Posted to issues@karaf.apache.org by "Blen Desta (Jira)" <ji...@apache.org> on 2020/03/31 01:15:00 UTC

[jira] [Issue Comment Deleted] (KARAF-6654) Remote JMX connection not working with security manager

     [ https://issues.apache.org/jira/browse/KARAF-6654?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Blen Desta updated KARAF-6654:
------------------------------
    Comment: was deleted

(was: We have been using the security manager on our system for a while now. We wanted to turn on JMX but are running into issues. It seems to be linked to the security manager. We are not using the security manager just to secure JMX.)

> Remote JMX connection not working with security manager
> -------------------------------------------------------
>
>                 Key: KARAF-6654
>                 URL: https://issues.apache.org/jira/browse/KARAF-6654
>             Project: Karaf
>          Issue Type: Bug
>          Components: karaf
>    Affects Versions: 4.2.8
>         Environment: Karaf version 4.2.8
>            Reporter: Blen Desta
>            Assignee: Jean-Baptiste Onofré
>            Priority: Major
>              Labels: JMX, SecurityManager, jmx
>
> We're unable to connect to remote JMX with security manager enabled.
>  
> Steps to reproduce:
>  * On Karaf 4.2.8, turn on the security manager by adding 
>  {{-Djava.security.manager}} and
>  {{-Djava.security.policy==${KARAF_HOME}/etc/all.policy}}
>  to the karaf script.
>  * Using jconsole with debug logging, connect to the remote JMX using {{service:jmx:rmi:///jndi/rmi://localhost:1099/karaf-root}} and karaf/karaf as the username and password. Choose {{Insecure connection}}.
> The connection will fail and you will get the following in the logs.
> Note: {{all.policy}} grants access to everything.
> {code:java}
> java.security.AccessControlException: access denied ("javax.security.auth.AuthPermission" "getSubject")
> 	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
> 	at java.security.AccessController.checkPermission(AccessController.java:886)
> 	at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
> 	at javax.security.auth.Subject.getSubject(Subject.java:287)
> 	at org.apache.felix.eventadmin.impl.handler.EventAdminImpl.prepareEvent(EventAdminImpl.java:146)
> 	at org.apache.felix.eventadmin.impl.handler.EventAdminImpl.postEvent(EventAdminImpl.java:180)
> 	at org.apache.felix.eventadmin.impl.security.EventAdminSecurityDecorator.postEvent(EventAdminSecurityDecorator.java:79)
> 	at org.apache.karaf.management.internal.EventAdminLoggerImpl.log(EventAdminLoggerImpl.java:56)
> 	at org.apache.karaf.management.internal.EventAdminMBeanServerWrapper.log(EventAdminMBeanServerWrapper.java:143)
> 	at org.apache.karaf.management.internal.EventAdminMBeanServerWrapper.getClassLoaderRepository(EventAdminMBeanServerWrapper.java:641)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> 	at java.lang.reflect.Method.invoke(Method.java:498)
> 	at org.apache.karaf.management.internal.MBeanInvocationHandler.invoke(MBeanInvocationHandler.java:60)
> 	at com.sun.proxy.$Proxy19.getClassLoaderRepository(Unknown Source)
> 	at javax.management.remote.rmi.RMIConnectionImpl$1.run(RMIConnectionImpl.java:137)
> 	at javax.management.remote.rmi.RMIConnectionImpl$1.run(RMIConnectionImpl.java:135)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at javax.management.remote.rmi.RMIConnectionImpl.<init>(RMIConnectionImpl.java:134)
> 	at javax.management.remote.rmi.RMIJRMPServerImpl.makeClient(RMIJRMPServerImpl.java:207)
> 	at javax.management.remote.rmi.RMIServerImpl.doNewClient(RMIServerImpl.java:250)
> 	at javax.management.remote.rmi.RMIServerImpl.newClient(RMIServerImpl.java:199)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> 	at java.lang.reflect.Method.invoke(Method.java:498)
> 	at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:357)
> 	at sun.rmi.transport.Transport$1.run(Transport.java:200)
> 	at sun.rmi.transport.Transport$1.run(Transport.java:197)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at sun.rmi.transport.Transport.serviceCall(Transport.java:196)
> 	at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:573)
> 	at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:834)
> 	at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.lambda$run$0(TCPTransport.java:688)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:687)
> 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> 	at java.lang.Thread.run(Thread.java:748)
> 	at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(StreamRemoteCall.java:303)
> 	at sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:279)
> 	at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:161)
> 	at javax.management.remote.rmi.RMIServerImpl_Stub.newClient(Unknown Source)
> 	at javax.management.remote.rmi.RMIConnector.getConnection(RMIConnector.java:2430)
> 	at javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:308)
> 	at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:270)
> 	at sun.tools.jconsole.ProxyClient.tryConnect(ProxyClient.java:370)
> 	at sun.tools.jconsole.ProxyClient.connect(ProxyClient.java:313)
> 	at sun.tools.jconsole.VMPanel$2.run(VMPanel.java:294)
> {code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
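
The jconsole step from the report can be run without a GUI. The following is an added example, not code from the issue or from Karaf: the class name KarafJmxProbe is hypothetical, and the service URL and karaf/karaf credentials are the ones quoted in the reproduction steps. It connects over plain RMI and, on failure, prints the root cause and the first non-JDK frame in its stack trace.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.management.MBeanServerConnection;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

// Added example (hypothetical class name): headless version of the jconsole step.
public class KarafJmxProbe {

    // Walks the cause chain to the innermost exception.
    static Throwable rootCause(Throwable t) {
        Throwable cur = t;
        while (cur.getCause() != null && cur.getCause() != cur) {
            cur = cur.getCause();
        }
        return cur;
    }

    // True for frames that belong to the JDK rather than to Karaf/Felix code.
    static boolean isJdkFrame(StackTraceElement f) {
        String c = f.getClassName();
        return c.startsWith("java.") || c.startsWith("javax.")
                || c.startsWith("sun.") || c.startsWith("com.sun.");
    }

    public static void main(String[] args) {
        // URL and credentials as given in the issue; pass another URL as args[0].
        String url = args.length > 0 ? args[0]
                : "service:jmx:rmi:///jndi/rmi://localhost:1099/karaf-root";
        Map<String, Object> env = new HashMap<>();
        env.put(JMXConnector.CREDENTIALS, new String[] {"karaf", "karaf"});

        try (JMXConnector c = JMXConnectorFactory.connect(new JMXServiceURL(url), env)) {
            MBeanServerConnection mbsc = c.getMBeanServerConnection();
            System.out.println("Connected, MBean count: " + mbsc.getMBeanCount());
        } catch (SecurityException | IOException e) {
            Throwable root = rootCause(e);
            System.err.println("Connection failed: " + root);
            // The issue's trace carries server-side frames in the same stack trace,
            // so the first non-JDK frame names the code that triggered the check.
            for (StackTraceElement f : root.getStackTrace()) {
                if (!isJdkFrame(f)) {
                    System.err.println("First non-JDK frame: " + f);
                    break;
                }
            }
            System.exit(1);
        }
    }
}
```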