX access using Spring
AOP as described here:

http://forum.springsource.org/showthread.php?73677-How-to-secure-jmxServer-%28JConsole%29&p=349226#post349226

Recently this is no longer working when I try to authenticate using
jvisualvm, using the following steps to connect to
the web container JVM process via JMX while authenticating with my app's
authentication provider:

1. Start jvisualvm: $JAVA_HOME/bin/jvisualvm &

2. Open the Applications browser if not already open

3. Select the File / Add JMX Connection action from menu bar or context menu

4. In Connection field enter:
service:jmx:rmi://<host>/jndi/rmi://<host>:1099/jmxRMIConnector

5. In display name field enter something like: “My Server”

6. Select “Use security credentials” checkbox

7. Enter username and password for a registered user

8. Check “Save security credentials” if you do not wish to enter it
every time you start jvisualvm.

9. Click OK button. This will create an entry for the connection under
the Local node in applications tree

10. Double click the newly added entry for the connection under the
Local node in applications tree
to connect to the server

What happens is that the server logs the following message and jvisualvm
again prompts for user credentials:

[#|2011-12-06T13:49:59.324-0500|INFO|glassfish3.1|javax.enterprise.system.tools.admin.com.sun.enterprise.container.common|_ThreadID=198;_ThreadName=Thread-1;|User [somuserId] from host null does not have administration access|#]

Since this used to work in GF 3.0.1, I am wondering if something has
changed in GlassFish 3.1 that could break this.

I use the following Spring AOP configuration:

<bean id="JMXAuthenticationAspect"
      class="org.freebxml.omar.server.jmx.JMXAuthenticationAspect">
    <property name="authenticationRegistry" ref="AuthenticationRegistry"/>
</bean>

<aop:config>
    <aop:pointcut id="jmx-pointcut"
                  expression="execution(public * javax.management.MBeanServer.invoke(..))" />
    <aop:aspect ref="JMXAuthenticationAspect">
        <aop:around pointcut-ref="jmx-pointcut" method="invoke"/>
    </aop:aspect>
</aop:config>

Is it possible that javax.management.MBeanServer.invoke(..) is no longer
called during a JMX operation, which would cause the AOP-based solution
to break?

-- 
Regards,
Farrukh Najmi
Web: http://www.wellfleetsoftware.com
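
Added example, not part of the original message and not the poster's JMXAuthenticationAspect: a stand-alone Java program that wraps the platform MBeanServer in a JDK dynamic proxy and records which MBeanServer methods an attribute read and an operation call go through, so you can see which calls a pointcut limited to invoke(..) covers. The class name MBeanServerCallTrace and the java.lang:type=Memory target are choices made for this illustration; it assumes Java 8 or later.

```java
import java.lang.management.ManagementFactory;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;
import java.util.ArrayList;
import java.util.List;
import javax.management.MBeanServer;
import javax.management.ObjectName;

// Illustration only (hypothetical class name): trace MBeanServer method calls.
public class MBeanServerCallTrace {
    // Names of the MBeanServer methods that were actually called, in order.
    static final List<String> calls = new ArrayList<>();

    // Wrap an MBeanServer in a dynamic proxy that records every interface
    // method before delegating, not only invoke(..).
    static MBeanServer traced(MBeanServer target) {
        return (MBeanServer) Proxy.newProxyInstance(
            MBeanServerCallTrace.class.getClassLoader(),
            new Class<?>[] { MBeanServer.class },
            (proxy, method, args) -> {
                calls.add(method.getName());
                try {
                    return method.invoke(target, args);
                } catch (InvocationTargetException e) {
                    throw e.getCause(); // surface the MBeanServer's own exception
                }
            });
    }

    public static void main(String[] args) throws Exception {
        MBeanServer mbs = traced(ManagementFactory.getPlatformMBeanServer());
        ObjectName memory = new ObjectName("java.lang:type=Memory");

        // Attribute read, as a console does when it displays heap usage.
        mbs.getAttribute(memory, "HeapMemoryUsage");
        // Operation call, as a console does for its "Perform GC" button.
        mbs.invoke(memory, "gc", null, null);

        for (String name : calls) {
            // The posted pointcut's method pattern is MBeanServer.invoke(..).
            boolean matched = name.equals("invoke");
            System.out.println(name + (matched
                ? "  <- matches the invoke(..) method pattern"
                : "  <- does not match the invoke(..) method pattern"));
        }
    }
}
```

Attribute reads and writes, queries and listener registration are separate MBeanServer methods, so an access check attached only to invoke(..) does not see them.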