23
votes

I'm using JConsole to access an MBean that is running.

The MBean uses a custom Jaas login module and is run with the following command:

java -classpath UserLGUGroupHandlingApplication.jar;MBeanSecure.jar
-Dcom.sun.management.config.file=management.properties
-Djava.security.auth.login.config=./sample_jaas.config
com.test.running.RunningImplementation

With the management.properties file looking like this:

com.sun.management.jmxremote.access.file=jmxremote.access
com.sun.management.jmxremote=true
com.sun.management.jmxremote.authenticate=true
com.sun.management.jmxremote.port=1234
com.sun.management.jmxremote.login.config=Sample
com.sun.management.jmxremote.ssl=false
com.sun.management.jmxremote.ssl.need.client.auth=false

and the sample_jaas.config:

Sample {
   test.module.AETTLoginModule required debug=true;
};

and then a user will access this running process by logging in through JConsole from the command line.

jconsole -debug //or just jconsole

The user selects 'connect remotely', with RemoteProcess 'localhost:1234'

The login module handles the user validation and the setting of principals based on the user currently logged in to Windows, which is used to query separate authorization logic to determine the access level.

What I want to happen:

  1. User enters jconsole into cmd
  2. The jconsole window opens.
  3. User enters address of process e.g. "localhost:1234"
  4. User does not enter username or password (since this is not required as the authorization is handled by a custom jaas login module).
  5. Module determines whether the user has readwrite, readonly or no access.
  6. Jconsole window for process opens, or the login fails.

The Issue:

To access the jmx process in the jconsole window I must enter a dummy username and password, e.g. U:a, P:a, otherwise I get the following error:

java.lang.SecurityException: Authentication failed! Credentials required
    at com.sun.jmx.remote.security.JMXPluggableAuthenticator.authenticationFailure(JMXPluggableAuthenticator.java:193)
    at com.sun.jmx.remote.security.JMXPluggableAuthenticator.authenticate(JMXPluggableAuthenticator.java:145)
    at sun.management.jmxremote.ConnectorBootstrap$AccessFileCheckerAuthenticator.authenticate(ConnectorBootstrap.java:201)
    at javax.management.remote.rmi.RMIServerImpl.doNewClient(RMIServerImpl.java:213)
    at javax.management.remote.rmi.RMIServerImpl.newClient(RMIServerImpl.java:180)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:303)
    at sun.rmi.transport.Transport$1.run(Transport.java:159)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.rmi.transport.Transport.serviceCall(Transport.java:155)
    at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:535)
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:790)
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:649)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
    at java.lang.Thread.run(Thread.java:662)
    at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(StreamRemoteCall.java:255)
    at sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:233)
    at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:142)
    at javax.management.remote.rmi.RMIServerImpl_Stub.newClient(Unknown Source)
    at javax.management.remote.rmi.RMIConnector.getConnection(RMIConnector.java:2327)
    at javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:277)
    at javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:225)
    at sun.tools.jconsole.ProxyClient.tryConnect(ProxyClient.java:334)
    at sun.tools.jconsole.ProxyClient.connect(ProxyClient.java:296)
    at sun.tools.jconsole.VMPanel$2.run(VMPanel.java:280)

Question

For the Jaas login module to run I need the following set:

-Dcom.sun.management.jmxremote.authenticate=true

But this also creates a condition in JConsole where the username and password fields must be filled in.

If this is set to false, the login module is never called.

Is it possible to either extend the Jconsole functionality for a particular instance, apply a config setting, or enable a jaas login module without needing to set:

-Dcom.sun.management.jmxremote.authenticate=true

in order to prevent the necessity of entering a username and password in the fields highlighted below:

I'm looking for a solution similar to the one demonstrated here, but without the need for the user to fill in the username or password fields.

EDIT: Also, to clarify, this would need to be done without modifying the client side JCONSOLE, so by purely using server side changes and settings.
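As an added example (not code from the question or from any of the answers), this is the purely server-side alternative the question is reaching for: the application starts its own RMI connector server and supplies a JMXAuthenticator, so the built-in agent and its com.sun.management.jmxremote.authenticate=true requirement are not involved at all. The JAAS entry name Sample and port 1234 come from the question; the class name, the Java 8 lambdas and the fixed "anonymous" principal handed to credential-less connections are this example's own assumptions.

```java
import java.lang.management.ManagementFactory;
import java.rmi.registry.LocateRegistry;
import java.util.HashMap;
import java.util.Map;
import javax.management.remote.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class SampleJmxServer {

    // JConsole sends credentials == null when both login fields are left empty. The stock
    // agent rejects that before any LoginModule runs; a custom JMXAuthenticator decides itself.
    static final JMXAuthenticator AUTHENTICATOR = credentials -> {
        if (credentials == null) {
            // Nobody proved anything: hand out a fixed, least-privilege identity. Anything that can
            // reach the port gets this principal, so the access policy must map it to readonly or none.
            Subject anon = new Subject();
            anon.getPrincipals().add(new JMXPrincipal("anonymous"));   // constructed name
            return anon;
        }
        if (!(credentials instanceof String[]) || ((String[]) credentials).length != 2)
            throw new SecurityException("Credentials must be a String[2]");
        String[] up = (String[]) credentials;
        try {
            // Real credentials go through the "Sample" JAAS entry from sample_jaas.config.
            LoginContext lc = new LoginContext("Sample", callbacks -> {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) ((NameCallback) cb).setName(up[0]);
                    else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(up[1].toCharArray());
                    else throw new UnsupportedCallbackException(cb);
                }
            });
            lc.login();
            return lc.getSubject();           // carries the principals the LoginModule committed
        } catch (LoginException e) {
            throw new SecurityException("Authentication failed", e);
        }
    };

    public static void main(String[] args) throws Exception {
        LocateRegistry.createRegistry(1234);  // port from the question
        JMXServiceURL url = new JMXServiceURL("service:jmx:rmi:///jndi/rmi://localhost:1234/jmxrmi");
        Map<String, Object> env = new HashMap<>();
        env.put(JMXConnectorServer.AUTHENTICATOR, AUTHENTICATOR);
        JMXConnectorServer cs = JMXConnectorServerFactory.newJMXConnectorServer(url, env, ManagementFactory.getPlatformMBeanServer());
        cs.start();   // JConsole: "localhost:1234", username and password left empty
    }
}
```

Unlike the built-in agent, this connector does not read jmxremote.access by itself: the readwrite/readonly/none decision has to be enforced by a MBeanServerForwarder installed with cs.setMBeanServerForwarder(...) that inspects the Subject's principals, and the anonymous principal should never be mapped to readwrite.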


3 Answers

4
votes

Go through this link. See case 3 especially; it may help you.

More updates after more clarification on the question asked:

What you are basically trying to achieve is to bypass the (JAAS provided) security for a particular client connection, which is JConsole in your case. I would suggest either:

1) Have two ports for the JMX server, secure and non-secure, and use the non-secure port for JConsole, or
2) in case you are writing your own custom JAAS module, try to code it to skip the connection for a particular client in the login() method. I am not sure if this is feasible, because how will you know the context of the requesting client...

0
votes

Try this:

https://blogs.oracle.com/alanb/entry/one_password_to_rule_them, assuming the following is not what you wanted (based on the answer by @ag112):

-J-Djmx.remote.x.password.file=/path/to/file/jmx.password and then put your username and credential, separated by a space, in that file.

0
votes

I have to add another answer, from notes like the ones I found below:

Navigate to the server instance you want to connect to remotely (without userid/password). Open the server instance's 'server.xml'. Look for the tag; you may find one like the one below.

If this is configured in the server instance, it can be monitored without any access:

Use the connection string below to access the remote process from JConsole.

service:jmx:rmi://10.10.10.11:8082/jndi/rmi://10.10.10.11:8081/server