Uploaded image for project: 'Karaf'
  1. Karaf
  2. KARAF-6654

Remote JMX connection not working with security manager

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 4.2.8
    • Fix Version/s: None
    • Component/s: karaf
    • Environment:

      Karaf version 4.2.8

      Description

      We're unable to connect to remote JMX with security manager enabled.
       
      Steps to reproduce:

      • On Karaf 4.2.8, turn on the security manager by adding 
        -Djava.security.manager and
        -Djava.security.policy==${KARAF_HOME}/etc/all.policy
        to the karaf script.
      • Using jconsole with debug logging, connect to the remote JMX using service:jmx:rmi:///jndi/rmi://localhost:1099/karaf-root and karaf/karaf as the username and password. Choose Insecure connection

      The connection will fail and you will get the following in the logs.

      Note: all.policy grants access to everything.

      java.security.AccessControlException: access denied ("javax.security.auth.AuthPermission" "getSubject")
      	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
      	at java.security.AccessController.checkPermission(AccessController.java:886)
      	at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
      	at javax.security.auth.Subject.getSubject(Subject.java:287)
      	at org.apache.felix.eventadmin.impl.handler.EventAdminImpl.prepareEvent(EventAdminImpl.java:146)
      	at org.apache.felix.eventadmin.impl.handler.EventAdminImpl.postEvent(EventAdminImpl.java:180)
      	at org.apache.felix.eventadmin.impl.security.EventAdminSecurityDecorator.postEvent(EventAdminSecurityDecorator.java:79)
      	at org.apache.karaf.management.internal.EventAdminLoggerImpl.log(EventAdminLoggerImpl.java:56)
      	at org.apache.karaf.management.internal.EventAdminMBeanServerWrapper.log(EventAdminMBeanServerWrapper.java:143)
      	at org.apache.karaf.management.internal.EventAdminMBeanServerWrapper.getClassLoaderRepository(EventAdminMBeanServerWrapper.java:641)
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	at org.apache.karaf.management.internal.MBeanInvocationHandler.invoke(MBeanInvocationHandler.java:60)
      	at com.sun.proxy.$Proxy19.getClassLoaderRepository(Unknown Source)
      	at javax.management.remote.rmi.RMIConnectionImpl$1.run(RMIConnectionImpl.java:137)
      	at javax.management.remote.rmi.RMIConnectionImpl$1.run(RMIConnectionImpl.java:135)
      	at java.security.AccessController.doPrivileged(Native Method)
      	at javax.management.remote.rmi.RMIConnectionImpl.<init>(RMIConnectionImpl.java:134)
      	at javax.management.remote.rmi.RMIJRMPServerImpl.makeClient(RMIJRMPServerImpl.java:207)
      	at javax.management.remote.rmi.RMIServerImpl.doNewClient(RMIServerImpl.java:250)
      	at javax.management.remote.rmi.RMIServerImpl.newClient(RMIServerImpl.java:199)
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:357)
      	at sun.rmi.transport.Transport$1.run(Transport.java:200)
      	at sun.rmi.transport.Transport$1.run(Transport.java:197)
      	at java.security.AccessController.doPrivileged(Native Method)
      	at sun.rmi.transport.Transport.serviceCall(Transport.java:196)
      	at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:573)
      	at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:834)
      	at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.lambda$run$0(TCPTransport.java:688)
      	at java.security.AccessController.doPrivileged(Native Method)
      	at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:687)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
      	at java.lang.Thread.run(Thread.java:748)
      	at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(StreamRemoteCall.java:303)
      	at sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:279)
      	at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:161)
      	at javax.management.remote.rmi.RMIServerImpl_Stub.newClient(Unknown Source)
      	at javax.management.remote.rmi.RMIConnector.getConnection(RMIConnector.java:2430)
      	at javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:308)
      	at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:270)
      	at sun.tools.jconsole.ProxyClient.tryConnect(ProxyClient.java:370)
      	at sun.tools.jconsole.ProxyClient.connect(ProxyClient.java:313)
      	at sun.tools.jconsole.VMPanel$2.run(VMPanel.java:294)
      

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              destab Blen Desta
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated: