[OPENDJ-1363] JMXMBean does not handle local connections correctly Created: 05/Mar/14  Updated: 08/Nov/19

Status: Dev backlog
Project: OpenDJ
Component/s: core server, monitoring
Affects Version/s: 2.6.0
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Chris Ridd Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: release-notes

Support Ticket IDs:

 Description   

Enable the JMX connection handler.

Connect using jconsole to the local JVM, ie using the same login account. The JMXMBean.getClientConnection() method is called, but returns null for the clientConnection because the subject returned from javax.security.auth.Subject.getSubject(acc) is null.

A null connection causes us to return an MBeanInfo that doesn't expose any attributes.

However remote connections have a subject (the DN entered in jconsole) and so the clientConnection is non-null and consequently we expose monitoring attributes to remote connections.

A debugger shows that acc.isPrivileged is true for local connections and false for remote connections. Similarly, acc.isAuthorized is true for local connections and false for remote connections. However those are private to the acc object...

https://blogs.oracle.com/lmalventosa/entry/jmx_authentication_authorization suggests that a null Subject indicates a local connection; some testing suggests that trying to connect anonymously over a remote connection fails before this method is called.



 Comments   
Comment by Matthew Swift [ 12/Jul/17 ]

On a related subject, I wonder whether OpenDJ should be relaxed in the case where the JMX connection handler is disabled.

At the moment none of the OpenDJ specific JMX beans are visible when the JMX connection handler disabled. This seems a little paranoid and makes OpenDJ harder to use and demo OOTB. It would be nice if OpenDJ behaved like other applications and exposed all of its beans, so to speak, by default for local connections. If users want stricter controls for local access then they can enable the JMX connection handler.

Comment by Matthew Swift [ 12/Jul/17 ]

In fact, relaxing the default behavior may be required in order to align with the rest of the stack.

Generated at Mon Nov 18 06:16:58 GMT 2019 using Jira 7.13.8#713008-sha1:1606a5c1e7006e1ab135aac81f7a9566b2dbc3a6.