
I am using jboss-5.0.1.GA and I want to restrict access to shutdown.sh.

In jmx-console-users.properties I have

admin=<password>

In jmx-invoker-service.xml I uncommented the interceptor

<descriptors>
   <interceptors>
      <!-- Uncomment to require authenticated users-->
      <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
         securityDomain="java:/jaas/jmx-console"/>

      <!-- Interceptor that deals with non-serializable results -->
      <interceptor code="org.jboss.jmx.connector.invoker.SerializableInterceptor"
         policyClass="StripModelMBeanInfoPolicy"/>
   </interceptors>
</descriptors>

I tried the command

../jboss-5.0.1.GA/bin/shutdown.sh -u admin -p <password>

I get the following exception:

Exception in thread "main" java.lang.SecurityException: Failed to authenticate principal==admin, securityDomain=jmx-console
    at org.jboss.jmx.connector.invoker.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:88)
    at org.jboss.mx.server.Invocation.invoke(Invocation.java:90)
    at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
    at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:668)
    at org.jboss.invocation.jrmp.server.JRMPProxyFactory.invoke(JRMPProxyFactory.java:180)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:157)
    at org.jboss.mx.server.Invocation.dispatch(Invocation.java:96)
    at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
    at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
    at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:668) ......

Am I missing something?


4 Answers


I know this is a post from a year and a half ago, but I found it as the first search result while researching the same problem. For anyone who runs into this, it is caused by the incorrect init script shipped with JBoss 5. See the bugzilla link https://bugzilla.redhat.com/show_bug.cgi?id=777710, which includes the file EAP_43_jboss_init_redhat.sh; that script sends a SIGTERM signal to the process instead of invoking the JBoss shutdown command. For reference, in case the bugzilla link becomes unavailable, the init script is also posted here.

#!/bin/sh
#
# $Id: jboss_init_redhat.sh 71029 2008-03-19 21:58:46Z dbhole $
#
# JBoss Control Script
#
# To use this script run it as root - it will switch to the specified user
#
# Here is a little (and extremely primitive) startup/shutdown script
# for RedHat systems. It assumes that JBoss lives in /usr/local/jboss,
# it's run by user 'jboss' and JDK binaries are in /usr/local/jdk/bin.
# All this can be changed in the script itself. 
#
# Either modify this script for your requirements or just ensure that
# the following variables are set correctly before calling the script.

#define where jboss is - this is the directory containing directories log, bin, conf etc
JBOSS_HOME=${JBOSS_HOME:-"/usr/local/jboss"}

#define the user under which jboss will run, or use 'RUNASIS' to run as the current user
JBOSS_USER=${JBOSS_USER:-"jboss"}

#make sure java is in your path
JAVAPTH=${JAVAPTH:-"/usr/local/jdk/bin"}

#configuration to use, usually one of 'minimal', 'default', 'all', 'production'
JBOSS_CONF=${JBOSS_CONF:-"production"}

#if JBOSS_HOST specified, use -b to bind jboss services to that address
JBOSS_BIND_ADDR=${JBOSS_HOST:+"-b $JBOSS_HOST"}

#define the script to use to start jboss
JBOSSSH=${JBOSSSH:-"$JBOSS_HOME/bin/run.sh -c $JBOSS_CONF $JBOSS_BIND_ADDR"}

if [ "$JBOSS_USER" = "RUNASIS" ]; then
  SUBIT=""
else
  SUBIT="su - $JBOSS_USER -c "
fi

if [ -n "$JBOSS_CONSOLE" -a ! -d "$JBOSS_CONSOLE" ]; then
  # ensure the file exists
  touch $JBOSS_CONSOLE
  if [ ! -z "$SUBIT" ]; then
    chown $JBOSS_USER $JBOSS_CONSOLE
  fi 
fi

if [ -n "$JBOSS_CONSOLE" -a ! -f "$JBOSS_CONSOLE" ]; then
  echo "WARNING: location for saving console log invalid: $JBOSS_CONSOLE"
  echo "WARNING: ignoring it and using /dev/null"
  JBOSS_CONSOLE="/dev/null"
fi

#define what will be done with the console log
JBOSS_CONSOLE=${JBOSS_CONSOLE:-"/dev/null"}

JBOSS_CMD_START="cd $JBOSS_HOME/bin; $JBOSSSH"

if [ -z "`echo $PATH | grep $JAVAPTH`" ]; then
  export PATH=$PATH:$JAVAPTH
fi

if [ ! -d "$JBOSS_HOME" ]; then
  echo JBOSS_HOME does not exist as a valid directory : $JBOSS_HOME
  exit 1
fi

echo JBOSS_CMD_START = $JBOSS_CMD_START

# POSIX function syntax (the 'function' keyword is a bash extension)
procrunning() {
   procid=0
   JBOSSSCRIPT=$(echo $JBOSSSH | awk '{print $1}' | sed 's/\//\\\//g')
   for procid in `/sbin/pidof -x "$JBOSSSCRIPT"`; do
       ps -fp $procid | grep "${JBOSSSH% *}" > /dev/null && pid=$procid
   done
}


stop() {
    pid=0
    procrunning
    if [ $pid = '0' ]; then
        echo -n -e "\nNo JBossas is currently running\n"
        exit 1
    fi

    RETVAL=1

    # If process is still running

    # First, try to kill it nicely
    for id in `ps --ppid $pid | awk '{print $1}' | grep -v "^PID$"`; do
       if [ -z "$SUBIT" ]; then
           kill -15 $id
       else
           $SUBIT "kill -15 $id"
       fi
    done

    sleep=0
    while [ $sleep -lt 120 -a $RETVAL -eq 1 ]; do
        echo -n -e "\nwaiting for processes to stop";
        sleep 10
        sleep=`expr $sleep + 10`
        pid=0
        procrunning
        if [ $pid = '0' ]; then
            RETVAL=0
        fi
    done

    # Still not dead... kill it

    count=0
    pid=0
    procrunning

    if [ $RETVAL != 0 ] ; then
        echo -e "\nTimeout: Shutdown command was sent, but process is still running with PID $pid"
        exit 1
    fi

    echo
    exit 0
}

case "$1" in
start)
    cd $JBOSS_HOME/bin
    if [ -z "$SUBIT" ]; then
        eval $JBOSS_CMD_START >${JBOSS_CONSOLE} 2>&1 &
    else
        $SUBIT "$JBOSS_CMD_START >${JBOSS_CONSOLE} 2>&1 &" 
    fi
    ;;
stop)
    stop
    ;;
restart)
    $0 stop
    $0 start
    ;;
*)
    echo "usage: $0 (start|stop|restart|help)"
esac

answered 2013-11-22T17:15:55.613

I solved the problem:

When the command is executed:

../jboss-5.0.1.GA/bin/shutdown.sh -u admin -p <password>

it looks up "securityDomain" in jmx-invoker-service.xml and goes to login-config.xml to find the matching entry. securityDomain="java:/jaas/jmx-console"/

The login-config.xml configuration looks like this:

<application-policy name="jmx-console">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
      flag="required">
      <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
      <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
      <module-option name="hashAlgorithm">MD5</module-option>
      <module-option name="hashEncoding">base64</module-option>
    </login-module>
  </authentication>
</application-policy>

Then it goes to jmx-console-users.properties to find the defined username and password.

admin=fGoYCzaJagqMAnh+6vsOTA==

The password in the properties file is encrypted with MD5 (the plaintext is "password1").

The trick is that I have to use the command with the plaintext:

Like: ../jboss-5.0.1.GA/bin/shutdown.sh -u admin -p password1, but I had put this command in a script with the encrypted password:

../jboss-5.0.1.GA/bin/shutdown.sh -u admin -p fGoYCzaJagqMAnh+6vsOTA==

Two more questions:

1. Is there a way to shut down using the encrypted password? I don't want to use the plaintext password in my script.
2. What choices are there for encryption algorithms other than MD5? Is there an algorithm stronger than MD5? Can anyone help with this?

answered 2012-06-18T21:21:44.420

echo -n [password] | openssl dgst -md5 -binary | openssl base64

Run the above to get the MD5-encrypted password. Put it in jmx-console-users.properties and stopServer.sh.

answered 2015-02-10T11:47:57.740

From http://docs.oracle.com/javase/1.4.2/docs/guide/security/CryptoSpec.html#AppA:

Message Digest Algorithms
The algorithm names in this section can be specified when generating an instance of MessageDigest. 

MD2: The MD2 message digest algorithm as defined in RFC 1319. 

MD5: The MD5 message digest algorithm as defined in RFC 1321. 

SHA-1: The Secure Hash Algorithm, as defined in Secure Hash Standard, 
       NIST FIPS 180-1. 

SHA-256, SHA-384, and SHA-512: New hash algorithms for which the draft Federal
Information Processing Standard 180-2, Secure Hash Standard (SHS) is now available.
SHA-256 is a 256-bit hash function intended to provide 128 bits of security against
collision attacks, while SHA-512 is a 512-bit hash function intended to provide 256
bits of security. A 384-bit hash may be obtained by truncating the SHA-512 output.
answered 2012-06-19T20:49:27.940
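The check the answers above describe, as an added example that is not from the original thread: a Python reproduction of what UsersRolesLoginModule does with hashAlgorithm/hashEncoding (MessageDigest of the supplied password, then base64 or hex, the same thing the openssl pipeline above does for MD5). It shows why passing the stored hash to shutdown.sh fails (the module hashes it again) and how to produce the stored value for a stronger algorithm from the quoted Oracle list such as SHA-256. The UTF-8 charset, the simplified .properties parsing and the sample file are assumptions made here.

```python
import base64
import hashlib
import hmac

# Java MessageDigest names (from the Oracle list quoted above) mapped to hashlib names.
JAVA_TO_HASHLIB = {
    "MD5": "md5",
    "SHA-1": "sha1",
    "SHA-256": "sha256",
    "SHA-384": "sha384",
    "SHA-512": "sha512",
}

# Constructed sample file using the value from the answer above (plaintext "password1").
SAMPLE_USERS = "# jmx-console-users.properties\nadmin=fGoYCzaJagqMAnh+6vsOTA==\n"


def jboss_password_hash(password, hash_algorithm="MD5", hash_encoding="base64"):
    """Reproduce the value UsersRolesLoginModule compares against when
    hashAlgorithm/hashEncoding are set: digest the password bytes and encode
    the raw digest as base64 or hex (UTF-8 assumed; identical for ASCII)."""
    digest = hashlib.new(JAVA_TO_HASHLIB[hash_algorithm], password.encode("utf-8")).digest()
    if hash_encoding == "base64":
        return base64.b64encode(digest).decode("ascii")
    if hash_encoding == "hex":
        return digest.hex()
    raise ValueError("unsupported hashEncoding: %s" % hash_encoding)


def parse_users_properties(text):
    """Parse the 'user=hash' lines of a jmx-console-users.properties file."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, _, stored = line.partition("=")
            users[user.strip()] = stored.strip()
    return users


def check_login(users, user, supplied, hash_algorithm="MD5", hash_encoding="base64"):
    """Mimic the login module: hash whatever the client sent and compare it in
    constant time with the stored value. Sending the stored hash itself fails,
    because it is hashed a second time before the comparison."""
    stored = users.get(user)
    if stored is None:
        return False
    candidate = jboss_password_hash(supplied, hash_algorithm, hash_encoding)
    return hmac.compare_digest(candidate, stored)
```

Whatever hashAlgorithm is chosen, the plaintext still has to reach shutdown.sh; keeping it out of the command line (which is visible to other local users through ps) means reading it from a file that only the JBoss user can read rather than hard-coding it in the script.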