绕过JConsole对用户名/密码的要求 - 当使用带有JMX的Jaas自定义登录模块来处理授权和身份验证时
Loc*_*234 23 java jmx login jconsole jaas
我正在使用JConsole访问正在运行的MBean.
MBean使用自定义Jaas登录模块,并使用以下命令运行:
java -classpath UserLGUGroupHandlingApplication.jar;MBeanSecure.jar
-com.sun.management.jmxremote.login.config=management.properties
-Djava.security.auth.login.config=./sample_jaas.config
com.test.running.RunningImplementation
management.properties文件看起来像这样:
com.sun.management.jmxremote.access.file=jmxremote.access
com.sun.management.jmxremote=true
com.sun.management.jmxremote.authenticate=true
com.sun.management.jmxremote.port=1234
com.sun.management.jmxremote.login.config=Sample
com.sun.management.jmxremote.ssl=false
com.sun.management.jmxremote.ssl.need.client.auth=false
和sample_jaas.config:
Sample {
test.module.AETTLoginModule required debug=true;
};
然后,用户将通过命令行中的JConsole登录来访问此运行进程.
jconsole -debug //or just jconsole
用户选择"远程连接",使用RemoteProcess'localhost:1234'
loginmodule根据当前登录到Windows的用户处理用户验证和主体设置,用于查询单独的授权逻辑以确定访问级别.
我想要发生什么:
- 用户将jconsole输入cmd
- jconsole窗口打开.
- 用户输入进程地址,例如"localhost:1234"
- 用户不输入用户名或密码(因为授权由自定义jaas登录模块处理,因此不需要).
- 模块确定用户是否具有readwrite,readonly或no access.
- 进程的Jconsole窗口打开,或登录失败.
问题:
要在jconsole窗口中访问jmx进程,我必须输入一个虚拟用户名和密码,例如U:a,P:a,否则我收到以下错误:
java.lang.SecurityException: Authentication failed! Credentials required
at com.sun.jmx.remote.security.JMXPluggableAuthenticator.authenticationFailure(JMXPluggableAuthenticator.java:193)
at com.sun.jmx.remote.security.JMXPluggableAuthenticator.authenticate(JMXPluggableAuthenticator.java:145)
at sun.management.jmxremote.ConnectorBootstrap$AccessFileCheckerAuthenticator.authenticate(ConnectorBootstrap.java:201)
at javax.management.remote.rmi.RMIServerImpl.doNewClient(RMIServerImpl.java:213)
at javax.management.remote.rmi.RMIServerImpl.newClient(RMIServerImpl.java:180)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:303)
at sun.rmi.transport.Transport$1.run(Transport.java:159)
at java.security.AccessController.doPrivileged(Native Method)
at sun.rmi.transport.Transport.serviceCall(Transport.java:155)
at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:535)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:790)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:649)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
at java.lang.Thread.run(Thread.java:662)
at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(StreamRemoteCall.java:255)
at sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:233)
at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:142)
at javax.management.remote.rmi.RMIServerImpl_Stub.newClient(Unknown Source)
at javax.management.remote.rmi.RMIConnector.getConnection(RMIConnector.java:2327)
at javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:277)
at javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:225)
at sun.tools.jconsole.ProxyClient.tryConnect(ProxyClient.java:334)
at sun.tools.jconsole.ProxyClient.connect(ProxyClient.java:296)
at sun.tools.jconsole.VMPanel$2.run(VMPanel.java:280)
题
要运行Jaas登录模块,我需要以下设置:
-Dcom.sun.management.jmxremote.authenticate=true
但是,这也会在JConsole中创建一个条件,其中必须在字段中打开用户名和passowrd字段.
如果将其设置为false,则永远不会调用loginmodule.
是否可以扩展特定实例的Jconsole功能,应用配置设置或启用jaas登录模块而无需设置:
-Dcom.sun.management.jmxremote.authenticate=true
为了防止在以下突出显示的以下字段中输入用户名和密码的必要性:
我正在寻找类似于此处演示的解决方案.但无需用户输入用户名或密码字段.
编辑:此外,澄清一下,这需要在不修改客户端JCONSOLE的情况下完成,因此纯粹使用服务器端更改和设置.
| 归档时间: |
|
| 查看次数: |
3384 次 |
| 最近记录: |