23

I'm using JConsole to access an MBean that is running.

The MBean uses a custom Jaas login module and is run with the following command:

java -classpath UserLGUGroupHandlingApplication.jar;MBeanSecure.jar 
-com.sun.management.jmxremote.login.config=management.properties 
-Djava.security.auth.login.config=./sample_jaas.config 
com.test.running.RunningImplementation

With the management.properties file looking like this:

com.sun.management.jmxremote.access.file=jmxremote.access
com.sun.management.jmxremote=true
com.sun.management.jmxremote.authenticate=true
com.sun.management.jmxremote.port=1234
com.sun.management.jmxremote.login.config=Sample
com.sun.management.jmxremote.ssl=false
com.sun.management.jmxremote.ssl.need.client.auth=false

and the sample_jaas.config:

Sample {
   test.module.AETTLoginModule required debug=true;
};

and then a user will access this running process by logging in through JConsole from the command line.

jconsole -debug //or just jconsole

The user selects 'connect remotely', with RemoteProcess 'localhost:1234'

The loginmodule handles the user validation and setting of principals based on the user currently logged in to Windows, which is used to query separate authorization logic to determine the access level.

What I want to happen:

  1. User enters jconsole into cmd
  2. The jconsole window opens.
  3. User enters address of process e.g. "localhost:1234"
  4. User does not enter username or password (since this is not required as the authorization is handled by a custom jaas login module).
  5. Module determines whether the user has readwrite, readonly or no access.
  6. Jconsole window for process opens, or the login fails.

The Issue:

To access the jmx process in the jconsole window I must enter a dummy username and password, e.g. U:a, P:a, otherwise I get the following error:

java.lang.SecurityException: Authentication failed! Credentials required
    at com.sun.jmx.remote.security.JMXPluggableAuthenticator.authenticationFailure(JMXPluggableAuthenticator.java:193)
    at com.sun.jmx.remote.security.JMXPluggableAuthenticator.authenticate(JMXPluggableAuthenticator.java:145)
    at sun.management.jmxremote.ConnectorBootstrap$AccessFileCheckerAuthenticator.authenticate(ConnectorBootstrap.java:201)
    at javax.management.remote.rmi.RMIServerImpl.doNewClient(RMIServerImpl.java:213)
    at javax.management.remote.rmi.RMIServerImpl.newClient(RMIServerImpl.java:180)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:303)
    at sun.rmi.transport.Transport$1.run(Transport.java:159)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.rmi.transport.Transport.serviceCall(Transport.java:155)
    at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:535)
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:790)
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:649)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
    at java.lang.Thread.run(Thread.java:662)
    at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(StreamRemoteCall.java:255)
    at sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:233)
    at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:142)
    at javax.management.remote.rmi.RMIServerImpl_Stub.newClient(Unknown Source)
    at javax.management.remote.rmi.RMIConnector.getConnection(RMIConnector.java:2327)
    at javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:277)
    at javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:225)
    at sun.tools.jconsole.ProxyClient.tryConnect(ProxyClient.java:334)
    at sun.tools.jconsole.ProxyClient.connect(ProxyClient.java:296)
    at sun.tools.jconsole.VMPanel$2.run(VMPanel.java:280)

Question

For the Jaas login module to run I need the following set:

-Dcom.sun.management.jmxremote.authenticate=true

But this also creates a condition in JConsole where the username and password fields must be open in the field.

If this is set to false, the loginmodule is never called.

Is it possible to either extend the Jconsole functionality for a particular instance, apply a config setting, or enable a jaas login module without needing to set:

-Dcom.sun.management.jmxremote.authenticate=true

In order to prevent the necessity of entering a username and password in the following fields highlighted below:

[Image: JConsole connection dialog with the username and password fields highlighted]

I'm looking for a solution similar to the one demonstrated here. But without the need for the user to enter the username or password fields.

EDIT: Also, to clarify, this would need to be done without modifying the client side JCONSOLE, so by purely using server side changes and settings.

Loco234
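An added example, not code from the question or its answers: the stack trace shows the built-in JMXPluggableAuthenticator rejecting null credentials before the login module runs, so one server-side option is to start the connector programmatically with a JMXAuthenticator that does not inspect credentials. The class names CredentialFreeJmxServer and JaasOnlyAuthenticator are hypothetical; the entry name Sample, port 1234 and jmxremote.access come from the question, and the sketch assumes the com.sun.management.jmxremote.* properties are no longer set while -Djava.security.auth.login.config is still passed.

```java
import java.lang.management.ManagementFactory;
import java.rmi.registry.LocateRegistry;
import java.util.HashMap;
import java.util.Map;
import javax.management.remote.JMXAuthenticator;
import javax.management.remote.JMXConnectorServer;
import javax.management.remote.JMXConnectorServerFactory;
import javax.management.remote.JMXServiceURL;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class CredentialFreeJmxServer {            // hypothetical class name

    /** Ignores what the client sent (JConsole sends null for empty fields). */
    static class JaasOnlyAuthenticator implements JMXAuthenticator {
        private final String entryName;
        JaasOnlyAuthenticator(String entryName) { this.entryName = entryName; }

        @Override
        public Subject authenticate(Object credentials) {
            try {
                // No CallbackHandler: the module must not ask for a name/password.
                // The module runs inside this server JVM, so any OS-user lookup it
                // performs sees the server process's account, not the remote caller's.
                LoginContext lc = new LoginContext(entryName);
                lc.login();
                Subject subject = lc.getSubject();
                subject.setReadOnly();
                return subject;
            } catch (LoginException e) {
                throw new SecurityException("JAAS login failed", e);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        int port = 1234;                           // port from the question
        LocateRegistry.createRegistry(port);
        Map<String, Object> env = new HashMap<String, Object>();
        env.put(JMXConnectorServer.AUTHENTICATOR, new JaasOnlyAuthenticator("Sample"));
        // Names of the principals the module adds are matched against this file.
        env.put("jmx.remote.x.access.file", "jmxremote.access");
        JMXServiceURL url = new JMXServiceURL(
                "service:jmx:rmi:///jndi/rmi://localhost:" + port + "/jmxrmi");
        JMXConnectorServer server = JMXConnectorServerFactory.newJMXConnectorServer(
                url, env, ManagementFactory.getPlatformMBeanServer());
        server.start();                            // JConsole target: localhost:1234
    }
}
```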

3 Answers

4

Go through this link. See case 3 especially, it may help you.

More updates after more clarification on the question asked:

What you are basically trying to achieve is to bypass (JAAS-provided) security for a particular client connection, which is JConsole in your case. I would suggest either:

1) Have two ports for the JMX server: secure and non-secure. Use the non-secure port for JConsole, or
2) In case you are writing your own custom JAAS module, try to code it to skip the connection for a particular client in the login() method. I am not sure if this is feasible, because how will you know the context of the requesting client?

Will Sargent
ag112
  • 1
    Thank you, however, my question is specifically on modifying the jconsole need for user input on the requirements. The case study focuses on the JaasLoginModule and the client side code. – Loco234 May 27 '15 at 09:56
  • Please don't post link-only answers as links may break. – NathanOliver May 28 '15 at 15:33
  • Re: the edit. I'm curious as to whether there is a more straightforward approach to this, since using a Jaas login module is quite a common requirement. It would seem strange to only limit user and password credential input using the fields in Jconsole. My immediate thought was to point to a jaas config file whilst setting com.sun.management.jmxremote.authenticate=false. The context generation is handled by a separate script that is called in the loginmodule, effectively bypassing the need for the user's credentials to be checked as they will be based on the currently logged in user. – Loco234 Jun 04 '15 at 10:57
0

Try this :

https://blogs.oracle.com/alanb/entry/one_password_to_rule_them assuming following is not what you wanted (based on answer by @ag112 )

-J-Djmx.remote.x.password.file=/path/to/file/jmx.password and then put your username/credential with space there.

Optional
  • Thanks, but it's not the setting up of a password file. Instead, the necessity to enter username and password details in the jconsole view where authentication is handled by the jaas module. So even if the fields are full, the input is discarded because the jaas login module handles the user data instead. – Loco234 May 28 '15 at 10:34
  • From the link, can't u specify ur own login module? -Dcom.sun.management.jmxremote.login.config=SunConfig -Djava.security.auth.login.config=ldap.config – Optional May 28 '15 at 11:05
  • Yes, I'm able to specify my own login module, but can only activate it with the com.sun.management.jmxremote.authenticate=true setting. The issue is, Jconsole requires user input into the username and password fields, even though these aren't looked at in the loginmodule. – Loco234 May 28 '15 at 12:21
  • 1
    Just to confirm. Adding the password file does not alter the necessity of entering values into the username and password fields when com.sun.management.jmxremote.authenticate=true. – Loco234 Jun 15 '15 at 15:55
0

I have to add another answer, from the notes like I found below:

Navigate to the server instance you want to connect to remotely (without userid/password). Navigate to the server instance's 'server.xml'. Look for the tag; you may find something like below

If this is configured in the server instance, it can be monitored without any access:

Use the below connection string to access the Jconsole for the remote process.

service:jmx:rmi://10.10.10.11:8082/jndi/rmi://10.10.10.11:8081/server

Optional