RFR: 8333344: JMX attaching of Subject does not work when security manager not allowed [v18]

Kevin Walls kevinw at openjdk.org
Tue Jun 18 10:52:13 UTC 2024 

On Mon, 17 Jun 2024 20:51:34 GMT, Kevin Walls <kevinw at openjdk.org> wrote:

>> JMX uses APIs related to the Security Mananger which are deprecated.  Use of AccessControlContext will be removed when Security Manager is removed.
>> 
>> Until then, updates are needed to not require setting  -Djava.security.manager=allow to use JMX authentication.
>
> Kevin Walls has updated the pull request incrementally with one additional commit since the last revision:
> 
>   braces

Yes, maybe we are light on testing with an SM actually enabled.  AuthorizationTest is the key test here, and tests authenticated connections with user/role names.  That is passing with no SM, SM allowed, and SM enabled with policy.

I am testing ThreadPoolAccTest.java with SM enabled with an allPermission policy, as well as just SM allowed or not allowed.  This is a good test as it exercises the Monitor class.  This still works, will add it.

Also, manual testing looks good to me:

In problem builds of jdk 23, attaching with JMX using authentication results in:
org.openjdk.kjdb.MyDebuggerException: getSubject is supported only if a security manager is allowed

With this change, JMX attach using authentication works.  A monitor role can correctly get refusals like:

Caused by: java.lang.SecurityException: Access denied! Invalid access level for requested MBeanServer operation.
        at com.sun.jmx.remote.security.MBeanServerFileAccessController.checkAccess(MBeanServerFileAccessController.java:348)
        at com.sun.jmx.remote.security.MBeanServerFileAccessController.checkWrite(MBeanServerFileAccessController.java:240)
        at com.sun.jmx.remote.security.MBeanServerAccessController.invoke(MBeanServerAccessController.java:469)
        at javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1520)

...and a control role is accepted (that's JMX simple security at work).

Running the target with a SecurityManager, and attaching, I see e.g.:
org.openjdk.kjdb.MyDebuggerException: access denied ("javax.management.MBeanPermission" "com.sun.management.internal.HotSpotThreadImpl#-[java.lang:type=Threading]" "isInstanceOf")

...which looks correct.

Add a -Djava.security.policy=/my/all.policy 
which has allPermission, and connections work OK.  Removing AllPermission from that policy, we get Exceptions again.
This looks good.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/19624#issuecomment-2175801724

More information about the serviceability-dev mailing list