Posted to issues@karaf.apache.org by "Jean-Baptiste Onofré (Jira)" <ji...@apache.org> on 2020/03/28 07:16:00 UTC

[jira] [Commented] (KARAF-6654) Remote JMX connection not working with security manager

    [ https://issues.apache.org/jira/browse/KARAF-6654?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17069277#comment-17069277 ] 

Jean-Baptiste Onofré commented on KARAF-6654:
---------------------------------------------

Hi.

Can you elaborate a bit on your use case? Why do you need the security manager compared to the provided ACL?

> Remote JMX connection not working with security manager
> -------------------------------------------------------
>
>                 Key: KARAF-6654
>                 URL: https://issues.apache.org/jira/browse/KARAF-6654
>             Project: Karaf
>          Issue Type: Bug
>          Components: karaf
>    Affects Versions: 4.2.8
>         Environment: Karaf version 4.2.8
>            Reporter: Blen Desta
>            Priority: Major
>              Labels: JMX, SecurityManager, jmx
>
> We're unable to connect to remote JMX with security manager enabled.
>  
> Steps to reproduce:
>  * On Karaf 4.2.8, turn on the security manager by adding {{-Djava.security.manager}} and {{-Djava.security.policy==${KARAF_HOME}/etc/all.policy}} to the karaf script.
>  * Using jconsole with debug logging, connect to the remote JMX using {{service:jmx:rmi:///jndi/rmi://localhost:1099/karaf-root}} and karaf/karaf as the username and password. Choose {{Insecure connection}}.
>
> The connection will fail and you will get the following in the logs.
> Note: {{all.policy}} grants access to everything.
> {code:java}
> java.security.AccessControlException: access denied ("javax.security.auth.AuthPermission" "getSubject")
> 	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
> 	at java.security.AccessController.checkPermission(AccessController.java:886)
> 	at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
> 	at javax.security.auth.Subject.getSubject(Subject.java:287)
> 	at org.apache.felix.eventadmin.impl.handler.EventAdminImpl.prepareEvent(EventAdminImpl.java:146)
> 	at org.apache.felix.eventadmin.impl.handler.EventAdminImpl.postEvent(EventAdminImpl.java:180)
> 	at org.apache.felix.eventadmin.impl.security.EventAdminSecurityDecorator.postEvent(EventAdminSecurityDecorator.java:79)
> 	at org.apache.karaf.management.internal.EventAdminLoggerImpl.log(EventAdminLoggerImpl.java:56)
> 	at org.apache.karaf.management.internal.EventAdminMBeanServerWrapper.log(EventAdminMBeanServerWrapper.java:143)
> 	at org.apache.karaf.management.internal.EventAdminMBeanServerWrapper.getClassLoaderRepository(EventAdminMBeanServerWrapper.java:641)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> 	at java.lang.reflect.Method.invoke(Method.java:498)
> 	at org.apache.karaf.management.internal.MBeanInvocationHandler.invoke(MBeanInvocationHandler.java:60)
> 	at com.sun.proxy.$Proxy19.getClassLoaderRepository(Unknown Source)
> 	at javax.management.remote.rmi.RMIConnectionImpl$1.run(RMIConnectionImpl.java:137)
> 	at javax.management.remote.rmi.RMIConnectionImpl$1.run(RMIConnectionImpl.java:135)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at javax.management.remote.rmi.RMIConnectionImpl.<init>(RMIConnectionImpl.java:134)
> 	at javax.management.remote.rmi.RMIJRMPServerImpl.makeClient(RMIJRMPServerImpl.java:207)
> 	at javax.management.remote.rmi.RMIServerImpl.doNewClient(RMIServerImpl.java:250)
> 	at javax.management.remote.rmi.RMIServerImpl.newClient(RMIServerImpl.java:199)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> 	at java.lang.reflect.Method.invoke(Method.java:498)
> 	at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:357)
> 	at sun.rmi.transport.Transport$1.run(Transport.java:200)
> 	at sun.rmi.transport.Transport$1.run(Transport.java:197)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at sun.rmi.transport.Transport.serviceCall(Transport.java:196)
> 	at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:573)
> 	at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:834)
> 	at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.lambda$run$0(TCPTransport.java:688)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:687)
> 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> 	at java.lang.Thread.run(Thread.java:748)
> 	at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(StreamRemoteCall.java:303)
> 	at sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:279)
> 	at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:161)
> 	at javax.management.remote.rmi.RMIServerImpl_Stub.newClient(Unknown Source)
> 	at javax.management.remote.rmi.RMIConnector.getConnection(RMIConnector.java:2430)
> 	at javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:308)
> 	at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:270)
> 	at sun.tools.jconsole.ProxyClient.tryConnect(ProxyClient.java:370)
> 	at sun.tools.jconsole.ProxyClient.connect(ProxyClient.java:313)
> 	at sun.tools.jconsole.VMPanel$2.run(VMPanel.java:294)
> {code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)