shiro-user mailing list archives

From jcalcote
Subject Java Platform Security and Shiro Authorization
Date Tue, 19 Aug 2014 16:49:49 GMT
I'm investigating securing a JMX server using Shiro. Actually, as usual, it's
a bit more complicated than that; we're using Jolokia (essentially a JMX
protocol adaptor framework for REST/HTTP) to provide a standardized
REST/HTTP interface to a JMX server. We're supporting both remote access
mechanisms - JMX/RMI and REST/HTTP. I want to use Shiro to secure both of
these interfaces.

I've found some interesting resources along the way for authentication. For
instance, this Stack Overflow article
provides two mechanisms for tying Shiro into the JAAS framework
required/expected by JMX agents: implementing a JMXAuthenticator and
implementing a JAAS LoginModule. In either case, the typical way the Shiro
authentication context is attached to the JAAS authentication context is to
store the Shiro context in the private credentials of the JAAS context.

These private credentials are then available to MBean Connection Servers via
the global JAAS security context. When a connection is established with a
remote manager, the connection context contains the authenticated JAAS
security context. By using an MBeanServerForwarder, I'm able to perform
Shiro authorization checks based on the privately stored Shiro-authenticated

All that said, however, I'm wondering if anyone has considered a tighter
integration between Shiro and the JMX native authorization model (Java
Platform Security). It would be nice if there were a way to configure
platform security as a mapping between Shiro permissions and the JPS
permissions consumed natively by JMX. I'd like to be able to forgo the
forwarder and just let JPS permissions be checked automatically by JMX, but
have those checks be somehow mapped to Shiro permissions under the covers.


Thanks in advance,
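
The forwarder-based check described in the message above, as an added Java example that is not the poster's code or the Shiro project's. The class name `ShiroForwarder` and the `jmx:<method>:<domain>` permission strings are hypothetical, and it assumes the connector's authenticator stored the Shiro Subject in the JAAS private credentials.

```java
import java.lang.reflect.*;
import java.security.AccessController;
import javax.management.MBeanServer;
import javax.management.ObjectName;
import javax.management.remote.MBeanServerForwarder;
import javax.security.auth.Subject;

/** Added example (Java 8-era APIs): Shiro permission checks inside an MBeanServerForwarder. */
public final class ShiroForwarder implements InvocationHandler {
    private MBeanServer target;

    public static MBeanServerForwarder newInstance() {
        return (MBeanServerForwarder) Proxy.newProxyInstance(
                MBeanServerForwarder.class.getClassLoader(),
                new Class<?>[] {MBeanServerForwarder.class}, new ShiroForwarder());
    }

    @Override
    public Object invoke(Object proxy, Method m, Object[] args) throws Throwable {
        String op = m.getName();
        if (op.equals("getMBeanServer")) return target;
        if (op.equals("setMBeanServer")) { target = (MBeanServer) args[0]; return null; }

        // JAAS Subject the connector server bound to this request thread.
        Subject jaas = Subject.getSubject(AccessController.getContext());
        // No Subject: the connector server's own internal call. Assumes an authenticator
        // is configured on the connector, so every remote request carries a Subject.
        if (jaas != null) {
            // Shiro Subject stored as a JAAS private credential at login (per the post).
            org.apache.shiro.subject.Subject shiro = jaas
                    .getPrivateCredentials(org.apache.shiro.subject.Subject.class)
                    .stream().findFirst()
                    .orElseThrow(() -> new SecurityException("no Shiro subject on connection"));
            // Hypothetical permission scheme: jmx:<MBeanServer method>:<ObjectName domain>.
            // Calls with no ObjectName map to "*", which only a wildcard grant implies.
            String domain = (args != null && args.length > 0 && args[0] instanceof ObjectName)
                    ? ((ObjectName) args[0]).getDomain() : "*";
            String perm = "jmx:" + op + ":" + domain;
            if (!shiro.isPermitted(perm)) throw new SecurityException("denied: " + perm);
        }
        try {
            return m.invoke(target, args);
        } catch (InvocationTargetException e) {
            throw e.getCause(); // surface the MBeanServer's own exception to the caller
        }
    }
}
```

Attach it with `JMXConnectorServer.setMBeanServerForwarder(ShiroForwarder.newInstance())` before starting the connector server. The denial is thrown as a plain `SecurityException` so that remote JMX clients do not need Shiro classes to deserialize it.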
