Author: gawor
Date: Thu Jul 10 09:39:53 2008
New Revision: 675641
URL: http://svn.apache.org/viewvc?rev=675641&view=rev
Log:
Secure JMX connector - based on patch from Vamsi (GERONIMO-3876)
Added:
geronimo/server/trunk/framework/configs/jmx-security/
geronimo/server/trunk/framework/configs/jmx-security/pom.xml (with props)
geronimo/server/trunk/framework/configs/jmx-security/src/
geronimo/server/trunk/framework/configs/jmx-security/src/main/
geronimo/server/trunk/framework/configs/jmx-security/src/main/plan/
geronimo/server/trunk/framework/configs/jmx-security/src/main/plan/plan.xml (with props)
geronimo/server/trunk/framework/modules/geronimo-jmx-remoting/src/main/java/org/apache/geronimo/jmxremoting/JMXSecureConnector.java
(with props)
Modified:
geronimo/server/trunk/assemblies/geronimo-jetty6-javaee5/pom.xml
geronimo/server/trunk/assemblies/geronimo-tomcat6-javaee5/pom.xml
geronimo/server/trunk/framework/configs/pom.xml
geronimo/server/trunk/framework/modules/geronimo-jmx-remoting/pom.xml
geronimo/server/trunk/framework/modules/geronimo-jmx-remoting/src/main/java/org/apache/geronimo/jmxremoting/JMXConnector.java
geronimo/server/trunk/pom.xml
Modified: geronimo/server/trunk/assemblies/geronimo-jetty6-javaee5/pom.xml
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/assemblies/geronimo-jetty6-javaee5/pom.xml?rev=675641&r1=675640&r2=675641&view=diff
==============================================================================
--- geronimo/server/trunk/assemblies/geronimo-jetty6-javaee5/pom.xml (original)
+++ geronimo/server/trunk/assemblies/geronimo-jetty6-javaee5/pom.xml Thu Jul 10 09:39:53 2008
@@ -598,6 +598,13 @@
<version>${version}</version>
<type>car</type>
</dependency>
+
+ <dependency>
+ <groupId>org.apache.geronimo.framework</groupId>
+ <artifactId>jmx-security</artifactId>
+ <version>${version}</version>
+ <type>car</type>
+ </dependency>
</dependencies>
<build>
Modified: geronimo/server/trunk/assemblies/geronimo-tomcat6-javaee5/pom.xml
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/assemblies/geronimo-tomcat6-javaee5/pom.xml?rev=675641&r1=675640&r2=675641&view=diff
==============================================================================
--- geronimo/server/trunk/assemblies/geronimo-tomcat6-javaee5/pom.xml (original)
+++ geronimo/server/trunk/assemblies/geronimo-tomcat6-javaee5/pom.xml Thu Jul 10 09:39:53
2008
@@ -570,6 +570,13 @@
<version>${version}</version>
<type>car</type>
</dependency>
+
+ <dependency>
+ <groupId>org.apache.geronimo.framework</groupId>
+ <artifactId>jmx-security</artifactId>
+ <version>${version}</version>
+ <type>car</type>
+ </dependency>
</dependencies>
<build>
Added: geronimo/server/trunk/framework/configs/jmx-security/pom.xml
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/framework/configs/jmx-security/pom.xml?rev=675641&view=auto
==============================================================================
--- geronimo/server/trunk/framework/configs/jmx-security/pom.xml (added)
+++ geronimo/server/trunk/framework/configs/jmx-security/pom.xml Thu Jul 10 09:39:53 2008
@@ -0,0 +1,87 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<!-- $Rev: 617770 $ $Date: 2008-02-02 03:30:00 -0500 (Sat, 02 Feb 2008) $ -->
+
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+
+ <modelVersion>4.0.0</modelVersion>
+
+ <parent>
+ <groupId>org.apache.geronimo.framework</groupId>
+ <artifactId>configs</artifactId>
+ <version>2.2-SNAPSHOT</version>
+ </parent>
+
+ <artifactId>jmx-security</artifactId>
+ <name>Geronimo Framework, Configs :: JMX Security Configuration</name>
+ <packaging>car</packaging>
+
+ <description>Secure (SSL/TSL) JMX Connector.</description>
+
+ <dependencies>
+ <dependency>
+ <groupId>org.apache.geronimo.framework</groupId>
+ <artifactId>geronimo-gbean-deployer</artifactId>
+ <version>${version}</version>
+ <type>car</type>
+ <scope>provided</scope>
+ </dependency>
+
+ <!-- parent -->
+ <dependency>
+ <groupId>org.apache.geronimo.framework</groupId>
+ <artifactId>server-security-config</artifactId>
+ <version>${version}</version>
+ <type>car</type>
+ </dependency>
+ </dependencies>
+
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.apache.geronimo.buildsupport</groupId>
+ <artifactId>car-maven-plugin</artifactId>
+ <configuration>
+ <deploymentConfigs>
+ <deploymentConfig>${gbeanDeployer}</deploymentConfig>
+ </deploymentConfigs>
+ <category>Security</category>
+ <useMavenDependencies>
+ <value>true</value>
+ <includeVersion>true</includeVersion>
+ </useMavenDependencies>
+ <instance>
+ <plugin-artifact>
+ <config-xml-content load="false">
+ <gbean name="JMXSecureConnector">
+ <attribute name="protocol">rmi</attribute>
+ <attribute name="host">#{ServerHostname}</attribute>
+ <attribute name="port">#{JMXSecurePort + PortOffset}</attribute>
+ <attribute name="urlPath">/jndi/rmi://#{ServerHostname}:#{NamingPort
+ PortOffset}/JMXSecureConnector</attribute>
+ </gbean>
+ </config-xml-content>
+ <config-substitution key="JMXSecurePort">9998</config-substitution>
+ </plugin-artifact>
+ </instance>
+ </configuration>
+ </plugin>
+ </plugins>
+ </build>
+
+</project>
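Review bot: The gbean entry under `config-xml-content` is registered with `load="false"`, so — if the attribute behaves as it does for other Geronimo config entries — the secure connector is packaged with the assembly but is not started until an administrator enables it, and nothing in the file says so. A comment before the `<gbean>` element such as `<!-- not loaded by default (load="false"); enable it to start the TLS JMX connector on JMXSecurePort -->` would make the opt-in nature visible to whoever tunes the ports. The description reads `Secure (SSL/TSL) JMX Connector.`; it should be `Secure (SSL/TLS) JMX Connector.`. The `$Rev: 617770 $` header was carried over from the file this pom was copied from and, with only svn:eol-style set on the new file, will not be rewritten.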
Propchange: geronimo/server/trunk/framework/configs/jmx-security/pom.xml
------------------------------------------------------------------------------
svn:eol-style = native
Added: geronimo/server/trunk/framework/configs/jmx-security/src/main/plan/plan.xml
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/framework/configs/jmx-security/src/main/plan/plan.xml?rev=675641&view=auto
==============================================================================
--- geronimo/server/trunk/framework/configs/jmx-security/src/main/plan/plan.xml (added)
+++ geronimo/server/trunk/framework/configs/jmx-security/src/main/plan/plan.xml Thu Jul 10
09:39:53 2008
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<module xmlns="http://geronimo.apache.org/xml/ns/deployment-${geronimoSchemaVersion}">
+
+ <!-- JMX Remoting -->
+ <gbean name="JMXSecureConnector" class="org.apache.geronimo.jmxremoting.JMXSecureConnector">
+ <attribute name="protocol">rmi</attribute>
+ <attribute name="host">${PlanServerHostname}</attribute>
+ <attribute name="port">${PlanJMXSecurePort}</attribute>
+ <attribute name="urlPath">/jndi/rmi://${PlanServerHostname}:${PlanNamingPort}/JMXSecureConnector</attribute>
+ <attribute name="applicationConfigName">geronimo-admin</attribute>
+ <reference name="MBeanServerReference">
+ <name>MBeanServerReference</name>
+ </reference>
+
+ <attribute name="algorithm">Default</attribute>
+ <attribute name="secureProtocol">TLS</attribute>
+ <attribute name="keyStore">geronimo-default</attribute>
+ <attribute name="keyAlias">geronimo</attribute>
+ <attribute name="trustStore">geronimo-default</attribute>
+ <attribute name="clientAuth">true</attribute>
+ <reference name="KeystoreManager">
+ <name>KeystoreManager</name>
+ </reference>
+ </gbean>
+
+</module>
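Review bot: The TLS attributes bind the connector to `geronimo-default` for both its own key (`keyStore`/`keyAlias`) and the client certificates it accepts (`trustStore`), with `clientAuth` set to `true`, and the plan does not say that these are placeholders. If `geronimo-default` is the store shipped with the distribution, every installation that deploys this plan unchanged presents the same server key and trusts the same client certificates, which undermines what client authentication is meant to provide for an MBeanServer endpoint. I would add a comment above the `algorithm` attribute along the lines of `<!-- geronimo-default is the distribution's sample keystore: point keyStore/keyAlias/trustStore at installation-specific entries before exposing this port -->`, and a note next to `clientAuth` that with it enabled a client must present a certificate trusted by `trustStore` in addition to the JAAS credentials checked through `geronimo-admin`.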
Propchange: geronimo/server/trunk/framework/configs/jmx-security/src/main/plan/plan.xml
------------------------------------------------------------------------------
svn:eol-style = native
Modified: geronimo/server/trunk/framework/configs/pom.xml
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/framework/configs/pom.xml?rev=675641&r1=675640&r2=675641&view=diff
==============================================================================
--- geronimo/server/trunk/framework/configs/pom.xml (original)
+++ geronimo/server/trunk/framework/configs/pom.xml Thu Jul 10 09:39:53 2008
@@ -54,6 +54,7 @@
<module>gshell-framework</module>
<module>gshell-remote</module>
<module>gshell-geronimo</module>
+ <module>jmx-security</module>
</modules>
<build>
Modified: geronimo/server/trunk/framework/modules/geronimo-jmx-remoting/pom.xml
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/framework/modules/geronimo-jmx-remoting/pom.xml?rev=675641&r1=675640&r2=675641&view=diff
==============================================================================
--- geronimo/server/trunk/framework/modules/geronimo-jmx-remoting/pom.xml (original)
+++ geronimo/server/trunk/framework/modules/geronimo-jmx-remoting/pom.xml Thu Jul 10 09:39:53
2008
@@ -38,6 +38,11 @@
<dependencies>
<dependency>
<groupId>org.apache.geronimo.framework</groupId>
+ <artifactId>geronimo-management</artifactId>
+ <version>${version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.geronimo.framework</groupId>
<artifactId>geronimo-system</artifactId>
<version>${version}</version>
</dependency>
Modified: geronimo/server/trunk/framework/modules/geronimo-jmx-remoting/src/main/java/org/apache/geronimo/jmxremoting/JMXConnector.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/framework/modules/geronimo-jmx-remoting/src/main/java/org/apache/geronimo/jmxremoting/JMXConnector.java?rev=675641&r1=675640&r2=675641&view=diff
==============================================================================
--- geronimo/server/trunk/framework/modules/geronimo-jmx-remoting/src/main/java/org/apache/geronimo/jmxremoting/JMXConnector.java
(original)
+++ geronimo/server/trunk/framework/modules/geronimo-jmx-remoting/src/main/java/org/apache/geronimo/jmxremoting/JMXConnector.java
Thu Jul 10 09:39:53 2008
@@ -16,6 +16,7 @@
*/
package org.apache.geronimo.jmxremoting;
+import java.io.IOException;
import java.net.InetSocketAddress;
import java.util.HashMap;
import java.util.Map;
@@ -35,24 +36,23 @@
import org.apache.geronimo.system.jmx.MBeanServerReference;
/**
- * A Connector that supports the server sideof JSR 160 JMX Remoting.
+ * A connector that supports the server side of JSR 160 JMX Remoting.
*
* @version $Rev$ $Date$
*/
public class JMXConnector implements JMXConnectorInfo, GBeanLifecycle {
- private final MBeanServer mbeanServer;
- private final Logger log;
- private final ClassLoader classLoader;
- private String applicationConfigName;
- private Authenticator authenticator;
-
- private String protocol;
- private String host;
- private int port = -1;
- private String urlPath;
+ protected final MBeanServer mbeanServer;
+ protected final Logger log;
+ protected final ClassLoader classLoader;
+ protected String applicationConfigName;
+
+ protected String protocol;
+ protected String host;
+ protected int port = -1;
+ protected String urlPath;
- private JMXConnectorServer server;
- private JMXServiceURL jmxServiceURL;
+ protected JMXConnectorServer server;
+ protected JMXServiceURL jmxServiceURL;
// todo remove this as soon as Geronimo supports factory beans
public JMXConnector(MBeanServerReference mbeanServerReference, String objectName, ClassLoader
classLoader) {
@@ -175,6 +175,7 @@
public void doStart() throws Exception {
jmxServiceURL = new JMXServiceURL(protocol, host, port, urlPath);
+ Authenticator authenticator = null;
Map env = new HashMap();
if (applicationConfigName != null) {
authenticator = new Authenticator(applicationConfigName, classLoader);
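Review bot: Turning `authenticator` into a local of doStart removes the only piece of state a subclass could have reused, and the result in this commit is that JMXSecureConnector re-implements doStart in full (service URL, authenticator, notification filter, start logging) just to add two `env` entries. A protected hook on this class would keep a single copy, e.g. `protected void configureEnvironment(Map env) { }` called after the authenticator has been put into `env`, with the subclass overriding it to add the RMI socket factories. The widening of the fields from private to protected in the hunk above exists to serve that same subclass and would largely become unnecessary. doStart continues outside the hunk.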
@@ -195,13 +196,12 @@
public void doStop() throws Exception {
try {
server.stop();
- } catch (java.io.IOException e) {
+ } catch (IOException e) {
// java.io.IOException is expected.
} catch (Exception e) {
// Otherwise, something bad happened. Rethrow the exception.
throw e;
- }
- finally {
+ } finally {
server = null;
log.debug("Stopped JMXConnector " + jmxServiceURL);
}
Added: geronimo/server/trunk/framework/modules/geronimo-jmx-remoting/src/main/java/org/apache/geronimo/jmxremoting/JMXSecureConnector.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/framework/modules/geronimo-jmx-remoting/src/main/java/org/apache/geronimo/jmxremoting/JMXSecureConnector.java?rev=675641&view=auto
==============================================================================
--- geronimo/server/trunk/framework/modules/geronimo-jmx-remoting/src/main/java/org/apache/geronimo/jmxremoting/JMXSecureConnector.java
(added)
+++ geronimo/server/trunk/framework/modules/geronimo-jmx-remoting/src/main/java/org/apache/geronimo/jmxremoting/JMXSecureConnector.java
Thu Jul 10 09:39:53 2008
@@ -0,0 +1,206 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.geronimo.jmxremoting;
+
+import java.io.IOException;
+import java.net.ServerSocket;
+import java.rmi.server.RMIClientSocketFactory;
+import java.rmi.server.RMIServerSocketFactory;
+import java.util.HashMap;
+import java.util.Map;
+
+import javax.management.MBeanServer;
+import javax.management.NotificationFilterSupport;
+import javax.management.remote.JMXConnectionNotification;
+import javax.management.remote.JMXConnectorServer;
+import javax.management.remote.JMXConnectorServerFactory;
+import javax.management.remote.JMXServiceURL;
+import javax.management.remote.rmi.RMIConnectorServer;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLServerSocket;
+import javax.net.ssl.SSLServerSocketFactory;
+import javax.rmi.ssl.SslRMIClientSocketFactory;
+
+import org.apache.geronimo.gbean.GBeanInfo;
+import org.apache.geronimo.gbean.GBeanInfoBuilder;
+import org.apache.geronimo.management.geronimo.KeystoreManager;
+import org.apache.geronimo.system.jmx.MBeanServerReference;
+
+/**
+ * A secure (SSL/TLS) connector that supports the server side of JSR 160 JMX Remoting.
+ *
+ * @version $Rev: 651684 $ $Date: 2008-04-25 15:11:52 -0400 (Fri, 25 Apr 2008) $
+ */
+public class JMXSecureConnector extends JMXConnector {
+
+ private KeystoreManager keystoreManager;
+ private String algorithm;
+ private String secureProtocol;
+ private String keyStore;
+ private String trustStore;
+ private String keyAlias;
+ private boolean clientAuth;
+
+ public JMXSecureConnector(MBeanServerReference mbeanServerReference, String objectName,
ClassLoader classLoader) {
+ this(mbeanServerReference.getMBeanServer(), objectName, classLoader);
+ }
+
+ public JMXSecureConnector(MBeanServer mbeanServer, String objectName, ClassLoader classLoader)
{
+ super(mbeanServer, objectName, classLoader);
+ }
+
+ public void setKeystoreManager(KeystoreManager keystoreManager) {
+ this.keystoreManager = keystoreManager;
+ }
+
+ public KeystoreManager getKeystoreManager() {
+ return this.keystoreManager;
+ }
+
+ public String getKeyStore() {
+ return this.keyStore;
+ }
+
+ public void setKeyStore(String keyStore) {
+ this.keyStore = keyStore;
+ }
+
+ public String getTrustStore() {
+ return this.trustStore;
+ }
+
+ public void setTrustStore(String trustStore) {
+ this.trustStore = trustStore;
+ }
+
+ public String getKeyAlias() {
+ return this.keyAlias;
+ }
+
+ public void setKeyAlias(String keyAlias) {
+ this.keyAlias = keyAlias;
+ }
+
+ public String getAlgorithm() {
+ return this.algorithm;
+ }
+
+ /**
+ * Algorithm to use.
+ * As different JVMs have different implementations available, the default algorithm
can be used by supplying the value "Default".
+ *
+ * @param algorithm the algorithm to use, or "Default" to use the default from {@link
javax.net.ssl.KeyManagerFactory#getDefaultAlgorithm()}
+ */
+ public void setAlgorithm(String algorithm) {
+ if ("default".equalsIgnoreCase(algorithm)) {
+ this.algorithm = KeyManagerFactory.getDefaultAlgorithm();
+ } else {
+ this.algorithm = algorithm;
+ }
+ }
+
+ public String getSecureProtocol() {
+ return this.secureProtocol;
+ }
+
+ public void setSecureProtocol(String secureProtocol) {
+ this.secureProtocol = secureProtocol;
+ }
+
+ public void setClientAuth(boolean clientAuth) {
+ this.clientAuth = clientAuth;
+ }
+
+ public boolean isClientAuth() {
+ return this.clientAuth;
+ }
+
+ public void doStart() throws Exception {
+ jmxServiceURL = new JMXServiceURL(protocol, host, port, urlPath);
+ Map env = new HashMap();
+ Authenticator authenticator = null;
+ if (applicationConfigName != null) {
+ authenticator = new Authenticator(applicationConfigName, classLoader);
+ env.put(JMXConnectorServer.AUTHENTICATOR, authenticator);
+ } else {
+ log.warn("Starting unauthenticating JMXConnector for " + jmxServiceURL);
+ }
+
+ SSLServerSocketFactory sssf = keystoreManager.createSSLServerFactory(null, secureProtocol,
algorithm, keyStore, keyAlias, trustStore, classLoader);
+ RMIServerSocketFactory rssf = new GeronimoSslRMIServerSocketFactory(sssf, clientAuth);
+ RMIClientSocketFactory rcsf = new SslRMIClientSocketFactory();
+ env.put(RMIConnectorServer.RMI_SERVER_SOCKET_FACTORY_ATTRIBUTE, rssf);
+ env.put(RMIConnectorServer.RMI_CLIENT_SOCKET_FACTORY_ATTRIBUTE, rcsf);
+
+ server = JMXConnectorServerFactory.newJMXConnectorServer(jmxServiceURL, env, mbeanServer);
+ NotificationFilterSupport filter = new NotificationFilterSupport();
+ filter.enableType(JMXConnectionNotification.OPENED);
+ filter.enableType(JMXConnectionNotification.CLOSED);
+ filter.enableType(JMXConnectionNotification.FAILED);
+ server.addNotificationListener(authenticator, filter, null);
+ server.start();
+ log.debug("Started JMXConnector " + server.getAddress());
+ }
+
+ private static class GeronimoSslRMIServerSocketFactory implements RMIServerSocketFactory
{
+ private SSLServerSocketFactory sssf;
+ private boolean clientAuth;
+
+ public GeronimoSslRMIServerSocketFactory(SSLServerSocketFactory sssf, boolean clientAuth)
{
+ this.sssf = sssf;
+ this.clientAuth = clientAuth;
+ }
+
+ public ServerSocket createServerSocket(int port) throws IOException {
+ SSLServerSocket ss = (SSLServerSocket) sssf.createServerSocket(port);
+ ss.setNeedClientAuth(clientAuth);
+ return ss;
+ }
+ }
+
+ public static final GBeanInfo GBEAN_INFO;
+
+ static {
+ GBeanInfoBuilder infoFactory = GBeanInfoBuilder.createStatic("JMX Secure Remoting
Connector", JMXSecureConnector.class);
+ infoFactory.addReference("MBeanServerReference", MBeanServerReference.class);
+ infoFactory.addAttribute("objectName", String.class, false);
+ infoFactory.addAttribute("classLoader", ClassLoader.class, false);
+
+ infoFactory.addAttribute("protocol", String.class, true, true);
+ infoFactory.addAttribute("host", String.class, true, true);
+ infoFactory.addAttribute("port", int.class, true, true);
+ infoFactory.addAttribute("urlPath", String.class, true, true);
+ infoFactory.addAttribute("applicationConfigName", String.class, true, true);
+
+ infoFactory.addInterface(JMXConnectorInfo.class);
+
+ infoFactory.addReference("KeystoreManager", KeystoreManager.class);
+ infoFactory.addAttribute("algorithm", String.class, true, true);
+ infoFactory.addAttribute("secureProtocol", String.class, true, true);
+ infoFactory.addAttribute("keyStore", String.class, true, true);
+ infoFactory.addAttribute("keyAlias", String.class, true, true);
+ infoFactory.addAttribute("trustStore", String.class, true, true);
+ infoFactory.addAttribute("clientAuth", boolean.class, true, true);
+
+ infoFactory.setConstructor(new String[]{"MBeanServerReference", "objectName", "classLoader"});
+ GBEAN_INFO = infoFactory.getBeanInfo();
+ }
+
+ public static GBeanInfo getGBeanInfo() {
+ return GBEAN_INFO;
+ }
+}
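Review bot: In doStart the `applicationConfigName == null` branch only logs a warning, but `authenticator` then stays null and `server.addNotificationListener(authenticator, filter, null)` at the end of the method throws IllegalArgumentException (NotificationBroadcasterSupport rejects a null listener), so the connector fails to start with an error that does not name the real cause. Either guard the registration, `if (authenticator != null) { server.addNotificationListener(authenticator, filter, null); }`, or — since this is the secure variant of the connector — refuse to start without an authentication realm, `throw new IllegalStateException("applicationConfigName is required for JMXSecureConnector");`, which is the safer default for a remotely reachable MBeanServer. The same sequence likely exists in JMXConnector.doStart, whose tail is outside its hunk. Separately, `keystoreManager` is dereferenced without a null check when the reference was not set, and `GeronimoSslRMIServerSocketFactory` defines neither equals nor hashCode, which the RMI runtime uses to decide whether exported objects may share a server socket.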
Propchange: geronimo/server/trunk/framework/modules/geronimo-jmx-remoting/src/main/java/org/apache/geronimo/jmxremoting/JMXSecureConnector.java
------------------------------------------------------------------------------
svn:eol-style = native
Modified: geronimo/server/trunk/pom.xml
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/pom.xml?rev=675641&r1=675640&r2=675641&view=diff
==============================================================================
--- geronimo/server/trunk/pom.xml (original)
+++ geronimo/server/trunk/pom.xml Thu Jul 10 09:39:53 2008
@@ -120,6 +120,7 @@
<PlanORBSSLPort>2001</PlanORBSSLPort>
<PlanORBSunSSLPort>2001</PlanORBSunSSLPort>
<PlanJMXPort>9999</PlanJMXPort>
+ <PlanJMXSecurePort>9998</PlanJMXSecurePort>
</properties>
<dependencyManagement>