authorMartin Ritchie <ritchiem@apache.org>2009-04-13 13:47:29 +0000
committerMartin Ritchie <ritchiem@apache.org>2009-04-13 13:47:29 +0000
commitb15833a7675a5325ff559409d8dbfd4c04254787 (patch)
tree7dbc1a2aa8f29616c00c52c93424fab7e5b8cb59
parentb80e290d6dc1ff4d097340ca8f28ad384e7e2723 (diff)
QPID-1704: remove JMXMP ConnectorServer usage from the broker's JMX management capabilities
merged from trunk r749282 git-svn-id: https://svn.apache.org/repos/asf/qpid/branches/0.5-fix@764461 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r--qpid/java/broker/etc/config.xml1
-rw-r--r--qpid/java/broker/etc/persistent_config.xml1
-rw-r--r--qpid/java/broker/etc/transient_config.xml1
-rw-r--r--qpid/java/broker/src/main/java/org/apache/qpid/server/configuration/ServerConfiguration.java5
-rw-r--r--qpid/java/broker/src/main/java/org/apache/qpid/server/management/JMXManagedObjectRegistry.java280
5 files changed, 123 insertions, 165 deletions
diff --git a/qpid/java/broker/etc/config.xml b/qpid/java/broker/etc/config.xml
index b2b3625cca..e0045c1e74 100644
--- a/qpid/java/broker/etc/config.xml
+++ b/qpid/java/broker/etc/config.xml
@@ -45,7 +45,6 @@
<management>
<enabled>true</enabled>
<jmxport>8999</jmxport>
- <security-enabled>false</security-enabled>
<ssl>
<enabled>true</enabled>
<!-- Update below path to your keystore location, eg ${conf}/qpid.keystore -->
diff --git a/qpid/java/broker/etc/persistent_config.xml b/qpid/java/broker/etc/persistent_config.xml
index ed2c2cab1f..67ef28117d 100644
--- a/qpid/java/broker/etc/persistent_config.xml
+++ b/qpid/java/broker/etc/persistent_config.xml
@@ -37,7 +37,6 @@
<management>
<enabled>true</enabled>
<jmxport>8999</jmxport>
- <security-enabled>false</security-enabled>
<ssl>
<enabled>true</enabled>
<!-- Update below path to your keystore location, eg ${conf}/qpid.keystore -->
diff --git a/qpid/java/broker/etc/transient_config.xml b/qpid/java/broker/etc/transient_config.xml
index 19ffeb9720..a21afe7d21 100644
--- a/qpid/java/broker/etc/transient_config.xml
+++ b/qpid/java/broker/etc/transient_config.xml
@@ -37,7 +37,6 @@
<management>
<enabled>true</enabled>
<jmxport>8999</jmxport>
- <security-enabled>false</security-enabled>
<ssl>
<enabled>true</enabled>
<!-- Update below path to your keystore location, eg ${conf}/qpid.keystore -->
diff --git a/qpid/java/broker/src/main/java/org/apache/qpid/server/configuration/ServerConfiguration.java b/qpid/java/broker/src/main/java/org/apache/qpid/server/configuration/ServerConfiguration.java
index 62876c443c..0db2fc6d75 100644
--- a/qpid/java/broker/src/main/java/org/apache/qpid/server/configuration/ServerConfiguration.java
+++ b/qpid/java/broker/src/main/java/org/apache/qpid/server/configuration/ServerConfiguration.java
@@ -304,11 +304,6 @@ public class ServerConfiguration implements SignalHandler
return _config.getInt("advanced.framesize", DEFAULT_FRAME_SIZE);
}
- public boolean getManagementSecurityEnabled()
- {
- return _config.getBoolean("management.security-enabled", false);
- }
-
public boolean getProtectIOEnabled()
{
return _config.getBoolean("broker.connector.protectio.enabled", false);
diff --git a/qpid/java/broker/src/main/java/org/apache/qpid/server/management/JMXManagedObjectRegistry.java b/qpid/java/broker/src/main/java/org/apache/qpid/server/management/JMXManagedObjectRegistry.java
index aea2f9d872..f02e858250 100644
--- a/qpid/java/broker/src/main/java/org/apache/qpid/server/management/JMXManagedObjectRegistry.java
+++ b/qpid/java/broker/src/main/java/org/apache/qpid/server/management/JMXManagedObjectRegistry.java
@@ -107,8 +107,6 @@ public class JMXManagedObjectRegistry implements ManagedObjectRegistry
}
IApplicationRegistry appRegistry = ApplicationRegistry.getInstance();
-
- boolean jmxmpSecurity = appRegistry.getConfiguration().getManagementSecurityEnabled();
int port = appRegistry.getConfiguration().getJMXManagementPort();
//retrieve the Principal Database assigned to JMX authentication duties
@@ -119,184 +117,152 @@ public class JMXManagedObjectRegistry implements ManagedObjectRegistry
final JMXConnectorServer cs;
HashMap<String,Object> env = new HashMap<String,Object>();
- if (jmxmpSecurity)
+ //Socket factories for the RMIConnectorServer, either default or SLL depending on configuration
+ RMIClientSocketFactory csf;
+ RMIServerSocketFactory ssf;
+
+ //check ssl enabled option in config, default to true if option is not set
+ boolean sslEnabled = appRegistry.getConfiguration().getManagementSSLEnabled();
+
+ if (sslEnabled)
{
- // For SASL using JMXMP
- JMXServiceURL jmxURL = new JMXServiceURL("jmxmp", null, port);
+ //set the SSL related system properties used by the SSL RMI socket factories to the values
+ //given in the configuration file, unless command line settings have already been specified
+ String keyStorePath;
- String saslType = null;
- if (db instanceof Base64MD5PasswordFilePrincipalDatabase)
+ if(System.getProperty("javax.net.ssl.keyStore") != null)
{
- saslType = "SASL/CRAM-MD5";
- env.put("jmx.remote.profiles", "SASL/CRAM-MD5");
- CRAMMD5HashedInitialiser initialiser = new CRAMMD5HashedInitialiser();
- initialiser.initialise(db);
- env.put("jmx.remote.sasl.callback.handler", initialiser.getCallbackHandler());
+ keyStorePath = System.getProperty("javax.net.ssl.keyStore");
}
- else if (db instanceof PlainPasswordFilePrincipalDatabase)
+ else
{
- saslType = "SASL/PLAIN";
- PlainInitialiser initialiser = new PlainInitialiser();
- initialiser.initialise(db);
- env.put("jmx.remote.sasl.callback.handler", initialiser.getCallbackHandler());
- env.put("jmx.remote.profiles", "SASL/PLAIN");
+ keyStorePath = appRegistry.getConfiguration().getManagementKeyStorePath();
}
- //workaround NPE generated from env map classloader issue when using Eclipse 3.4 to launch
- env.put("jmx.remote.profile.provider.class.loader", this.getClass().getClassLoader());
-
- _log.warn("Starting JMXMP based JMX ConnectorServer on port '" + port + "' with " + saslType);
- _startupLog.warn("Starting JMXMP based JMX ConnectorServer on port '" + port + "' with " + saslType);
-
- cs = JMXConnectorServerFactory.newJMXConnectorServer(jmxURL, env, _mbeanServer);
- }
- else
- {
- //Socket factories for the RMIConnectorServer, either default or SLL depending on configuration
- RMIClientSocketFactory csf;
- RMIServerSocketFactory ssf;
-
- //check ssl enabled option in config, default to true if option is not set
- boolean sslEnabled = appRegistry.getConfiguration().getManagementSSLEnabled();
-
- if (sslEnabled)
+ //check the keystore path value is valid
+ if (keyStorePath == null)
{
- //set the SSL related system properties used by the SSL RMI socket factories to the values
- //given in the configuration file, unless command line settings have already been specified
- String keyStorePath;
-
- if(System.getProperty("javax.net.ssl.keyStore") != null)
+ throw new ConfigurationException("JMX management SSL keystore path not defined, " +
+ "unable to start SSL protected JMX ConnectorServer");
+ }
+ else
+ {
+ //ensure the system property is set
+ System.setProperty("javax.net.ssl.keyStore", keyStorePath);
+
+ //check the file is usable
+ File ksf = new File(keyStorePath);
+
+ if (!ksf.exists())
{
- keyStorePath = System.getProperty("javax.net.ssl.keyStore");
+ throw new FileNotFoundException("Cannot find JMX management SSL keystore file " + ksf);
}
- else{
- keyStorePath = appRegistry.getConfiguration().getManagementKeyStorePath();
+ if (!ksf.canRead())
+ {
+ throw new FileNotFoundException("Cannot read JMX management SSL keystore file: "
+ + ksf + ". Check permissions.");
}
- //check the keystore path value is valid
- if (keyStorePath == null)
+ _log.info("JMX ConnectorServer using SSL keystore file " + ksf.getAbsolutePath());
+ _startupLog.info("JMX ConnectorServer using SSL keystore file " + ksf.getAbsolutePath());
+ }
+
+ //check the key store password is set
+ if (System.getProperty("javax.net.ssl.keyStorePassword") == null)
+ {
+
+ if (appRegistry.getConfiguration().getManagementKeyStorePassword() == null)
{
- throw new ConfigurationException("JMX management SSL keystore path not defined, " +
- "unable to start SSL protected JMX ConnectorServer");
+ throw new ConfigurationException("JMX management SSL keystore password not defined, " +
+ "unable to start requested SSL protected JMX server");
}
else
{
- //ensure the system property is set
- System.setProperty("javax.net.ssl.keyStore", keyStorePath);
-
- //check the file is usable
- File ksf = new File(keyStorePath);
-
- if (!ksf.exists())
- {
- throw new FileNotFoundException("Cannot find JMX management SSL keystore file " + ksf);
- }
- if (!ksf.canRead())
- {
- throw new FileNotFoundException("Cannot read JMX management SSL keystore file: "
- + ksf + ". Check permissions.");
- }
-
- _log.info("JMX ConnectorServer using SSL keystore file " + ksf.getAbsolutePath());
- _startupLog.info("JMX ConnectorServer using SSL keystore file " + ksf.getAbsolutePath());
+ System.setProperty("javax.net.ssl.keyStorePassword",
+ appRegistry.getConfiguration().getManagementKeyStorePassword());
}
+ }
- //check the key store password is set
- if (System.getProperty("javax.net.ssl.keyStorePassword") == null)
- {
-
- if (appRegistry.getConfiguration().getManagementKeyStorePassword() == null)
- {
- throw new ConfigurationException("JMX management SSL keystore password not defined, " +
- "unable to start requested SSL protected JMX server");
- }
- else
- {
- System.setProperty("javax.net.ssl.keyStorePassword",
- appRegistry.getConfiguration().getManagementKeyStorePassword());
- }
- }
+ //create the SSL RMI socket factories
+ csf = new SslRMIClientSocketFactory();
+ ssf = new SslRMIServerSocketFactory();
- //create the SSL RMI socket factories
- csf = new SslRMIClientSocketFactory();
- ssf = new SslRMIServerSocketFactory();
+ _log.warn("Starting JMX ConnectorServer on port '"+ port + "' (+" +
+ (port +PORT_EXPORT_OFFSET) + ") with SSL");
+ _startupLog.warn("Starting JMX ConnectorServer on port '"+ port + "' (+" +
+ (port +PORT_EXPORT_OFFSET) + ") with SSL");
+ }
+ else
+ {
+ //Do not specify any specific RMI socket factories, resulting in use of the defaults.
+ csf = null;
+ ssf = null;
- _log.warn("Starting JMX ConnectorServer on port '"+ port + "' (+" +
- (port +PORT_EXPORT_OFFSET) + ") with SSL");
- _startupLog.warn("Starting JMX ConnectorServer on port '"+ port + "' (+" +
- (port +PORT_EXPORT_OFFSET) + ") with SSL");
- }
- else
- {
- //Do not specify any specific RMI socket factories, resulting in use of the defaults.
- csf = null;
- ssf = null;
-
- _log.warn("Starting JMX ConnectorServer on port '" + port + "' (+" + (port +PORT_EXPORT_OFFSET) + ")");
- _startupLog.warn("Starting JMX ConnectorServer on port '" + port + "' (+" + (port +PORT_EXPORT_OFFSET) + ")");
- }
-
- //add a JMXAuthenticator implementation the env map to authenticate the RMI based JMX connector server
- RMIPasswordAuthenticator rmipa = new RMIPasswordAuthenticator();
- rmipa.setPrincipalDatabase(db);
- env.put(JMXConnectorServer.AUTHENTICATOR, rmipa);
-
- /*
- * Start a RMI registry on the management port, to hold the JMX RMI ConnectorServer stub.
- * Using custom socket factory to prevent anyone (including us unfortunately) binding to the registry using RMI.
- * As a result, only binds made using the object reference will succeed, thus securing it from external change.
- */
- System.setProperty("java.rmi.server.randomIDs", "true");
- _rmiRegistry = LocateRegistry.createRegistry(port, null, new CustomRMIServerSocketFactory());
-
- /*
- * We must now create the RMI ConnectorServer manually, as the JMX Factory methods use RMI calls
- * to bind the ConnectorServer to the registry, which will now fail as for security we have
- * locked it from any RMI based modifications, including our own. Instead, we will manually bind
- * the RMIConnectorServer stub to the registry using its object reference, which will still succeed.
- *
- * The registry is exported on the defined management port 'port'. We will export the RMIConnectorServer
- * on 'port +1'. Use of these two well-defined ports will ease any navigation through firewall's.
- */
- final RMIServerImpl rmiConnectorServerStub = new RMIJRMPServerImpl(port+PORT_EXPORT_OFFSET, csf, ssf, env);
- final String hostname = InetAddress.getLocalHost().getHostName();
- final JMXServiceURL externalUrl = new JMXServiceURL(
- "service:jmx:rmi://"+hostname+":"+(port+PORT_EXPORT_OFFSET)+"/jndi/rmi://"+hostname+":"+port+"/jmxrmi");
-
- final JMXServiceURL internalUrl = new JMXServiceURL("rmi", hostname, port+PORT_EXPORT_OFFSET);
- cs = new RMIConnectorServer(internalUrl, env, rmiConnectorServerStub, _mbeanServer)
+ _log.warn("Starting JMX ConnectorServer on port '" + port + "' (+" + (port +PORT_EXPORT_OFFSET) + ")");
+ _startupLog.warn("Starting JMX ConnectorServer on port '" + port + "' (+" + (port +PORT_EXPORT_OFFSET) + ")");
+ }
+
+ //add a JMXAuthenticator implementation the env map to authenticate the RMI based JMX connector server
+ RMIPasswordAuthenticator rmipa = new RMIPasswordAuthenticator();
+ rmipa.setPrincipalDatabase(db);
+ env.put(JMXConnectorServer.AUTHENTICATOR, rmipa);
+
+ /*
+ * Start a RMI registry on the management port, to hold the JMX RMI ConnectorServer stub.
+ * Using custom socket factory to prevent anyone (including us unfortunately) binding to the registry using RMI.
+ * As a result, only binds made using the object reference will succeed, thus securing it from external change.
+ */
+ System.setProperty("java.rmi.server.randomIDs", "true");
+ _rmiRegistry = LocateRegistry.createRegistry(port, null, new CustomRMIServerSocketFactory());
+
+ /*
+ * We must now create the RMI ConnectorServer manually, as the JMX Factory methods use RMI calls
+ * to bind the ConnectorServer to the registry, which will now fail as for security we have
+ * locked it from any RMI based modifications, including our own. Instead, we will manually bind
+ * the RMIConnectorServer stub to the registry using its object reference, which will still succeed.
+ *
+ * The registry is exported on the defined management port 'port'. We will export the RMIConnectorServer
+ * on 'port +1'. Use of these two well-defined ports will ease any navigation through firewall's.
+ */
+ final RMIServerImpl rmiConnectorServerStub = new RMIJRMPServerImpl(port+PORT_EXPORT_OFFSET, csf, ssf, env);
+ final String hostname = InetAddress.getLocalHost().getHostName();
+ final JMXServiceURL externalUrl = new JMXServiceURL(
+ "service:jmx:rmi://"+hostname+":"+(port+PORT_EXPORT_OFFSET)+"/jndi/rmi://"+hostname+":"+port+"/jmxrmi");
+
+ final JMXServiceURL internalUrl = new JMXServiceURL("rmi", hostname, port+PORT_EXPORT_OFFSET);
+ cs = new RMIConnectorServer(internalUrl, env, rmiConnectorServerStub, _mbeanServer)
+ {
+ @Override
+ public synchronized void start() throws IOException
{
- @Override
- public synchronized void start() throws IOException
+ try
{
- try
- {
- //manually bind the connector server to the registry at key 'jmxrmi', like the out-of-the-box agent
- _rmiRegistry.bind("jmxrmi", rmiConnectorServerStub);
- }
- catch (AlreadyBoundException abe)
- {
- //key was already in use. shouldnt happen here as its a new registry, unbindable by normal means.
-
- //IOExceptions are the only checked type throwable by the method, wrap and rethrow
- IOException ioe = new IOException(abe.getMessage());
- ioe.initCause(abe);
- throw ioe;
- }
-
- //now do the normal tasks
- super.start();
- }
-
- @Override
- public JMXServiceURL getAddress()
- {
- //must return our pre-crafted url that includes the full details, inc JNDI details
- return externalUrl;
- }
+ //manually bind the connector server to the registry at key 'jmxrmi', like the out-of-the-box agent
+ _rmiRegistry.bind("jmxrmi", rmiConnectorServerStub);
+ }
+ catch (AlreadyBoundException abe)
+ {
+ //key was already in use. shouldnt happen here as its a new registry, unbindable by normal means.
- };
- }
+ //IOExceptions are the only checked type throwable by the method, wrap and rethrow
+ IOException ioe = new IOException(abe.getMessage());
+ ioe.initCause(abe);
+ throw ioe;
+ }
+
+ //now do the normal tasks
+ super.start();
+ }
+
+ @Override
+ public JMXServiceURL getAddress()
+ {
+ //must return our pre-crafted url that includes the full details, inc JNDI details
+ return externalUrl;
+ }
+
+ };
+
//Add the custom invoker as an MBeanServerForwarder, and start the RMIConnectorServer.
MBeanServerForwarder mbsf = MBeanInvocationHandlerImpl.newProxyInstance();
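Review bot: With the JMXMP/SASL path gone, the `else` branch that sets `csf = null; ssf = null;` is now the only alternative to SSL, and the credentials handed to `RMIPasswordAuthenticator` then travel over the default RMI sockets unencrypted, whereas the removed CRAM-MD5 profile at least avoided sending the password itself. The two `warn` calls in that branch should say so, for example `_log.warn("Starting JMX ConnectorServer on port '" + port + "' (+" + (port + PORT_EXPORT_OFFSET) + ") WITHOUT SSL; management credentials are sent unencrypted");` with the same text for `_startupLog`. A deployment whose config still sets `management.security-enabled` to true will now have that option silently ignored, so a startup warning for a leftover value would help operators who relied on it. Separately, the SSL branch copies the keystore password into the JVM-wide `javax.net.ssl.keyStorePassword` system property, which is probably readable by management clients through the platform Runtime MBean unless the invocation handler filters it; this is worth confirming. The enclosing method starts and ends outside this hunk.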