0

I have an RMI server which uses JAAS as authentication mechanism and exposes several business objects (MBeans). The JAAS login module contains multiple credentials each associated with different permissions, e.g. READ-ONLY, READ-WRITE, DEV etc. MBeans in turn are to rely on those permissions in order to allow/reject certain method calls.

I have spent a good few days researching/experimenting and so far could not find a mechanism which would allow MBeans to determine the authenticated RMI user when a call is invoked on them.

First of all I am aware that there is RemoteServer::getClientHost(), but identifying a client by IP is not suitable since multiple processes could potentially connect from a single IP.

So far, my findings are:

  1. When an RMI connection is established the user is authenticated and a new RMIConnectionImpl instance is created
  2. RMIConnectionImpl contains authentication subject/principals as well as what looks like a unique connection id
  3. None of the identifying information of RMIConnectionImpl is available/retrievable when remote calls are made

Since it seems to be impossible to figure out which RMIConnectionImpl the call is coming from I have initially tried to use the thread which was attempting JAAS authentication as identifier. That plan didn't work since, naturally, RMI uses thread pools and subsequent remote method invocations were not guaranteed to be carried out by the same thread.

Another idea I contemplated was to use AspectJ LTW to intercept RMIConnectionImpl::invoke(..) and to associate a user with a thread through some global ThreadLocal. But there is a world of pain to get it all working, plus it does feel like a massive overkill.

Surely there must be a simpler solution to this really common use case. Hence I am quite puzzled and worried I might be missing something big here.

Any help/suggestions would be much appreciated.

Stepan Kolesnik
  • 614
  • 1
  • 7
  • 12
  • See my many answers here about the RM Remote Session pattern. – user207421 Jan 30 '18 at 22:38
  • @EJP, sure, session pattern can be used but it requires a custom authentication layer on top of the native RMI authentication. My question is whether it is possible to integrate native RMI authentication nicely, so that, for example, clients could use a JConsole to manage the server and beans are aware who's using them. – Stepan Kolesnik Jan 30 '18 at 23:27
  • What 'native RMI authentication'? There isn't any. Are you talking about *Spring* RMI by any chance? Or something else? There is no `RMIConnectionImpl` in the JDK. – user207421 Jan 31 '18 at 03:01
  • There is a native RMI authentication according to [JDK documentation](https://docs.oracle.com/cd/E19698-01/816-7609/security-35/index.html). The example uses basic auth, but it shouldn't really matter, underneath it relies on JMXAuthenticator which can be custom. Also, [RMIConnectionImpl](https://docs.oracle.com/javase/7/docs/api/javax/management/remote/rmi/RMIConnectionImpl.html) – Stepan Kolesnik Jan 31 '18 at 11:18
  • That's not native RMI, it is an RMI layer belonging to JMX. – user207421 Feb 01 '18 at 02:28
  • @EJP, yes, you are correct, it is JMX-specific. I have amended the title. – Stepan Kolesnik Feb 01 '18 at 14:58

0 Answers0