From 34646aad9cee63b831432540d446ad2ee453a45d Mon Sep 17 00:00:00 2001
From: lutoff <lutoff@localhost>
Date: Thu, 12 Jul 2007 08:18:55 +0000
Subject: [PATCH] fix for issue #1217 Privilege checks are done in the JmxClientConnection code. Due to JMX design choice (See chapter 13.4.3, page 210 of the JMX Specification, version 1.4 Final Release - http://jcp.org/en/jsr/detail?id=160) JMX_NOTIFY privilege cannot be checked when a remote client adds a Listener. For this reason, we have chosen to allow JMX connection only if the user has the JMX_READ privilege (at least). The JMX_READ privilege is now also checked during connection establishment.

---
 opendj-sdk/opends/src/server/org/opends/server/messages/ProtocolMessages.java |   69 ++++++++++++++++++++++++++++++++++
 1 files changed, 68 insertions(+), 1 deletions(-)

diff --git a/opendj-sdk/opends/src/server/org/opends/server/messages/ProtocolMessages.java b/opendj-sdk/opends/src/server/org/opends/server/messages/ProtocolMessages.java
index 3d93db9..632fdc2 100644
--- a/opendj-sdk/opends/src/server/org/opends/server/messages/ProtocolMessages.java
+++ b/opendj-sdk/opends/src/server/org/opends/server/messages/ProtocolMessages.java
@@ -4678,6 +4678,56 @@
   public static final int MSGID_JMX_CONNHANDLER_CANNOT_BIND =
        CATEGORY_MASK_PROTOCOL | SEVERITY_MASK_SEVERE_ERROR | 433;
 
+  /**
+   * The message ID for the message that will be used if an attempt is made to
+   * perform an add operation through JMX but the user doesn't
+   * have the necessary privileges to do so.  This does not take any arguments.
+   */
+  public static final int MSGID_JMX_ADD_INSUFFICIENT_PRIVILEGES =
+    CATEGORY_MASK_PROTOCOL | SEVERITY_MASK_MILD_ERROR | 434;
+
+  /**
+   * The message ID for the message that will be used if an attempt is made to
+   * perform a delete operation through JMX but the user doesn't
+   * have the necessary privileges to do so.  This does not take any arguments.
+   */
+  public static final int MSGID_JMX_DELETE_INSUFFICIENT_PRIVILEGES =
+    CATEGORY_MASK_PROTOCOL | SEVERITY_MASK_MILD_ERROR | 435;
+
+  /**
+   * The message ID for the message that will be used if an attempt is made to
+   * perform a modify operation through JMX but the user doesn't
+   * have the necessary privileges to do so.  This does not take any arguments.
+   */
+  public static final int MSGID_JMX_MODIFY_INSUFFICIENT_PRIVILEGES =
+    CATEGORY_MASK_PROTOCOL | SEVERITY_MASK_MILD_ERROR | 436;
+
+
+  /**
+   * The message ID for the message that will be used if an attempt is made to
+   * perform a modify DN operation through JMX but the user
+   * doesn't have the necessary privileges to do so.  This does not take any
+   * arguments.
+   */
+  public static final int MSGID_JMX_MODDN_INSUFFICIENT_PRIVILEGES =
+    CATEGORY_MASK_PROTOCOL | SEVERITY_MASK_MILD_ERROR | 437;
+
+
+  /**
+   * The message ID for the message that will be used if an attempt is made to
+   * perform a search operation in the server configuration but the user doesn't
+   * have the necessary privileges to do so.  This does not take any arguments.
+   */
+  public static final int MSGID_JMX_SEARCH_INSUFFICIENT_PRIVILEGES =
+    CATEGORY_MASK_PROTOCOL | SEVERITY_MASK_MILD_ERROR | 438;
+
+  /**
+   * The message ID for the message that will be used if an attempt is made to
+   * perform a search operation in the server configuration but the user doesn't
+   * have the necessary privileges to do so.  This does not take any arguments.
+   */
+  public static final int MSGID_JMX_INSUFFICIENT_PRIVILEGES =
+    CATEGORY_MASK_PROTOCOL | SEVERITY_MASK_MILD_ERROR | 439;
 
 
   /**
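Review bot: The Javadoc on `MSGID_JMX_INSUFFICIENT_PRIVILEGES` is a copy of the one on `MSGID_JMX_SEARCH_INSUFFICIENT_PRIVILEGES` and describes a search in the server configuration, while the text registered for it in the second hunk is the connection-establishment denial. This constant names the gate the commit message describes (JMX_READ required to connect), so the comment should say that, e.g. `The message ID for the message that will be used if a JMX connection is refused because the user does not have the JMX_READ privilege.` The search constant's comment also says "in the server configuration" where the other four say "through JMX"; `perform a search operation through JMX` would match the registered text.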
@@ -6505,7 +6555,24 @@
             ATTR_KEYMANAGER_DN + " attribute in configuration " +
             "entry %s, which is used to specify the DN of the key manager " +
             "provider to use for accepting SSL/TSL connections:  %s");
-
+    registerMessage(MSGID_JMX_ADD_INSUFFICIENT_PRIVILEGES,
+            "You do not have sufficient privileges to perform add " +
+            "operations through JMX");
+    registerMessage(MSGID_JMX_DELETE_INSUFFICIENT_PRIVILEGES,
+            "You do not have sufficient privileges to perform delete " +
+            "operations through JMX");
+    registerMessage(MSGID_JMX_MODIFY_INSUFFICIENT_PRIVILEGES,
+            "You do not have sufficient privileges to perform modify " +
+             "operations through JMX");
+    registerMessage(MSGID_JMX_MODDN_INSUFFICIENT_PRIVILEGES,
+            "You do not have sufficient privileges to perform modify " +
+            "DN operations through JMX");
+    registerMessage(MSGID_JMX_SEARCH_INSUFFICIENT_PRIVILEGES,
+            "You do not have sufficient privileges to perform search " +
+            "operations through JMX");
+    registerMessage(MSGID_JMX_INSUFFICIENT_PRIVILEGES,
+            "You do not have sufficient privileges to establish the " +
+            "connection through JMX. At least JMX_READ privilege is required");
 
     registerMessage(MSGID_PWPOLICYREQ_CONTROL_HAS_VALUE,
                     "Cannot decode the provided control as a password policy " +
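Review bot: The six denial strings registered here take no arguments and are phrased for the caller, so if this same text is what reaches the server's error or access log, a refused JMX operation would be recorded without the authenticated DN or the target it was aimed at. The code that emits these messages is not in this hunk (the enclosing method starts and ends outside it), so this is something to confirm on the JmxClientConnection side: each denial, and in particular the connection refusal under `MSGID_JMX_INSUFFICIENT_PRIVILEGES`, should be logged with the bind DN and connection ID separately from the client-facing text. Minor style: the continuation line `"operations through JMX"` under `MSGID_JMX_MODIFY_INSUFFICIENT_PRIVILEGES` is indented one column further than its siblings, and a blank line before `registerMessage(MSGID_JMX_ADD_INSUFFICIENT_PRIVILEGES,` would keep the new group apart from the key-manager message above it.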

--
Gitblit v1.10.0