GEODE-7373: add jmx credential type constraint (#4236)


diff --git a/geode-core/src/integrationTest/java/org/apache/geode/management/internal/security/JmxCredentialTypeTest.java b/geode-core/src/integrationTest/java/org/apache/geode/management/internal/security/JmxCredentialTypeTest.java
new file mode 100644
index 0000000..69c369e
--- /dev/null
+++ b/geode-core/src/integrationTest/java/org/apache/geode/management/internal/security/JmxCredentialTypeTest.java
@@ -0,0 +1,49 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more contributor license
+ * agreements. See the NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License. You may obtain a
+ * copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ */
+
+package org.apache.geode.management.internal.security;
+
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import javax.management.remote.JMXConnector;
+
+import org.junit.ClassRule;
+import org.junit.Rule;
+import org.junit.Test;
+
+import org.apache.geode.examples.SimpleSecurityManager;
+import org.apache.geode.test.junit.rules.LocatorStarterRule;
+import org.apache.geode.test.junit.rules.MBeanServerConnectionRule;
+
+public class JmxCredentialTypeTest {
+
+  @ClassRule
+  public static LocatorStarterRule locator = new LocatorStarterRule().withSecurityManager(
+      SimpleSecurityManager.class).withAutoStart();
+
+  @Rule
+  public MBeanServerConnectionRule connectionRule = new MBeanServerConnectionRule();
+
+  @Test
+  public void testWithNonStringCredential() throws Exception {
+    Map<String, Object> env = new HashMap<>();
+    env.put(JMXConnector.CREDENTIALS, new Integer(0));
+    assertThatThrownBy(() -> connectionRule.connect("localhost", locator.getJmxPort(), env))
+        .hasMessageContaining("filter status: REJECTED");
+  }
+}
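Review bot: `new Integer(0)` in testWithNonStringCredential uses the boxing constructor that is deprecated since Java 9; `env.put(JMXConnector.CREDENTIALS, Integer.valueOf(0));` gives the same non-String payload without the warning. The class also only proves the negative case: a companion test that connects through the same rule with a `String[]` credential would pin that the allow-list still admits the type the authenticator consumes, so a later tightening of that list cannot silently lock every client out. The substring "filter status: REJECTED" couples the assertion to the JDK filter's message wording; a one-line comment saying that this text comes from the JDK's credential filter, not from Geode, would save the next maintainer a search when a JDK update changes it.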
diff --git a/geode-core/src/main/java/org/apache/geode/internal/security/shiro/JMXShiroAuthenticator.java b/geode-core/src/main/java/org/apache/geode/internal/security/shiro/JMXShiroAuthenticator.java
index 2bb1a3c..c1298be 100644
--- a/geode-core/src/main/java/org/apache/geode/internal/security/shiro/JMXShiroAuthenticator.java
+++ b/geode-core/src/main/java/org/apache/geode/internal/security/shiro/JMXShiroAuthenticator.java
@@ -50,10 +50,7 @@
   public Subject authenticate(Object credentials) {
     String username = null;
     Properties credProps = new Properties();
-    if (credentials instanceof Properties) {
-      credProps = (Properties) credentials;
-      username = credProps.getProperty(ResourceConstants.USER_NAME);
-    } else if (credentials instanceof String[]) {
+    if (credentials instanceof String[]) {
       final String[] aCredentials = (String[]) credentials;
       username = aCredentials[0];
       credProps.setProperty(ResourceConstants.USER_NAME, aCredentials[0]);
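Review bot: Removing the `Properties` branch narrows what authenticate accepts, but nothing in the hunk records why, and the fall-through for a credentials object that is neither `Properties` nor `String[]` is outside the hunk (authenticate continues past line 74). A comment above the retained `instanceof` such as `// Properties credentials are no longer accepted: the RMI connector's credential-type allow-list in ManagementAgent admits only String and String[], so any in-process caller must use the same shapes` would tie the two changes together. In the kept branch `aCredentials[0]` is read without a length check, so an empty `String[]`, which the allow-list does admit, presumably ends in an ArrayIndexOutOfBoundsException rather than an authentication failure; a guard on `aCredentials.length` before indexing would make that path fail the same way as other bad credentials.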
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/ManagementAgent.java b/geode-core/src/main/java/org/apache/geode/management/internal/ManagementAgent.java
index a0093b3..62dd471 100755
--- a/geode-core/src/main/java/org/apache/geode/management/internal/ManagementAgent.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/ManagementAgent.java
@@ -349,9 +349,15 @@
     // Retrieve the PlatformMBeanServer.
     MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
 
-    // Environment map. why is this declared as HashMap?
+    // Environment map
     final HashMap<String, Object> env = new HashMap<>();
 
+    // this makes sure the credentials passed to make the connection has to be in the form of String
+    // or String[]. Other form of credentials will not get de-serialized
+    env.put("jmx.remote.rmi.server.credential.types", new String[] {
+        String[].class.getName(),
+        String.class.getName()});
+
     // Manually creates and binds a JMX RMI Connector Server stub with the
     // registry created above: the port we pass here is the port that can
     // be specified in "service:jmx:rmi://"+hostname+":"+port - where the
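Review bot: The key `"jmx.remote.rmi.server.credential.types"` is written as a bare literal with no reference to where it is defined; JDK 9 exposes the same key as `RMIConnectorServer.CREDENTIAL_TYPES`, and as far as I recall JDK 10 deprecates it in favour of `jmx.remote.rmi.server.credentials.filter.pattern`. Keeping the literal is defensible if the build must compile on JDK 8, but the comment should say so, for example `// JDK property (RMIConnectorServer.CREDENTIAL_TYPES on 9+, deprecated on 10+ in favour of jmx.remote.rmi.server.credentials.filter.pattern); kept as a literal for JDK 8 compatibility`. The wording of the added comment is also off ("has to be in the form of", "Other form"); `// Restrict the credential object the RMI connector will deserialize to String or String[]; anything else is rejected by the JDK filter before it reaches the authenticator` states the guarantee precisely and makes clear that this applies only to RMI-transported credentials.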
@@ -396,12 +402,12 @@
 
           @Override
           public synchronized void start() throws IOException {
+            super.start();
             try {
-              registry.bind("jmxrmi", stub);
+              registry.bind("jmxrmi", stub.toStub());
             } catch (AlreadyBoundException x) {
               throw new IOException(x.getMessage(), x);
             }
-            super.start();
           }
         };
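Review bot: Moving `super.start()` ahead of the bind means a failed `registry.bind` now leaves the connector server running, since the catch block only wraps the AlreadyBoundException and rethrows; before the change the server had not been started yet at that point. Stopping it in the catch before rethrowing, `super.stop();` as the first statement of the catch block, restores the old "bind failed, nothing is left running" outcome. The reorder itself looks necessary if `stub.toStub()` requires the server to be exported first, which is presumably what start() does; a short comment on the `super.start()` line saying `// start (export) first: toStub() is only valid on an exported server` would record that dependency. The anonymous class that declares this start() begins outside the hunk.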