JMX Client Session
I've bean studying JMX for a while, but I'm stuck.
I have an application that exposes some functionality to remote clients via JMX, although existi开发者_如何学Gong security features may be sufficiant for most cases my application uses Apache Shiro framework as the security backend.
My problem is that i don't how to gather client data serverside. Shiro needs a way to identify a client (subject), normally executing thread is associated with a subject but online JMX documentation does not give much clue about thread model of remote JMX.
How can i associate a client with a thread or is there a way to retrieve client data inside the interacted MBeans?
After researching and trying different techniques; there are two winners:
1- New feature called ClientContext that will be a part of Java 7: Java 7 is not yet complete, and ClientContext will break backwards compatibility.
2- Attaching Shiro subject to AccessControlContext: This is the solution I choose, Shiro's default subject retrieval mechanism does not consider Java's access control context. I ran a test a long ago to test this but it didn't work. Now I know why: by default SecurityUtils.getSubject() call attaches the retrieved Subject to the currently calling thread, but this approach is useless since threads can be shared between clients. But AccessControlContext is much more powerful, and it looks like JMX plays nicely with it; your access control context (which is authenticated during login at JMXAuthenticator) can be accessed from a MBeanServerForwarder or even inside your MBean. I tested this with a multiple clients retrieving their principal, it simply works.
Edit: How i attach Shiro subject to the current AccessControlContext?
1- Create an unattached Shiro subject using the builder class Subject.Builder.
2- Authenticate the user (using Shiro subject's login method, etc.)
3- Create a mutable JAAS subject with a singleton set containing the Shiro subject as the private credentials.
4- Provide the JAAS subject to the underlying Java security System (for example, Return the subject inside a JMXAuthenticator's authentication method)
A helper class can be created to simplify this approach. When you need an action to be performed on behalf of the Shiro subject (for authorization, etc.), get it from AccessControlContext and use one of the Subject.execute... methods. This can be performed inside a proxy or a forwarder (like MBeanServerForwarder).
精彩评论