Does anybody know how to secure the JNDI access for remote clients on JBoss?
I know how to secure remote JMX invokers but even with that in effect it is still possile to lookup, bind and unbind things in JNDI even if the client is not authenticated.
I would like that that the server refuses to give you access to the InitialContext if you are not authenticated and to make it read only for some clients. Is this possible?
I am using JBoss 5.1.0 GA with jdk6
The instructions on how to do this are in the JBoss Wiki. It is not perfect, but it works.
Even if the article only mentions versions 3 and 4 of JBoss it still works with 5.1.0 GA.
Related
I did search on jBoss EAP 7.x documentation but didn't find any detailed explanation on how to do the configuration I'm looking for: [jBoss EAP 7.2] <--Remote queues--> [jBoss EAP 7.2 - The actual Queues are here]
As I used to do on jBoss EAP 6.4, I was using Netty with remoting configuration with Acceptor/Connector on Client Side with a defaut remoting on the port 5445.
I'm here to find out the best used practice on how to configure and what are the Actual configurations to be done (which variable on which module etc...)
Thank you community.
You shjould be able to do the same: create a connection factory and a connector on your 'client' server to connect to the acceptor on the 'server' server.
As proposed the solution:
- Using Acceptor on "Server" server side
- Using Connecor on "Server" client side
Another hint is using the Outbound-socket-binding to choose where to the remote queues will publish/read data.
Thanks community.
I have tomcat and JNDI point in system.
I need to use this point for connecting remote consumers. I read that tomcat doesn't share its JNDI, if so, how to set up a separate JNDI server on my network or is there any way to configure tomcat to share JNDI?
There is no such thing as a 'JNDI server'. JNDI is a client-side API that interfaces to various naming technologies.
You could consider an LDAP server.
Is it possible to deploy different versions of single application on one IBM Websphere Application Server (WAS)?
For example I have:
App1 with url binding http://app/1.0/service/
App2 with url binding http://app/2.0/service/
Is it possible?
I think not due to port listening issue, but maybe there is some chance...
It should be possible, but with some restrictions (depending on your application). If you have WAS ND 8.5.5, then you have Application Edition management feature. Read more details on that page.
If you are on the older version, you will have to change several things during deployment, e.g.:
context-root of the application
JNDI EJB binding names
if other version is using different database - update the JDBC references
if other version is using additional resources (like queues, qcf) update them also.
Actually, port listening has nothing to do with it, as both application will use same port, but different context-roots.
This of course assumes that application doesn't have hard coded values in it (like context root, jndi names, etc).
Jolokia is uncharted territory for me, and after having read the documentation, I'm still not sure if it'll work with the scenario I have in mind.
Setup:
Tomcat application server (version ranges from 6.x to 7.x), usually on a Windows platform, occasionally a flavour of Linux.
Deployed third-party Java web application (SAP BusinessObjects) with JMX monitoring enabled (accessible through RMI).
Possible gotcha's:
The Java web application to be monitored is commercial and closed source, so modifications are not possible. The only thing that can be changed is the JMX port number
The JMX endpoint is a custom one, thus not the default jmxrmi endpoint.
The JMX connection requires authentication.
Goal:
What I'd like to do is to deploy the Jolokia WAR file onto the Tomcat server and then configure it so that I can read the MBean attributes from the other web application.
I would code the client myself using Python (version 3) and the Requests HTTP library.
I've been reading through the Jolokia documentation (again, I'm a complete newbie at this point), but can't figure out if this would be possible or not (as I can't seem to find where to enter the JMX/RMI url or the authentication information).
Questions:
Can I use the WAR agent for this setup?
If not, can you please explain why (so I can understand, not because I don't believe you). Also, is there another agent that's more suited for this scenario?
If yes, can you point me in the right direction how to configure the Jolokia to the web application to connect to?
First of all, Jolokia by passes the JSR-160 connector stuff completely, so there is no need for any JMX/RMI authentication. The whole purpose of Jolokia is to provide a bridge over HTTP/JSON to the internal JMX subsystem. Depending on the agent, you can secure Jolokia quite easily. For the WAR agent, securing is the same as for any Java EE web app: Setup some roles and users for tomcat (e.g. in tomcat-users.xml) and reference the role in the security contstraints within the jolokia.war's /WEB-INF/web.xml.
To your questions:
Yes, you can. If you don't have any specific authentication needs, simply drop the jolokia.war into tomcat's /webapps directory. I suggest to try this first before adding security. For deinstalling the agent, simply remove the war.
As an alternative, you could also use the JVM agent, which opens an own HTTP server on an extra port (default: 8778). More on this in the reference manual
There is no need for a dedicated connection to the web app since MBeans are registered globally and are accesible from anywhere in the JVM. A webapp should of course select carefully the management information it exposes. So, there is no extra step needed and you can access the MBeans for the WEB app directly (except when it does something unusual with Java security, but I don't think so).
To test the installation, simply connect to the Tomcat with your browser and the context /jolokia (e.g. "http://localhost:8080/jolokia"). You should see the version information about the agent itself.
The next step would be to explore the JMX namespace, either with the browser (and operation "list" like in http://localhost:8080/jolokia/list , but that's tedious) or with a client like j4psh or hawt.io. Hopefully you will find the MBeans of your webapp you are looking for.
I created a small standalone client using:
weblogic.jndi.WLInitialContextFactory
t3://weblogic-server:7001
jms.xyz.jmsXyzCf
jms/xyz/jmsXyzLogQueue
And it works flawlessly.
When a try to run the same code from my websphere server I get NullPointerException. I understand this happens because I don't have weblogic classes in the classpath:
Caused by: java.lang.NullPointerException
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:235)
at javax.naming.InitialContext.initializeDefaultInitCtx(InitialContext.java:327)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:357)
at javax.naming.InitialContext.internalInit(InitialContext.java:295)
at javax.naming.InitialContext.(InitialContext.java:212)
When I try to add them I get some "Security" errors
Current Java 2 Security policy reported a potential violation of Java 2 Security Permission.
java.security.AccessControlException: Access denied (java.lang.RuntimePermission exitVM.0)
at java.security.AccessController.checkPermission(AccessController.java:108)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:533)
at com.ibm.ws.security.core.SecurityManager.checkPermission(SecurityManager.java:211)
at java.lang.SecurityManager.checkExit(SecurityManager.java:745)
at java.lang.Runtime.exit(Runtime.java:100)
at java.lang.System.exit(System.java:297)
As last resource, I tried to connect using websphere own context factory: com.ibm.websphere.naming.WsnInitialContextFactory but of course it fails because it doesn't understand t3.
Question
How can I connect to a weblogic JMS from Websphere?
WebSphere isn't exactly known for its friendliness towards running system-level functionality (such as JNDI) using third party implementations. You will have to, at the end, use WebSphere's classes (including WebSphere's InitialContextFactory implementation).
When running under WebSphere, you don't need (and actually, shouldn't) explicitly specify the InitialContextFactory implementation; WebSphere can (and should) conclude it itself.
If I understand correctly, you're trying to connect to WebLogic JMS Administered Objects from within a WebSphere server process. The only way I can think of, to do that, would be to obtain WebLogic JMS's implementation classes and adding it as a JMS provider, then use JNDI to look it up. I'll be happy to stand corrected, though.