Re: jmx-dev RFR: 8333344: JMX attaching of Subject does not work when security manager not allowed [v18]

Tue, 18 Jun 2024 03:53:22 -0700 

On Mon, 17 Jun 2024 20:51:34 GMT, Kevin Walls <kev...@openjdk.org> wrote:

>> JMX uses APIs related to the Security Mananger which are deprecated.  Use of 
>> AccessControlContext will be removed when Security Manager is removed.
>> 
>> Until then, updates are needed to not require setting  
>> -Djava.security.manager=allow to use JMX authentication.
>
> Kevin Walls has updated the pull request incrementally with one additional 
> commit since the last revision:
> 
>   braces

Yes, maybe we are light on testing with an SM actually enabled.  
AuthorizationTest is the key test here, and tests authenticated connections 
with user/role names.  That is passing with no SM, SM allowed, and SM enabled 
with policy.

I am testing ThreadPoolAccTest.java with SM enabled with an allPermission 
policy, as well as just SM allowed or not allowed.  This is a good test as it 
exercises the Monitor class.  This still works, will add it.

Also, manual testing looks good to me:

In problem builds of jdk 23, attaching with JMX using authentication results in:
org.openjdk.kjdb.MyDebuggerException: getSubject is supported only if a 
security manager is allowed

With this change, JMX attach using authentication works.  A monitor role can 
correctly get refusals like:

Caused by: java.lang.SecurityException: Access denied! Invalid access level for 
requested MBeanServer operation.
        at 
com.sun.jmx.remote.security.MBeanServerFileAccessController.checkAccess(MBeanServerFileAccessController.java:348)
        at 
com.sun.jmx.remote.security.MBeanServerFileAccessController.checkWrite(MBeanServerFileAccessController.java:240)
        at 
com.sun.jmx.remote.security.MBeanServerAccessController.invoke(MBeanServerAccessController.java:469)
        at 
javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1520)

...and a control role is accepted (that's JMX simple security at work).

Running the target with a SecurityManager, and attaching, I see e.g.:
org.openjdk.kjdb.MyDebuggerException: access denied 
("javax.management.MBeanPermission" 
"com.sun.management.internal.HotSpotThreadImpl#-[java.lang:type=Threading]" 
"isInstanceOf")

...which looks correct.

Add a -Djava.security.policy=/my/all.policy 
which has allPermission, and connections work OK.  Removing AllPermission from 
that policy, we get Exceptions again.
This looks good.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/19624#issuecomment-2175801724

Reply via email to