authorAidan Skinner <aidan@apache.org>2009-02-13 14:00:10 +0000
committerAidan Skinner <aidan@apache.org>2009-02-13 14:00:10 +0000
commit1f7ae0217d53c33eaa5b078e7b4b8aca2a479122 (patch)
tree2bf6f8c5fa5d411229181ec7c724e8ebdb994219 /java/management/common/src
parentfc9058fc3df68f6c8c0fae455f34f751b584698e (diff)
QPID-1511 : Adds authentication and ssl encryption capabilities to the RMI based JMXConnectorServer in use, enforces use of the custom MBeanInvocationhandlerImp when using the RMI based JMX, and implements a customised RMI registry to prevent external changes being possible. Updated Management console accordingly.
Patch from Robbert Gemmell <gemmellr@dcs.gla.ac.uk> git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@744113 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'java/management/common/src')
-rw-r--r--java/management/common/src/main/java/org/apache/qpid/management/common/JMXConnnectionFactory.java56
1 files changed, 39 insertions, 17 deletions
diff --git a/java/management/common/src/main/java/org/apache/qpid/management/common/JMXConnnectionFactory.java b/java/management/common/src/main/java/org/apache/qpid/management/common/JMXConnnectionFactory.java
index c9955329d0..f5831c9e28 100644
--- a/java/management/common/src/main/java/org/apache/qpid/management/common/JMXConnnectionFactory.java
+++ b/java/management/common/src/main/java/org/apache/qpid/management/common/JMXConnnectionFactory.java
@@ -29,6 +29,7 @@ import java.util.Map;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
+import javax.net.ssl.SSLException;
import javax.security.auth.callback.CallbackHandler;
import javax.security.sasl.SaslClientFactory;
@@ -40,8 +41,13 @@ import org.apache.qpid.management.common.sasl.UserPasswordCallbackHandler;
import org.apache.qpid.management.common.sasl.UsernameHashedPasswordCallbackHandler;
public class JMXConnnectionFactory {
-
- public static JMXConnector getJMXConnection(long timeout, String host, int port, String username, String password) throws Exception
+
+ private static final String NON_JRMP_SERVER = "non-JRMP server at remote endpoint";
+ private static final String SERVER_SUPPORTED_PROFILES = "The server supported profiles";
+ private static final String CLIENT_REQUIRED_PROFILES = "do not match the client required profiles";
+
+ public static JMXConnector getJMXConnection(long timeout, String host, int port, String username, String password)
+ throws SSLException, IOException, Exception
{
//auto-negotiate an RMI or JMXMP (SASL/CRAM-MD5 or SASL/PLAIN) JMX connection to broker
try
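Review bot: The new `throws SSLException, IOException, Exception` clause on getJMXConnection is documentation only, because the trailing `Exception` subsumes the two narrower types and callers are still forced to catch `Exception`. Since the change exists to let the console tell a TLS failure apart from other connection errors, I would state that contract in Javadoc on the method, e.g. `@throws SSLException if the RMI connection failed because of an SSL/TLS problem` and `@throws IOException if the connection failed for another transport reason`. If nothing in the body (which continues outside this hunk) needs the broad type, dropping `Exception` would let the compiler enforce the distinction.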
@@ -51,11 +57,30 @@ public class JMXConnnectionFactory {
catch (IOException rmiIOE)
{
// check if the ioe was raised because we tried connecting to a non RMI-JRMP based JMX server
- boolean jrmpServer = !rmiIOE.getMessage().contains("non-JRMP server at remote endpoint");
+ boolean jrmpServer = !rmiIOE.getMessage().contains(NON_JRMP_SERVER);
if (jrmpServer)
{
- throw rmiIOE;
+ //it was an RMI-JRMP based JMX server, so something else went wrong. Check for SSL issues.
+ Throwable rmiIOECause = rmiIOE.getCause();
+ boolean isSSLException = false;
+ if (rmiIOECause != null)
+ {
+ isSSLException = rmiIOECause instanceof SSLException;
+ }
+
+ //if it was an SSLException based cause, throw it
+ if (isSSLException)
+ {
+ throw (SSLException) rmiIOECause;
+ }
+ else
+ {
+ //can't determine cause, throw new IOE citing the original as cause
+ IOException nioe = new IOException();
+ nioe.initCause(rmiIOE);
+ throw nioe;
+ }
}
else
{
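Review bot: The SSL check after `rmiIOE.getCause()` inspects only the direct cause, so an `SSLException` nested further down the chain falls into the generic branch, and a certificate or trust problem is reported as a plain connection error. The RMI connector may wrap the transport error in other exceptions, which is worth confirming against a real handshake failure. The generic branch also throws `new IOException()` with no message, where the old code rethrew `rmiIOE` itself; rethrowing the original keeps the text callers display. Separately, `rmiIOE.getMessage()` can be null, and `.contains(...)` would then throw a NullPointerException that hides the real failure; the same pattern is at `cramIOE.getMessage()` and `plainIOE.getMessage()` in the two later hunks. The catch block belongs to getJMXConnection, whose `try` and trailing `else` body lie outside this hunk.

```java
String rmiMessage = rmiIOE.getMessage();
boolean jrmpServer = rmiMessage == null || !rmiMessage.contains(NON_JRMP_SERVER);
if (jrmpServer)
{
    //look through the whole cause chain, the SSLException may be nested
    for (Throwable cause = rmiIOE.getCause(); cause != null; cause = cause.getCause())
    {
        if (cause instanceof SSLException)
        {
            throw (SSLException) cause;
        }
    }
    //not an SSL problem: rethrow the original so its message is kept
    throw rmiIOE;
}
// … unchanged: else branch that goes on to try JMXMP …
```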
@@ -67,8 +92,8 @@ public class JMXConnnectionFactory {
catch (IOException cramIOE)
{
// check if the IOE was raised because we tried connecting to a SASL/PLAIN server using SASL/CRAM-MD5
- boolean plainProfileServer = cramIOE.getMessage().contains("The server supported profiles [SASL/PLAIN]" +
- " do not match the client required profiles [SASL/CRAM-MD5]");
+ boolean plainProfileServer = cramIOE.getMessage().contains(SERVER_SUPPORTED_PROFILES +
+ " [" + Constants.SASL_PLAIN + "] " + CLIENT_REQUIRED_PROFILES + " [" + Constants.SASL_CRAMMD5 + "]");
if (!plainProfileServer)
{
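Review bot: The `plainProfileServer` test lets the text of the server's error decide whether the client moves on to a SASL/PLAIN attempt, so, as far as the visible hunks show, any endpoint that answers the CRAM-MD5 attempt with that message is then sent the password unhashed. Unless the JMXMP transport is protected by other means (not visible here), I would make the fallback an explicit opt-in, or at least record the risk where the check is made, e.g. `// NOTE: falling back to SASL/PLAIN sends the password unhashed; only acceptable over a protected transport`. Matching on the concatenated message is also fragile, since a reworded server message silently changes which branch is taken. The surrounding try/catch starts and ends outside this hunk.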
@@ -87,7 +112,7 @@ public class JMXConnnectionFactory {
{
/* Out of options now. Check that the IOE was raised because we tried connecting to a server
* which didnt support SASL/PLAIN. If so, signal an unknown profile type. If not, raise the exception. */
- boolean unknownProfile = cramIOE.getMessage().contains("do not match the client required profiles [SASL/PLAIN]");
+ boolean unknownProfile = plainIOE.getMessage().contains(CLIENT_REQUIRED_PROFILES + " [" + Constants.SASL_PLAIN + "]");
if (unknownProfile)
{
@@ -106,18 +131,19 @@ public class JMXConnnectionFactory {
}
}
- private static JMXConnector createJMXconnector(String connectionType, long timeout, String host, int port, String userName, String password) throws IOException, Exception
+ private static JMXConnector createJMXconnector(String connectionType, long timeout, String host, int port,
+ String userName, String password) throws IOException, Exception
{
Map<String, Object> env = new HashMap<String, Object>();
- String securityMechanism = null;
JMXServiceURL jmxUrl = null;
if (connectionType == "RMI")
{
- securityMechanism = Constants.MECH_PLAIN;
-
jmxUrl = new JMXServiceURL("service:jmx:rmi:///jndi/rmi://" + host + ":" + port + "/jmxrmi");
- env = null;
+
+ //Add user credential's to environment map for RMIConnector startup.
+ //These will be used for authentication by the remote RMIConnectorServer if supported, or ignored otherwise.
+ env.put(JMXConnector.CREDENTIALS, new String[] {userName,password});
}
else if (connectionType.contains("JMXMP"))
{
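Review bot: `env.put(JMXConnector.CREDENTIALS, new String[] {userName,password})` now hands the password to every RMI connection attempt, and nothing in this hunk ties that to the connection being SSL-protected, so against a broker configured without SSL the credentials would presumably cross the network unencrypted. The added comment should say so, for instance `//NOTE: the credentials are only protected in transit when the RMI connection uses SSL`, and it is worth skipping the put when `userName` or `password` is null. Also in this method, `connectionType == "RMI"` (and the `== "JMXMP_CRAM-MD5"` / `== "JMXMP_PLAIN"` tests in the later hunks) compares references and only works while every caller passes an interned literal; `"RMI".equals(connectionType)` is the safe form. The method body continues outside the hunk.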
@@ -143,8 +169,6 @@ public class JMXConnnectionFactory {
if (connectionType == "JMXMP_CRAM-MD5")
{
- securityMechanism = Constants.MECH_CRAMMD5;
-
Map<String, Class<? extends SaslClientFactory>> map = new HashMap<String, Class<? extends SaslClientFactory>>();
map.put("CRAM-MD5-HASHED", CRAMMD5HashedSaslClientFactory.class);
Security.addProvider(new JCAProvider(map));
@@ -156,8 +180,6 @@ public class JMXConnnectionFactory {
}
else if (connectionType == "JMXMP_PLAIN")
{
- securityMechanism = Constants.MECH_PLAIN;
-
Security.addProvider(new SaslProvider());
CallbackHandler handler = new UserPasswordCallbackHandler(userName, password);
env.put("jmx.remote.profiles", Constants.SASL_PLAIN);
@@ -165,7 +187,7 @@ public class JMXConnnectionFactory {
}
else
{
- throw new Exception("Unknown authentication mechanism");
+ throw new Exception("Unknown JMXMP authentication mechanism");
}
}
else