From c1405673acad68e2233b152fec84409b0af36994 Mon Sep 17 00:00:00 2001
From: lutoff <lutoff@localhost>
Date: Thu, 12 Jul 2007 08:18:55 +0000
Subject: [PATCH] fix for issue #1217 Privilege checks are done in the JmxClientConnection code. Due to a JMX design choice (see chapter 13.4.3, page 210 of the JMX Specification, version 1.4 Final Release - http://jcp.org/en/jsr/detail?id=160) the JMX_NOTIFY privilege cannot be checked when a remote client adds a Listener. For this reason, we have chosen to allow a JMX connection only if the user has (at least) the JMX_READ privilege. The JMX_READ privilege is now also checked during connection establishment.

---
 opends/src/server/org/opends/server/protocols/jmx/RmiAuthenticator.java |   20 +++++++++++++++++++-
 1 files changed, 19 insertions(+), 1 deletions(-)

diff --git a/opends/src/server/org/opends/server/protocols/jmx/RmiAuthenticator.java b/opends/src/server/org/opends/server/protocols/jmx/RmiAuthenticator.java
index 47bb286..1fcd21f 100644
--- a/opends/src/server/org/opends/server/protocols/jmx/RmiAuthenticator.java
+++ b/opends/src/server/org/opends/server/protocols/jmx/RmiAuthenticator.java
@@ -39,12 +39,17 @@
 import org.opends.server.protocols.asn1.ASN1OctetString;
 import org.opends.server.protocols.ldap.LDAPResultCode;
 import org.opends.server.types.Control;
+import org.opends.server.types.DisconnectReason;
+import org.opends.server.types.Privilege;
 import org.opends.server.types.ResultCode;
 import org.opends.server.types.DN;
 import org.opends.server.types.AuthenticationInfo;
 import org.opends.server.types.LDAPException;
 
 import static org.opends.server.loggers.debug.DebugLogger.*;
+import static org.opends.server.messages.MessageHandler.getMessage;
+import static org.opends.server.messages.ProtocolMessages.*;
+
 import org.opends.server.loggers.debug.DebugTracer;
 import org.opends.server.types.DebugLogLevel;
 
@@ -183,7 +188,7 @@
       {
         TRACER.debugCaught(DebugLogLevel.ERROR, e);
       }
-      SecurityException se = new SecurityException();
+      SecurityException se = new SecurityException(e.getMessage());
       se.initCause(e);
       throw se;
     }
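Review bot: The changed line now forwards `e.getMessage()` to the remote JMX client as the `SecurityException` text, and this method runs before the caller is authenticated, so whatever the inner exception's message contains (a DN, a backend or I/O detail) is disclosed to an anonymous peer. The existing `se.initCause(e)` on the next line already attaches the full cause, which is serialized back over RMI as well, so the message change is a smaller addition to that exposure rather than a new channel, but it is worth deciding deliberately. A safer shape keeps the detail on the server side and sends a fixed text, e.g. `TRACER.debugCaught(DebugLogLevel.ERROR, e);` for the log and `throw new SecurityException("Authentication failed");` for the client, without `initCause`. The enclosing method starts and ends outside the hunk, so the type and origin of `e` cannot be confirmed here.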
@@ -277,6 +282,19 @@
 
       authInfo = bindOp.getAuthenticationInfo();
       jmxClientConnection.setAuthenticationInfo(authInfo);
+
+      // Check JMX_READ privilege.
+      if (! jmxClientConnection.hasPrivilege(Privilege.JMX_READ, null))
+      {
+        int msgID = MSGID_JMX_INSUFFICIENT_PRIVILEGES;
+        String message = getMessage(msgID);
+
+        jmxClientConnection.disconnect(DisconnectReason.CONNECTION_REJECTED,
+            false, msgID);
+
+        SecurityException se = new SecurityException(message);
+        throw se;
+      }
       return jmxClientConnection;
     }
     else
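Review bot: The new `Privilege.JMX_READ` gate is applied only on the branch that ends at `return jmxClientConnection;`; the `else` branch on the last hunk line lies outside the hunk, so if it also hands back a `jmxClientConnection` (for example for an anonymous or controls-based bind) it needs the same check or the gate can be bypassed — worth confirming against the full method. The one-line comment `// Check JMX_READ privilege.` should say why this privilege gates the connection, since that is the whole point of the change: `// JMX_READ is required to connect: JMX_NOTIFY cannot be enforced when a remote client adds a listener (JMX spec 1.4, ch. 13.4.3), so the connection itself is gated on JMX_READ.` The local `se` serves no purpose here because no cause is attached; `throw new SecurityException(message);` is enough. Calling `disconnect(...)` before throwing is the right order, since the thrown exception leaves this method and nothing after it would run.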

--
Gitblit v1.10.0