Posted to dev@qpid.apache.org by "Martin Ritchie (JIRA)" <qp...@incubator.apache.org> on 2008/12/03 15:33:46 UTC

[jira] Created: (QPID-1511) JMX Interface does not require authentication

JMX Interface does not require authentication
---------------------------------------------

                 Key: QPID-1511
                 URL: https://issues.apache.org/jira/browse/QPID-1511
             Project: Qpid
          Issue Type: Improvement
          Components: Java Broker, Java Management : JMX Console
    Affects Versions: M3, M2.1, M2, M1, M4
            Reporter: Martin Ritchie


Summary:

JMX Interface uses the default RMI connector which has no authentication mechanism. We should not be shipping a JMX interface that doesn't have authentication. The interface has been disabled by default for M4 but this should be modified based on the outcome of the discussion on qpid-dev to authenticate all connections.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[java] QPID-1511 - JMX authentication

Posted by Robbie Gemmell <ge...@dcs.gla.ac.uk>.
Just a quick prod for Martin so he doesn’t miss out on the fun due to email filters :)


..this one might take a touch longer to look at than some of the others still on your list hehe :)


Robbie

-----Original Message-----
From: Robert Gemmell (JIRA) [mailto:qpid-dev@incubator.apache.org] 
Sent: 30 January 2009 00:34
To: qpid-dev@incubator.apache.org
Subject: [jira] Updated: (QPID-1511) JMX Interface does not require authentication[MESSAGE NOT SCANNED]


     [ https://issues.apache.org/jira/browse/QPID-1511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Gemmell updated QPID-1511:
---------------------------------

    Attachment: QPID-1511_29jan2009.patch
                create_example_ssl_certstores.sh

I attach QPID-1511_29jan2009.patch to address this JIRA, and a script to produce an example keystore and truststore for users who don't have their own SSL certificate handy. I wasn't sure where to put that in the repository so it's not in the patch.

The JMXMP connector capabilities are left intact for now, but grouped for easy future removal (I think it's a good idea to keep it all in for at least 1 revision before removing).

2 new files are added by the patch:
qpid/java/broker/src/main/java/org/apache/qpid/server/security/auth/rmi/RMIPasswordAuthenticator.java
qpid/java/broker/src/test/java/org/apache/qpid/server/security/auth/rmi/RMIPasswordAuthenticatorTest.java

=======
Notes:
=======

Adds authentication and SSL encryption to the JMX RMIConnectorServer, and updates the console and JMXConnectionFactory accordingly.

Makes the RMI ConnectorServer use the custom MBeanServerForwarder invoker like the JMXMP connector has, thus enforcing the authorisation system.

SSL is on by default in the config file but can be turned off in the config if desired, though the broker's config request defaults it to true so that need not be exposed if it isn't desired. The config.xml file is configured to use the test ssl certificate store in the java/test_resources/ssl directory created for the cpp.ssl test profile. The config file can be overridden by specifying the standard javax.net.ssl.* system properties normally available for this task. If the keystore or password are not set by one of these means, a configuration exception will be thrown and abort the broker startup.

As a result of the above, to connect using the console/cli you will need to supply the relevant ssl trust store location and password if the certificates being used can't be verified by the default java trust stores. This can be done using the system properties javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword, either at the command line when launching qpidmc(.exe), or by altering the qpidmc.ini file using the examples now provided within it.

The broker will use the defined management port (default 8999) for the RMI registry as before, but now uses the <OFFSET>'th next port (+100 just now, thus 9099 normally) to export the actual JMX RMIConnectorServer, whereas previously this port was chosen at random by the JMX Factory methods, making it rather firewall unfriendly.

A custom RMIServerSocketFactory is included to address the security issues surrounding RMI registries (namely that anyone on that machine is free to modify the registry and thus can intercept the JMX connections by replacing the JMX Connector Server stub in the registry with their own), by crippling the hostname detection and making it impossible to bind objects to the registry using RMI locally or remotely, instead requiring you to hold the object reference to it.

The authenticator has a local MD5 hashing function to convert the password for comparison, but ideally this will be removed through modification of the Base64MD5 PD to do its own hashing, and the authenticator will then make use of the PD's verifyPassword method instead.

Finally, the patch makes the JMXManagedObjectRegistry use the specific principal database listed in the configuration as the jmx management PD, as happens to AMQUserManagementMBean. The PD selection method used previously in JMXManagedObjectRegistry made it possible for the 2 areas to (unwittingly or otherwise) use different databases, which the AMQUMMBean implementation does not appear to be able to support properly if that's what was originally intended (see http://mail-archives.apache.org/mod_mbox/qpid-dev/200812.mbox/%3C00e101c953ff$1f33bca0$5d9b35e0$@gla.ac.uk%3E for way more info than you could ever want :P)


> JMX Interface does not require authentication
> ---------------------------------------------
>
>                 Key: QPID-1511
>                 URL: https://issues.apache.org/jira/browse/QPID-1511
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Java Broker, Java Management : JMX Console
>            Reporter: Martin Ritchie
>             Fix For: Eclipse MC M5
>
>         Attachments: create_example_ssl_certstores.sh, QPID-1511_29jan2009.patch
>
>
> Summary:
> JMX Interface uses the default RMI connector which has no authentication mechanism. We should not be shipping a JMX interface that doesn't have authentication. The interface has been disabled by default for M4 but this should be modified based on the outcome of the discussion on qpid-dev to authenticate all connections.



---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org
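
The connector setup described in the notes above (password authentication, SSL socket factories, registry on the management port with the connector exported at a fixed +100 offset), as an added example built only on standard JDK APIs; it is not the Qpid patch or Qpid code. The class name, the BiPredicate standing in for the principal database and the sample account are assumptions, and the patch's registry hardening and MBeanServerForwarder authorisation are not reproduced.

```java
import java.io.IOException;
import java.lang.management.ManagementFactory;
import java.nio.charset.StandardCharsets;
import java.rmi.registry.LocateRegistry;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.function.BiPredicate;
import javax.management.remote.*;
import javax.management.remote.rmi.RMIConnectorServer;
import javax.rmi.ssl.SslRMIClientSocketFactory;
import javax.rmi.ssl.SslRMIServerSocketFactory;
import javax.security.auth.Subject;

public class SecureJmxRmiExample { // hypothetical class name, not part of Qpid
    static final int PORT_OFFSET = 100; // connector export port = registry port + 100, as in the thread

    /** Checks the String[]{user, password} pair an RMI JMX client sends as JMXConnector.CREDENTIALS. */
    static final class PasswordAuthenticator implements JMXAuthenticator {
        private final BiPredicate<String, String> verifier; // stand-in for a principal database lookup

        PasswordAuthenticator(BiPredicate<String, String> verifier) {
            this.verifier = verifier;
        }

        @Override
        public Subject authenticate(Object credentials) {
            // Anything other than a two-element String[] is rejected before the user store is consulted.
            if (!(credentials instanceof String[]) || ((String[]) credentials).length != 2) {
                throw new SecurityException("Expected String[]{username, password}");
            }
            String[] pair = (String[]) credentials;
            if (pair[0] == null || pair[1] == null || !verifier.test(pair[0], pair[1])) {
                throw new SecurityException("Authentication failed"); // same message for every failure
            }
            // Read-only Subject carrying the authenticated user name for later authorisation checks.
            return new Subject(true, Collections.singleton(new JMXPrincipal(pair[0])),
                    Collections.emptySet(), Collections.emptySet());
        }
    }

    static String serviceUrl(String host, int registryPort) {
        // First port: where the connector server object is exported. Second port: the RMI registry.
        return "service:jmx:rmi://" + host + ":" + (registryPort + PORT_OFFSET)
                + "/jndi/rmi://" + host + ":" + registryPort + "/jmxrmi";
    }

    static JMXConnectorServer start(String host, int registryPort, JMXAuthenticator auth)
            throws IOException {
        // Fail closed, as the thread describes: no key store means the broker does not start.
        if (System.getProperty("javax.net.ssl.keyStore") == null
                || System.getProperty("javax.net.ssl.keyStorePassword") == null) {
            throw new IllegalStateException("Set javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword");
        }
        LocateRegistry.createRegistry(registryPort);
        Map<String, Object> env = new HashMap<>();
        env.put(JMXConnectorServer.AUTHENTICATOR, auth);
        env.put(RMIConnectorServer.RMI_CLIENT_SOCKET_FACTORY_ATTRIBUTE, new SslRMIClientSocketFactory());
        env.put(RMIConnectorServer.RMI_SERVER_SOCKET_FACTORY_ATTRIBUTE, new SslRMIServerSocketFactory());
        JMXConnectorServer server = JMXConnectorServerFactory.newJMXConnectorServer(
                new JMXServiceURL(serviceUrl(host, registryPort)), env,
                ManagementFactory.getPlatformMBeanServer());
        server.start();
        return server;
    }

    static JMXConnector connect(String host, int registryPort, String user, String password)
            throws IOException {
        Map<String, Object> env = new HashMap<>();
        env.put(JMXConnector.CREDENTIALS, new String[] {user, password});
        return JMXConnectorFactory.connect(new JMXServiceURL(serviceUrl(host, registryPort)), env);
    }

    public static void main(String[] args) throws Exception {
        // Constructed single-account store for the demo; the comparison is constant time.
        byte[] secret = "constructed-sample-secret".getBytes(StandardCharsets.UTF_8);
        BiPredicate<String, String> store = (user, pw) -> "admin".equals(user)
                && MessageDigest.isEqual(secret, pw.getBytes(StandardCharsets.UTF_8));

        JMXConnectorServer server = start("localhost", 8999, new PasswordAuthenticator(store));
        try {
            connect("localhost", 8999, "admin", "wrong-password");
            throw new AssertionError("connection with bad credentials was accepted");
        } catch (SecurityException expected) {
            System.out.println("Rejected: " + expected.getMessage());
        }
        try (JMXConnector c = connect("localhost", 8999, "admin", "constructed-sample-secret")) {
            System.out.println("MBeans visible: " + c.getMBeanServerConnection().getMBeanCount());
        }
        server.stop();
        System.exit(0); // the exported registry would otherwise keep the JVM alive
    }
}
```

Because server and client share one JVM here, run it with javax.net.ssl.keyStore, javax.net.ssl.keyStorePassword, javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword all set on the command line.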





[jira] Issue Comment Edited: (QPID-1511) JMX Interface does not require authentication

Posted by "Robert Gemmell (JIRA)" <qp...@incubator.apache.org>.
    [ https://issues.apache.org/jira/browse/QPID-1511?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12657441#action_12657441 ] 

gemmellr edited comment on QPID-1511 at 12/17/08 8:47 AM:
----------------------------------------------------------------

The above noted patch is now out of date due to other changes to the JMXServerRegistry class of the MC for auto-negotiation (QPID-1506). Same changes, different place. It is also out of date due to a separate change introducing use of the custom invoker on the RMI connector server in the broker.

I am looking into adding SSL now, so will add a new patch then.


      was (Author: gemmellr):
    The above noted patch is now out of date due to other changes to the JMXServerRegistry class of the MC for auto-negotiation (QPID-1506). Same changes, different place. I am looking into adding SSL now, so will add a new patch then.
  
> JMX Interface does not require authentication
> ---------------------------------------------
>
>                 Key: QPID-1511
>                 URL: https://issues.apache.org/jira/browse/QPID-1511
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Java Broker, Java Management : JMX Console
>    Affects Versions: M1, M2, M2.1, M3, M4
>            Reporter: Martin Ritchie
>         Attachments: QPID-1511_wip_8dec2008.patch
>
>
> Summary:
> JMX Interface uses the default RMI connector which has no authentication mechanism. We should not be shipping a JMX interface that doesn't have authentication. The interface has been disabled by default for M4 but this should be modified based on the outcome of the discussion on qpid-dev to authenticate all connections.



[jira] Assigned: (QPID-1511) JMX Interface does not require authentication

Posted by "Robert Gemmell (JIRA)" <qp...@incubator.apache.org>.
     [ https://issues.apache.org/jira/browse/QPID-1511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Gemmell reassigned QPID-1511:
------------------------------------

    Assignee: Robert Gemmell

> JMX Interface does not require authentication
> ---------------------------------------------
>
>                 Key: QPID-1511
>                 URL: https://issues.apache.org/jira/browse/QPID-1511
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Java Broker, Java Management : JMX Console
>            Reporter: Martin Ritchie
>            Assignee: Robert Gemmell
>             Fix For: Eclipse MC M5
>
>         Attachments: create_example_ssl_certstores.sh, QPID-1511_29jan2009.patch
>
>
> Summary:
> JMX Interface uses the default RMI connector which has no authentication mechanism. We should not be shipping a JMX interface that doesn't have authentication. The interface has been disabled by default for M4 but this should be modified based on the outcome of the discussion on qpid-dev to authenticate all connections.



[jira] Updated: (QPID-1511) JMX Interface does not require authentication

Posted by "Marnie McCormack (JIRA)" <qp...@incubator.apache.org>.
     [ https://issues.apache.org/jira/browse/QPID-1511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Marnie McCormack updated QPID-1511:
-----------------------------------

        Fix Version/s: Eclipse MC M5
    Affects Version/s:     (was: M4)
                           (was: M2.1)
                           (was: M3)
                           (was: M2)
                           (was: M1)

Scoping items for early 2009 release of Java Eclipse Mgt Console

> JMX Interface does not require authentication
> ---------------------------------------------
>
>                 Key: QPID-1511
>                 URL: https://issues.apache.org/jira/browse/QPID-1511
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Java Broker, Java Management : JMX Console
>            Reporter: Martin Ritchie
>             Fix For: Eclipse MC M5
>
>         Attachments: QPID-1511_wip_19dec2008.patch, QPID-1511_wip_8dec2008.patch
>
>
> Summary:
> JMX Interface uses the default RMI connector which has no authentication mechanism. We should not be shipping a JMX interface that doesn't have authentication. The interface has been disabled by default for M4 but this should be modified based on the outcome of the discussion on qpid-dev to authenticate all connections.



[jira] Commented: (QPID-1511) JMX Interface does not require authentication

Posted by "Robert Gemmell (JIRA)" <qp...@incubator.apache.org>.
    [ https://issues.apache.org/jira/browse/QPID-1511?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12688179#action_12688179 ] 

Robert Gemmell commented on QPID-1511:
--------------------------------------

Added scripts to generate example ssl stores in r757268 / r757270

> JMX Interface does not require authentication
> ---------------------------------------------
>
>                 Key: QPID-1511
>                 URL: https://issues.apache.org/jira/browse/QPID-1511
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Java Broker, Java Management : JMX Console
>            Reporter: Martin Ritchie
>            Assignee: Martin Ritchie
>             Fix For: Eclipse MC M5
>
>         Attachments: create_example_ssl_certstores.sh, QPID-1511_29jan2009.patch
>
>
> Summary:
> JMX Interface uses the default RMI connector which has no authentication mechanism. We should not be shipping a JMX interface that doesn't have authentication. The interface has been disabled by default for M4 but this should be modified based on the outcome of the discussion on qpid-dev to authenticate all connections.



[jira] Updated: (QPID-1511) JMX Interface does not require authentication

Posted by "Robert Gemmell (JIRA)" <qp...@incubator.apache.org>.
     [ https://issues.apache.org/jira/browse/QPID-1511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Gemmell updated QPID-1511:
---------------------------------

    Attachment: QPID-1511_wip_19dec2008.patch

I have made a new patch of the progress on this, QPID-1511_wip_19dec2008.patch. It uses SSL to encrypt the RMI based connections and performs user authentication. The RMI based connector server is now subject to the access rights system like the JMXMP based connector server is. The JMXMP capability is retained with the patch, but is all collected within a single if statement and so easily removed, as has been discussed (I think it would be good to have 1 revision where it's there before removing it).

I know Aidan is doing work in this area to combine common management functionality for the console and cli that will invalidate this version of the patch, but I thought it would be useful for clarity to put it up just now, I will roll another when that's done. This patch also incorporates/alters changes I posted in a patch to QPID-1532 which haven't been committed yet.

I actually wouldn't recommend adding this stuff until after the post-M4 release of the console anyway, and once the MBean compatibility issues have been discussed. These features will allow prevention of old management consoles connecting to new brokers which implement whatever compatibility solution is determined.

> JMX Interface does not require authentication
> ---------------------------------------------
>
>                 Key: QPID-1511
>                 URL: https://issues.apache.org/jira/browse/QPID-1511
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Java Broker, Java Management : JMX Console
>    Affects Versions: M1, M2, M2.1, M3, M4
>            Reporter: Martin Ritchie
>         Attachments: QPID-1511_wip_19dec2008.patch, QPID-1511_wip_8dec2008.patch
>
>
> Summary:
> JMX Interface uses the default RMI connector which has no authentication mechanism. We should not be shipping a JMX interface that doesn't have authentication. The interface has been disabled by default for M4 but this should be modified based on the outcome of the discussion on qpid-dev to authenticate all connections.



[jira] Updated: (QPID-1511) JMX Interface does not require authentication

Posted by "Robert Gemmell (JIRA)" <qp...@incubator.apache.org>.
     [ https://issues.apache.org/jira/browse/QPID-1511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Gemmell updated QPID-1511:
---------------------------------

    Attachment: QPID-1511_29jan2009.patch
                create_example_ssl_certstores.sh

I attach QPID-1511_29jan2009.patch to address this JIRA, and a script to produce an example keystore and truststore for users who don't have their own SSL certificate handy. I wasn't sure where to put that in the repository so it's not in the patch.

The JMXMP connector capabilities are left intact for now, but grouped for easy future removal (I think it's a good idea to keep it all in for at least 1 revision before removing).

2 new files are added by the patch:
qpid/java/broker/src/main/java/org/apache/qpid/server/security/auth/rmi/RMIPasswordAuthenticator.java
qpid/java/broker/src/test/java/org/apache/qpid/server/security/auth/rmi/RMIPasswordAuthenticatorTest.java

=======
Notes:
=======

Adds authentication and SSL encryption to the JMX RMIConnectorServer, and updates the console and JMXConnectionFactory accordingly.

Makes the RMI ConnectorServer use the custom MBeanServerForwarder invoker like the JMXMP connector has, thus enforcing the authorisation system.

SSL is on by default in the config file but can be turned off in the config if desired, though the broker's config request defaults it to true so that need not be exposed if it isn't desired. The config.xml file is configured to use the test ssl certificate store in the java/test_resources/ssl directory created for the cpp.ssl test profile. The config file can be overridden by specifying the standard javax.net.ssl.* system properties normally available for this task. If the keystore or password are not set by one of these means, a configuration exception will be thrown and abort the broker startup.

As a result of the above, to connect using the console/cli you will need to supply the relevant ssl trust store location and password if the certificates being used can't be verified by the default java trust stores. This can be done using the system properties javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword, either at the command line when launching qpidmc(.exe), or by altering the qpidmc.ini file using the examples now provided within it.

The broker will use the defined management port (default 8999) for the RMI registry as before, but now uses the <OFFSET>'th next port (+100 just now, thus 9099 normally) to export the actual JMX RMIConnectorServer, whereas previously this port was chosen at random by the JMX Factory methods, making it rather firewall unfriendly.

A custom RMIServerSocketFactory is included to address the security issues surrounding RMI registries (namely that anyone on that machine is free to modify the registry and thus can intercept the JMX connections by replacing the JMX Connector Server stub in the registry with their own), by crippling the hostname detection and making it impossible to bind objects to the registry using RMI locally or remotely, instead requiring you to hold the object reference to it.

The authenticator has a local MD5 hashing function to convert the password for comparison, but ideally this will be removed through modification of the Base64MD5 PD to do its own hashing, and the authenticator will then make use of the PD's verifyPassword method instead.

Finally, the patch makes the JMXManagedObjectRegistry use the specific principal database listed in the configuration as the jmx management PD, as happens to AMQUserManagementMBean. The PD selection method used previously in JMXManagedObjectRegistry made it possible for the 2 areas to (unwittingly or otherwise) use different databases, which the AMQUMMBean implementation does not appear to be able to support properly if that's what was originally intended (see http://mail-archives.apache.org/mod_mbox/qpid-dev/200812.mbox/%3C00e101c953ff$1f33bca0$5d9b35e0$@gla.ac.uk%3E for way more info than you could ever want :P)


> JMX Interface does not require authentication
> ---------------------------------------------
>
>                 Key: QPID-1511
>                 URL: https://issues.apache.org/jira/browse/QPID-1511
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Java Broker, Java Management : JMX Console
>            Reporter: Martin Ritchie
>             Fix For: Eclipse MC M5
>
>         Attachments: create_example_ssl_certstores.sh, QPID-1511_29jan2009.patch
>
>
> Summary:
> JMX Interface uses the default RMI connector which has no authentication mechanism. We should not be shipping a JMX interface that doesn't have authentication. The interface has been disabled by default for M4 but this should be modified based on the outcome of the discussion on qpid-dev to authenticate all connections.



[jira] Assigned: (QPID-1511) JMX Interface does not require authentication

Posted by "Robert Gemmell (JIRA)" <qp...@incubator.apache.org>.
     [ https://issues.apache.org/jira/browse/QPID-1511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Gemmell reassigned QPID-1511:
------------------------------------

    Assignee: Martin Ritchie  (was: Robert Gemmell)

Hi Martin, Aidan already committed this patch for me previously but could you review it please, thanks.

> JMX Interface does not require authentication
> ---------------------------------------------
>
>                 Key: QPID-1511
>                 URL: https://issues.apache.org/jira/browse/QPID-1511
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Java Broker, Java Management : JMX Console
>            Reporter: Martin Ritchie
>            Assignee: Martin Ritchie
>             Fix For: Eclipse MC M5
>
>         Attachments: create_example_ssl_certstores.sh, QPID-1511_29jan2009.patch
>
>
> Summary:
> JMX Interface uses the default RMI connector which has no authentication mechanism. We should not be shipping a JMX interface that doesn't have authentication. The interface has been disabled by default for M4 but this should be modified based on the outcome of the discussion on qpid-dev to authenticate all connections.



[jira] Updated: (QPID-1511) JMX Interface does not require authentication

Posted by "Robert Gemmell (JIRA)" <qp...@incubator.apache.org>.
     [ https://issues.apache.org/jira/browse/QPID-1511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Gemmell updated QPID-1511:
---------------------------------

    Attachment:     (was: QPID-1511_wip_19dec2008.patch)

> JMX Interface does not require authentication
> ---------------------------------------------
>
>                 Key: QPID-1511
>                 URL: https://issues.apache.org/jira/browse/QPID-1511
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Java Broker, Java Management : JMX Console
>            Reporter: Martin Ritchie
>             Fix For: Eclipse MC M5
>
>
> Summary:
> JMX Interface uses the default RMI connector which has no authentication mechanism. We should not be shipping a JMX interface that doesn't have authentication. The interface has been disabled by default for M4 but this should be modified based on the outcome of the discussion on qpid-dev to authenticate all connections.



[jira] Updated: (QPID-1511) JMX Interface does not require authentication

Posted by "Robert Gemmell (JIRA)" <qp...@incubator.apache.org>.
     [ https://issues.apache.org/jira/browse/QPID-1511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Gemmell updated QPID-1511:
---------------------------------

    Status: Ready To Review  (was: In Progress)

> JMX Interface does not require authentication
> ---------------------------------------------
>
>                 Key: QPID-1511
>                 URL: https://issues.apache.org/jira/browse/QPID-1511
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Java Broker, Java Management : JMX Console
>            Reporter: Martin Ritchie
>            Assignee: Robert Gemmell
>             Fix For: Eclipse MC M5
>
>         Attachments: create_example_ssl_certstores.sh, QPID-1511_29jan2009.patch
>
>
> Summary:
> JMX Interface uses the default RMI connector which has no authentication mechanism. We should not be shipping a JMX interface that doesn't have authentication. The interface has been disabled by default for M4 but this should be modified based on the outcome of the discussion on qpid-dev to authenticate all connections.



[jira] Resolved: (QPID-1511) JMX Interface does not require authentication

Posted by "Robbie Gemmell (JIRA)" <qp...@incubator.apache.org>.
     [ https://issues.apache.org/jira/browse/QPID-1511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robbie Gemmell resolved QPID-1511.
----------------------------------

    Resolution: Fixed

> JMX Interface does not require authentication
> ---------------------------------------------
>
>                 Key: QPID-1511
>                 URL: https://issues.apache.org/jira/browse/QPID-1511
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Java Broker, Java Management : JMX Console
>            Reporter: Martin Ritchie
>            Assignee: Martin Ritchie
>             Fix For: 0.5
>
>         Attachments: create_example_ssl_certstores.sh, QPID-1511_29jan2009.patch
>
>
> Summary:
> JMX Interface uses the default RMI connector which has no authentication mechanism. We should not be shipping a JMX interface that doesn't have authentication. The interface has been disabled by default for M4 but this should be modified based on the outcome of the discussion on qpid-dev to authenticate all connections.



[jira] Updated: (QPID-1511) JMX Interface does not require authentication

Posted by "Robert Gemmell (JIRA)" <qp...@incubator.apache.org>.
     [ https://issues.apache.org/jira/browse/QPID-1511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Gemmell updated QPID-1511:
---------------------------------

    Attachment: QPID-1511_wip_8dec2008.patch

I attach QPID-1511_wip_8dec2008.patch, which as being discussed on qpid-dev is a work in progress on authenticating the RMIConnector used by the broker+mc for JMX. It adds a (currently inner-class, but should probably not be, wip :P) JMXAuthenticator implementation to allow authentication of the RMIConnector created, and modifies the way it is created to ensure it is then proxied by the MBeanServerForwarder implementation used with the JMXMP connector, and thus applies the jmx access rights system to RMI based connections. The console is updated accordingly to send the user credentials when creating its connection. It doesn't yet do SSL but that can be added.

> JMX Interface does not require authentication
> ---------------------------------------------
>
>                 Key: QPID-1511
>                 URL: https://issues.apache.org/jira/browse/QPID-1511
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Java Broker, Java Management : JMX Console
>    Affects Versions: M1, M2, M2.1, M3, M4
>            Reporter: Martin Ritchie
>         Attachments: QPID-1511_wip_8dec2008.patch
>
>
> Summary:
> JMX Interface uses the default RMI connector which has no authentication mechanism. We should not be shipping a JMX interface that doesn't have authentication. The interface has been disabled by default for M4 but this should be modified based on the outcome of the discussion on qpid-dev to authenticate all connections.



[jira] Commented: (QPID-1511) JMX Interface does not require authentication

Posted by "Robert Gemmell (JIRA)" <qp...@incubator.apache.org>.
    [ https://issues.apache.org/jira/browse/QPID-1511?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12657441#action_12657441 ] 

Robert Gemmell commented on QPID-1511:
--------------------------------------

The above noted patch is now out of date due to other changes to the JMXServerRegistry class of the MC for auto-negotiation (QPID-1506). Same changes, different place. I am looking into adding SSL now, so will add a new patch then.

> JMX Interface does not require authentication
> ---------------------------------------------
>
>                 Key: QPID-1511
>                 URL: https://issues.apache.org/jira/browse/QPID-1511
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Java Broker, Java Management : JMX Console
>    Affects Versions: M1, M2, M2.1, M3, M4
>            Reporter: Martin Ritchie
>         Attachments: QPID-1511_wip_8dec2008.patch
>
>
> Summary:
> JMX Interface uses the default RMI connector which has no authentication mechanism. We should not be shipping a JMX interface that doesn't have authentication. The interface has been disabled by default for M4 but this should be modified based on the outcome of the discussion on qpid-dev to authenticate all connections.



[jira] Updated: (QPID-1511) JMX Interface does not require authentication

Posted by "Robert Gemmell (JIRA)" <qp...@incubator.apache.org>.
     [ https://issues.apache.org/jira/browse/QPID-1511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Gemmell updated QPID-1511:
---------------------------------

    Attachment:     (was: QPID-1511_wip_8dec2008.patch)

> JMX Interface does not require authentication
> ---------------------------------------------
>
>                 Key: QPID-1511
>                 URL: https://issues.apache.org/jira/browse/QPID-1511
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Java Broker, Java Management : JMX Console
>            Reporter: Martin Ritchie
>             Fix For: Eclipse MC M5
>
>
> Summary:
> JMX Interface uses the default RMI connector which has no authentication mechanism. We should not be shipping a JMX interface that doesn't have authentication. The interface has been disabled by default for M4 but this should be modified based on the outcome of the discussion on qpid-dev to authenticate all connections.
