glassfish / GLASSFISH-14785

Direct JMX access to instances should allow only monitoring access, not control access

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.1
    • Fix Version/s: 3.1.2.2, 4.0_dev
    • Component/s: amx
    • Labels:
      None
    • Environment:

      Operating System: All
      Platform: All

      Description

      One of our security requirements is to prevent users from contacting instances
      directly and making configuration changes. Direct access connections to
      instances using JMX are OK but the user should not be able to make config changes.


          Activity

          Tim Quinn created issue -
          kenaiadmin made changes -
          Field Original Value New Value
          issue.field.bugzillaimportkey 14785 46389
          prasads added a comment -

          This has to be achieved by making significant changes to the DynamicInterceptor using the user credentials passed during authentication phase. Since the DynamicInterceptor itself is new and is being stabilized, I feel we should defer this for 3.2

          prasads made changes -
          Fix Version/s 3.2 [ 10969 ]
          Fix Version/s not determined [ 11149 ]
          Tags 3_1-exclude
          prasads added a comment -

          Assigning issues to Naman

          prasads made changes -
          Assignee prasads [ prasads ] naman_mehta [ naman_mehta ]
          Jill Sato made changes -
          Fix Version/s 4.0 [ 10970 ]
          Fix Version/s 3.2 [ 10969 ]
          Tim Quinn added a comment -

          Fix checked in.

          Project: glassfish
          Repository: svn
          Revision: 53698
          Author: tjquinn
          Date: 2012-04-30 20:26:19 UTC
          Link:

          Log Message:
          ------------
          Fix for 14785

          These changes allow JMX clients to connect directly to instances and perform monitoring (read-only) work. Attempts to change attribute values or to invoke operations with effect other than INFO are rejected.

          Revisions:
          ----------
          53698

          Modified Paths:
          ---------------
          trunk/main/nucleus/admin/util/src/main/java/com/sun/enterprise/admin/util/GenericAdminAuthenticator.java
          trunk/main/nucleus/common/mbeanserver/src/main/java/org/glassfish/admin/mbeanserver/JMXStartupService.java
          trunk/main/nucleus/admin/rest/rest-service/src/main/java/org/glassfish/admin/rest/adapter/RestAdapter.java
          trunk/main/nucleus/common/internal-api/src/main/java/org/glassfish/internal/api/AdminAccessController.java
          trunk/main/nucleus/common/mbeanserver/src/main/resources/com/sun/logging/enterprise/system/jmx/LogStrings.properties

          Added Paths:
          ------------
          trunk/main/nucleus/common/mbeanserver/src/main/java/org/glassfish/admin/mbeanserver/AdminAuthorizedMBeanServer.java
          trunk/main/nucleus/common/internal-api/src/main/java/org/glassfish/internal/api/JMXAdminPrincipal.java

          Tim Quinn made changes -
          Status Open [ 1 ] Closed [ 6 ]
          Assignee naman_mehta [ naman_mehta ] Tim Quinn [ tjquinn ]
          Fix Version/s 4.0_b35 [ 15485 ]
          Fix Version/s 4.0 [ 10970 ]
          Resolution Fixed [ 1 ]
          Tim Quinn made changes -
          Link This issue is related to GLASSFISH-18450 [ GLASSFISH-18450 ]
          Tim Quinn added a comment -

          Further fix checked in.

          The changes allow read-only access to GlassFish MBeans in instances but all access to other MBeans (such as the JVM ones).

          Project: glassfish
          Repository: svn
          Revision: 54532
          Author: tjquinn
          Date: 2012-06-10 16:00:42 UTC
          Link:

          Log Message:
          ------------
          Refinements to allowing JMX access to instances.

          The earlier changes to allow JMX access to instances prohibited any access that had non-INFO impact, regardless of which MBean was used. That unnecessarily limited access to, for example, JVM MBeans. The goal is to prevent changes being made to GlassFish config directly to instances; other MBean access should be unrestricted.

          These changes impose the restriction only on GlassFish MBeans.

          Tests: QL, admin devtests

          Revisions:
          ----------
          54532

          Modified Paths:
          ---------------
          trunk/main/nucleus/common/mbeanserver/src/main/java/org/glassfish/admin/mbeanserver/AdminAuthorizedMBeanServer.java
          trunk/main/nucleus/common/mbeanserver/src/main/java/org/glassfish/admin/mbeanserver/JMXStartupService.java
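
As an added example that is not part of the issue or the GlassFish source: the rule from the two fix comments above (reject attribute writes and operations whose declared impact is not INFO, but only for a restricted set of MBeans), written as a `java.lang.reflect.Proxy` around an `MBeanServer`. The class name `ReadOnlyMBeanGuard` and the domain `example.restricted` are hypothetical; the issue does not say how GlassFish MBeans are identified.

```java
import java.lang.reflect.*;
import java.util.Set;
import javax.management.*;

/** Added illustration, not GlassFish code: read-only guard for MBeans in restricted domains. */
public final class ReadOnlyMBeanGuard implements InvocationHandler {
    // Assumption: placeholder domain standing in for "GlassFish MBeans"; the issue names none.
    private static final Set<String> RESTRICTED = Set.of("example.restricted");
    private final MBeanServer target;

    private ReadOnlyMBeanGuard(MBeanServer target) { this.target = target; }

    public static MBeanServer wrap(MBeanServer target) {
        return (MBeanServer) Proxy.newProxyInstance(ReadOnlyMBeanGuard.class.getClassLoader(),
                new Class<?>[] {MBeanServer.class}, new ReadOnlyMBeanGuard(target));
    }

    @Override
    public Object invoke(Object proxy, Method m, Object[] args) throws Throwable {
        String call = m.getName();
        boolean write = call.equals("setAttribute") || call.equals("setAttributes");
        if (write || call.equals("invoke")) {
            // For all three MBeanServer methods the target ObjectName is the first argument.
            ObjectName name = (ObjectName) args[0];
            if (name != null && RESTRICTED.contains(name.getDomain())
                    && (write || impactOf(name, (String) args[1]) != MBeanOperationInfo.INFO)) {
                throw new SecurityException(call + " denied on " + name);
            }
        }
        try {
            return m.invoke(target, args); // reads, and anything outside RESTRICTED, pass through
        } catch (InvocationTargetException e) {
            throw e.getCause(); // surface the MBeanServer's own exception
        }
    }

    // Declared impact of the operation; UNKNOWN (denied) if undeclared or unreadable.
    // With overloads, any non-INFO declaration wins, so the check fails closed.
    private int impactOf(ObjectName name, String operation) {
        int impact = MBeanOperationInfo.UNKNOWN;
        try {
            for (MBeanOperationInfo op : target.getMBeanInfo(name).getOperations()) {
                if (!op.getName().equals(operation)) continue;
                if (op.getImpact() != MBeanOperationInfo.INFO) return op.getImpact();
                impact = MBeanOperationInfo.INFO;
            }
        } catch (JMException e) { return MBeanOperationInfo.UNKNOWN; }
        return impact;
    }
}
```

`ReadOnlyMBeanGuard.wrap(server)` returns the guarded view to hand to remote clients. Standard MBeans and MXBeans report `UNKNOWN` impact unless they supply explicit metadata, so a guard keyed on `INFO` refuses all of their operations inside the restricted domain.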

          Tim Quinn added a comment -

          Re-opening to update fixed-in list.

          Tim Quinn made changes -
          Resolution Fixed [ 1 ]
          Status Closed [ 6 ] Reopened [ 4 ]
          Tim Quinn added a comment -

          Adding 3.1.2.2 to fixed-in list.

          Tim Quinn made changes -
          Fix Version/s 3.1.2.2 [ 15916 ]
          Tim Quinn made changes -
          Status Reopened [ 4 ] Resolved [ 5 ]
          Resolution Fixed [ 1 ]
          Joe Di Pol made changes -
          Fix Version/s 4.0_dev [ 17784 ]

            People

            • Assignee: Tim Quinn
            • Reporter: Tim Quinn
            • Votes: 0
            • Watchers: 1
