
#3950 enabled basic auth on the MX4J web console

1 parent 305b92a commit d72754e7d1ff5d51cce804f0e8f825692a94072c @ddossot ddossot committed Nov 4, 2013
@@ -170,6 +170,16 @@ public String getSubDir()
* HTTP API port. Defaults to 8889.
*/
int getHttpPort();
+
+ /**
+ * Optional username needed to authenticate on the JMX HTTP web interface.
+ */
+ String getHttpAuthenticationUsername();
+
+ /**
+ * Optional password needed to authenticate on the JMX HTTP web interface.
+ */
+ String getHttpAuthenticationPassword();
}
public static enum RServiClientPoolValidationStrategy
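Review bot: The Javadoc on the two new accessors calls the values optional but does not say what leaving them unset means. Going by the adaptor added in this commit, a null or blank username leaves the web console unauthenticated, and the password is only read when a username is set. The comments should say so, e.g. `Optional username for HTTP Basic authentication on the JMX web console; when null or blank the console is served without authentication.` and `Password paired with the username; required whenever a username is set.`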
@@ -43,6 +43,7 @@
import eu.openanalytics.rsb.config.Configuration.CatalogSection;
import eu.openanalytics.rsb.config.Configuration.DepositDirectoryConfiguration;
import eu.openanalytics.rsb.config.Configuration.DepositEmailConfiguration;
+import eu.openanalytics.rsb.config.Configuration.JmxConfiguration;
import eu.openanalytics.rsb.data.FileCatalogManager;
/**
@@ -198,6 +199,18 @@ private static PersistedConfigurationAdapter loadConfigurationStream(final URL c
}
}
+ if (pca.getJmxConfiguration() != null)
+ {
+ final JmxConfiguration jmxConfiguration = pca.getJmxConfiguration();
+
+ if (StringUtils.isNotBlank(jmxConfiguration.getHttpAuthenticationUsername()))
+ {
+ validateIsTrue(StringUtils.isNotBlank(jmxConfiguration.getHttpAuthenticationPassword()),
+ "Both username and password must be provided when securing the JMX HTTP console",
+ validationErrors);
+ }
+ }
+
return validationErrors;
}
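Review bot: The check is one-sided: a configuration that sets httpAuthenticationPassword but leaves the username blank passes validation, and the adaptor then starts with no authentication even though the operator supplied a credential. The error text already says both values are required, so the pair should be validated symmetrically, e.g. `validateIsTrue(StringUtils.isNotBlank(jmxConfiguration.getHttpAuthenticationUsername()) == StringUtils.isNotBlank(jmxConfiguration.getHttpAuthenticationPassword()), "Both username and password must be provided when securing the JMX HTTP console", validationErrors);`. The enclosing method begins outside the hunk.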
@@ -126,16 +126,27 @@ public void setPassword(final String password)
public static class PersistedJmxConfiguration implements JmxConfiguration
{
- private static final long serialVersionUID = 1L;
- private int stubPort;
- private int registryPort;
- private int httpPort;
+ private static final long serialVersionUID = 2L;
+
+ private int stubPort, registryPort, httpPort;
+ private String httpAuthenticationUsername, httpAuthenticationPassword;
public PersistedJmxConfiguration(final int stubPort, final int registryPort, final int httpPort)
{
+ this(stubPort, registryPort, httpPort, null, null);
+ }
+
+ public PersistedJmxConfiguration(final int stubPort,
+ final int registryPort,
+ final int httpPort,
+ final String httpAuthenticationUsername,
+ final String httpAuthenticationPassword)
+ {
this.stubPort = stubPort;
this.registryPort = registryPort;
this.httpPort = httpPort;
+ this.httpAuthenticationUsername = httpAuthenticationUsername;
+ this.httpAuthenticationPassword = httpAuthenticationPassword;
}
public PersistedJmxConfiguration()
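Review bot: The console password is now a plain String field on a class that declares a serialVersionUID, so it presumably travels with every serialized or dumped copy of this configuration object. If this class or a base class outside the hunk has a toString() or a reflection-based dump, it should leave `httpAuthenticationPassword` out. A comment on the field such as `// credential: never log or include in toString()` would make that explicit. The class body continues outside the hunk.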
@@ -175,6 +186,28 @@ public void setHttpPort(final int httpPort)
{
this.httpPort = httpPort;
}
+
+ @Override
+ public String getHttpAuthenticationUsername()
+ {
+ return httpAuthenticationUsername;
+ }
+
+ public void setHttpAuthenticationUsername(final String httpAuthenticationUsername)
+ {
+ this.httpAuthenticationUsername = httpAuthenticationUsername;
+ }
+
+ @Override
+ public String getHttpAuthenticationPassword()
+ {
+ return httpAuthenticationPassword;
+ }
+
+ public void setHttpAuthenticationPassword(final String httpAuthenticationPassword)
+ {
+ this.httpAuthenticationPassword = httpAuthenticationPassword;
+ }
}
public static class PersistedJobStatisticsHandlerConfiguration
@@ -0,0 +1,62 @@
+/*
+ * R Service Bus
+ *
+ * Copyright (c) Copyright of OpenAnalytics BVBA, 2010-2013
+ *
+ * ===========================================================================
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package eu.openanalytics.rsb.security;
+
+import mx4j.tools.adaptor.http.HttpAdaptor;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import eu.openanalytics.rsb.config.Configuration;
+import eu.openanalytics.rsb.config.Configuration.JmxConfiguration;
+
+/**
+ * Sub-class of {@link HttpAdaptor} that reads security configuration from RSB configuration and
+ * sets it on the adaptor.
+ *
+ * @author "OpenAnalytics &lt;rsb.development@openanalytics.eu&gt;"
+ */
+public class SecurableMx4JHttpAdaptor extends HttpAdaptor
+{
+ private final Log LOGGER = LogFactory.getLog(SecurableMx4JHttpAdaptor.class);
+
+ public SecurableMx4JHttpAdaptor(final Configuration configuration)
+ {
+ super();
+
+ final JmxConfiguration jmxConfiguration = configuration.getJmxConfiguration();
+
+ if (jmxConfiguration != null)
+ {
+ if (StringUtils.isNotBlank(jmxConfiguration.getHttpAuthenticationUsername()))
+ {
+ addAuthorization(jmxConfiguration.getHttpAuthenticationUsername(),
+ jmxConfiguration.getHttpAuthenticationPassword());
+
+ setAuthenticationMethod("basic");
+
+ LOGGER.info("Basic authentication active");
+ }
+ }
+ }
+}
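Review bot: When no username is configured the constructor falls through silently, so the console runs unauthenticated with nothing in the log to show it; an `else` branch with `LOGGER.warn("JMX HTTP console is running without authentication");` would make that state visible to operators. The password is also passed to addAuthorization() unchecked, relying on the loader-side validation. A configuration built in code with a username and a null or blank password is not caught here, so the outer condition could also require `StringUtils.isNotBlank(jmxConfiguration.getHttpAuthenticationPassword())`. As a style point, `LOGGER` is an instance field with a constant-style name and would normally be `private static final`.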
@@ -22,7 +22,8 @@
@author rsb.development@openanalytics.eu
-->
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:context="http://www.springframework.org/schema/context"
- xmlns:p="http://www.springframework.org/schema/p" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:p="http://www.springframework.org/schema/p" xmlns:c="http://www.springframework.org/schema/c"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">
@@ -31,9 +32,10 @@
p:locateExistingServerIfPossible="true" />
<bean id="mx4jXsltProcessor" class="mx4j.tools.adaptor.http.XSLTProcessor" />
- <bean id="mx4jHttpAdaptor" class="mx4j.tools.adaptor.http.HttpAdaptor"
- init-method="start" destroy-method="stop" p:host="0.0.0.0"
- p:port="#{configuration.jmxConfiguration.httpPort}" p:processor-ref="mx4jXsltProcessor">
+ <bean id="mx4jHttpAdaptor" class="eu.openanalytics.rsb.security.SecurableMx4JHttpAdaptor"
+ c:configuration-ref="configuration" init-method="start" destroy-method="stop"
+ p:host="0.0.0.0" p:port="#{configuration.jmxConfiguration.httpPort}"
+ p:processor-ref="mx4jXsltProcessor">
</bean>
<bean id="mbeanExporter" class="org.springframework.jmx.export.MBeanExporter"
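Review bot: `p:host="0.0.0.0"` is carried over unchanged, so the console still listens on every interface while authentication is optional and Basic credentials travel in clear text over plain HTTP. The documentation added in this commit recommends a front web server for SSL, which only helps if the adaptor cannot be reached directly. Consider `p:host="127.0.0.1"`, as the RMI connector's serviceUrl in this file already uses, or making the bind address configurable.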
@@ -69,8 +71,7 @@
<bean class="org.springframework.jmx.support.ConnectorServerFactoryBean"
p:objectName="connector:name=rmi"
p:serviceUrl="service:jmx:rmi://127.0.0.1:#{configuration.jmxConfiguration.stubPort}/jndi/rmi://localhost:#{configuration.jmxConfiguration.registryPort}/myconnector"
- p:registrationPolicy="IGNORE_EXISTING"
- depends-on="rmiRegistry" />
+ p:registrationPolicy="IGNORE_EXISTING" depends-on="rmiRegistry" />
<bean id="rmiRegistry" class="org.springframework.remoting.rmi.RmiRegistryFactoryBean"
p:port="#{configuration.jmxConfiguration.registryPort}" />
@@ -90,5 +90,18 @@
"applicationAwareCatalog" : true
</pre>
</section>
+ <section name="JMX Web UI (MX4J)">
+ <p>It's possible to secure the JMX Web UI with HTTP Basic Auth by configuring a dedicated username / password pair in the RSB configuration:</p>
+ <pre>
+ "jmxConfiguration": {
+ "stubPort": 1098,
+ "registryPort": 1099,
+ "httpPort": 8889,
+ "httpAuthenticationUsername": "jmxui_username",
+ "httpAuthenticationPassword": "jmxui_pass"
+ }
+ </pre>
+ <p>It is recommended to enable SSL encryption for the JMX Web UI by using a frontal web-server, like Nginx.</p>
+ </section>
</body>
</document>
@@ -16,7 +16,8 @@
"host": "localhost", "port": 25, "username": "", "password": ""
},
"jmxConfiguration": {
- "stubPort": 1098, "registryPort": 1099, "httpPort": 8889
+ "stubPort": 1098, "registryPort": 1099, "httpPort": 8889,
+ "httpAuthenticationUsername":"a_user", "httpAuthenticationPassword":"a_password"
},
"depositRootDirectories": [
{
@@ -16,7 +16,8 @@
"host": "localhost", "port": 25, "username": "", "password": ""
},
"jmxConfiguration": {
- "stubPort": 1098, "registryPort": 1099, "httpPort": 8889
+ "stubPort": 1098, "registryPort": 1099, "httpPort": 8889,
+ "httpAuthenticationUsername":"a_user", "httpAuthenticationPassword":"a_password"
},
"depositRootDirectories": [
{
