JMX安全漏洞修复 服务端增加用户名和密码验证机制

简介: JMX安全漏洞修复 服务端增加用户名和密码验证机制

方式1 启动脚本中增加参数

-Djmx.authenticate=true -Djmx.password=$base/conf/jmxremote.password -Djmx.access=$base/conf/jmxremote.access

方式2 启动程序中设置环境变量

前提是该类继承（extends）ConnectorServerFactoryBean 类。
配置文件增加属性:
  # 是否启用 JMX 认证
  jmx.authenticate = true
  # jmxremote.access文件路径
  jmxremote.access.path = ${user.dir}/../conf/jmxremote.access
  # jmxremote.password文件路径
  jmxremote.password.path = ${user.dir}/../conf/jmxremote.password
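private void setJMXParameter() {
    // Only wire the password/access files when authentication was requested
    // (configuration property jmx.authenticate = true); otherwise the connector
    // keeps its default environment.
    if ("true".equalsIgnoreCase(jmxAuthenticate)) {
        // Both files are mandatory once authentication is on. Fail with a clear
        // message instead of the bare NullPointerException Properties.put would
        // throw for a missing path.
        if (jmxPassword == null || jmxUsername == null) {
            throw new IllegalStateException(
                    "jmx.authenticate=true requires both jmxremote.password.path and jmxremote.access.path");
        }
        Properties prop = new Properties();
        // Standard JMX remote environment keys; the values are file paths,
        // presumably read from jmxremote.password.path / jmxremote.access.path.
        prop.put("jmx.remote.x.password.file", jmxPassword);
        // NOTE(review): despite its name, jmxUsername holds the jmxremote.access
        // file path here (it is not a user name).
        prop.put("jmx.remote.x.access.file", jmxUsername);
        // Keep the value a String: Properties is a String->String map and the
        // demo server in this article passes "false" for the same key.
        prop.put("jmx.remote.x.mlet.allow.getMBeansFromURL", "false");
        setEnvironment(prop);
    }
}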

附:

jmxremote.access 文件下载

jmxremote.password 文件下载

demo:

package com.tongtech.remote.impl;
import java.lang.management.ManagementFactory;
import java.nio.charset.StandardCharsets;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.RMISocketFactory;
import java.security.MessageDigest;
import java.util.*;
import javax.management.MBeanServer;
import javax.management.ObjectName;
import javax.management.StandardMBean;
import javax.management.remote.*;
import javax.management.remote.rmi.RMIConnectorServer;
import javax.security.auth.Subject;
/**
 * @author zhaoshuangjian  2023-04-25 10:07 PM
 */
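public class UserJmxServer {
    /** Port of the RMI registry in which the connector server binds its stub. */
    private static final int RMI_PORT = 1099;
    /** Demo credentials accepted by the authenticator; hard-coded for this demo only. */
    private static final String DEMO_USER = "admin";
    private static final String DEMO_PASSWORD = "admin123";
    /** Environment key controlling MLet {@code getMBeansFromURL}; "false" disallows it. */
    private static final String MLET_GET_MBEANS_FROM_URL = "jmx.remote.x.mlet.allow.getMBeansFromURL";

    /**
     * Registers the {@link User} MBean on the platform MBeanServer, creates an RMI registry
     * on port 1099 and starts an RMI connector server that only admits clients accepted by
     * {@link #createJMXAuthenticator()}.
     *
     * @param args ignored
     */
    public static void main(String[] args) {
        try {
            MBeanServer mBeanServer = ManagementFactory.getPlatformMBeanServer();
            ObjectName objectName = new ObjectName("user:name=User");
            // User implements JMXUserMBean rather than an interface named "UserMBean", so it is
            // not a compliant Standard MBean on its own; StandardMBean names the interface explicitly.
            mBeanServer.registerMBean(new StandardMBean(new User(), JMXUserMBean.class), objectName);

            JMXServiceURL jmxServiceURL =
                    new JMXServiceURL("service:jmx:rmi:///jndi/rmi://localhost:" + RMI_PORT + "/user");
            System.out.println("JMXServiceURL: " + jmxServiceURL.toString());

            // The default factory binds the registry to every local interface; supply a custom
            // RMIServerSocketFactory if the demo must stay reachable from localhost only.
            RMISocketFactory rmiFactory = RMISocketFactory.getDefaultSocketFactory();
            // The registry must exist before the connector server binds its stub under "/user".
            Registry registry = LocateRegistry.createRegistry(RMI_PORT, null, rmiFactory);

            JMXConnectorServer jmxConnectorServer = JMXConnectorServerFactory.newJMXConnectorServer(
                    jmxServiceURL, buildServerEnvironment(rmiFactory), mBeanServer);
            jmxConnectorServer.start();
            System.out.println("JMXConnectorServer is running");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    /**
     * Builds the connector-server environment: the RMI server socket factory, the credential
     * authenticator and the MLet opt-out.
     *
     * <p>{@code jmx.remote.credentials} ({@link JMXConnector#CREDENTIALS}) is deliberately not
     * set here: it is the client-side attribute carrying the credentials a connector sends, and
     * the server does not read it from its own environment.
     *
     * @param rmiFactory socket factory used for the connector server's server sockets
     * @return a mutable environment map for {@link JMXConnectorServerFactory#newJMXConnectorServer}
     */
    private static Map<String, Object> buildServerEnvironment(RMISocketFactory rmiFactory) {
        Map<String, Object> jmxEnv = new HashMap<String, Object>();
        jmxEnv.put(RMIConnectorServer.RMI_SERVER_SOCKET_FACTORY_ATTRIBUTE, rmiFactory);
        jmxEnv.put(JMXConnectorServer.AUTHENTICATOR, createJMXAuthenticator());
        // Remote MLet loading of MBeans from arbitrary URLs stays disabled.
        jmxEnv.put(MLET_GET_MBEANS_FROM_URL, "false");
        return jmxEnv;
    }

    /**
     * Creates the authenticator consulted for every new connection.
     *
     * <p>Credentials must be a two-element {@code String[]} of user name and password; anything
     * else (wrong type, wrong length, null entries, wrong values) is rejected with the same
     * {@link SecurityException} message so the response does not reveal which part failed.
     *
     * @return an authenticator accepting only the demo user
     */
    private static JMXAuthenticator createJMXAuthenticator() {
        return new JMXAuthenticator() {
            public Subject authenticate(Object credentials) {
                // instanceof instead of a blind cast: a non-String[] credential object must
                // be an authentication failure, not a ClassCastException.
                if (!(credentials instanceof String[])) {
                    throw new SecurityException("Authentication failed!");
                }
                String[] pair = (String[]) credentials;
                if (pair.length != 2 || pair[0] == null || pair[1] == null) {
                    throw new SecurityException("Authentication failed!");
                }
                String userName = pair[0];
                String pValue = pair[1];
                if (DEMO_USER.equals(userName) && constantTimeEquals(DEMO_PASSWORD, pValue)) {
                    Set<JMXPrincipal> principals = new HashSet<JMXPrincipal>();
                    principals.add(new JMXPrincipal(userName));
                    System.out.println("认证成功");
                    return new Subject(true, principals, Collections.emptySet(), Collections.emptySet());
                }
                throw new SecurityException("Authentication failed!");
            }
        };
    }

    /**
     * Compares the expected and presented password with {@link MessageDigest#isEqual}, which
     * does not short-circuit on the first differing byte the way {@link String#equals} does.
     *
     * @param expected the configured password
     * @param presented the password received from the client
     * @return true when both encode to the same UTF-8 bytes
     */
    private static boolean constantTimeEquals(String expected, String presented) {
        byte[] expectedBytes = expected.getBytes(StandardCharsets.UTF_8);
        byte[] presentedBytes = presented.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expectedBytes, presentedBytes);
    }
}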
package com.tongtech.remote.impl;
/**
 * @author zhaoshuangjian  2023-04-25 10:05 PM
 */
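/**
 * Management interface of the {@link User} MBean.
 *
 * <p>The interface name does not follow the Standard MBean convention ({@code UserMBean} for
 * class {@code User}), so implementations must be registered through
 * {@link javax.management.StandardMBean} with this interface given explicitly.
 *
 * <p>The former {@code getPassWord()} attribute is gone: no implementation on this page provided
 * it, and a readable password attribute would expose a secret to every authenticated JMX client.
 */
public interface JMXUserMBean {
    /** @return the user identifier */
    Long getUserId();

    /** @return the user name */
    String getUserName();

    /** @param userId the new user identifier */
    void setUserId(Long userId);

    /** @param userName the new user name */
    void setUserName(String userName);
}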
package com.tongtech.remote.impl;
/**
 * @author zhaoshuangjian  2023-04-25 10:06 PM
 */
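/**
 * Demo MBean implementation backing the {@code user:name=User} registration.
 *
 * <p>The fields were package-private, letting any class in the package bypass the MBean
 * setters; they are now private and reachable only through the {@link JMXUserMBean} accessors.
 */
public class User implements JMXUserMBean {
    /** Value of the {@code UserId} attribute; demo default 12345678. */
    private Long userId = 12345678L;
    /** Value of the {@code UserName} attribute; demo default "jvm-user". */
    private String userName = "jvm-user";

    /** {@inheritDoc} */
    @Override
    public Long getUserId() {
        return userId;
    }

    /** {@inheritDoc} */
    @Override
    public String getUserName() {
        return userName;
    }

    /** {@inheritDoc} */
    @Override
    public void setUserId(Long userId) {
        this.userId = userId;
    }

    /** {@inheritDoc} */
    @Override
    public void setUserName(String userName) {
        this.userName = userName;
    }
}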