Security patterns: Forcing disconnection

**rsouissi** · July 15th, 2007, 08:20 PM

Hi,

Do you mind explaining in java code how option 3 (in process jmx invoke) works inside the meta adapter for instance ?
I asked a while ago in the forums how within the meta adapter notifyUser() function I can get the remoteIP and UserAgent and it seems SessionMBean does it.

Thanks
A

**DarioCrivelli** · July 16th, 2007, 03:03 PM

Hi

assuming you asked for an example based on JMX (i.e. option 2), we show you a code snippet that, added to the Metadata Adapter code, listens to the notifications for session initiation and termination and causes each session to be closed after it has lived longer than five minutes.

There are several ways to access Lightstreamer MBeans server from the Metadata Adapter.
We use the simplest one, which takes advantage of the fact that Lightstreamer Server loads all the Adapters in its main ClassLoader;
so we access the MBeans server via static references, through the MBeanServerFactory.findMBeanServer method.

private final Set currSessions = new HashSet(); 
 private final Timer timer = new Timer(); 
 private final long expiryTime = 5 * 60 * 1000; 
 
 private final MBeanServer server; 
 { 
 ObjectName serverMBeanName = null; 
 try { 
 serverMBeanName = new ObjectName("com.lightstreamer", "type", "Server"); 
 // this MBean is always defined by Lightstreamer MBean server; 
 // we use it as a mean to identify Lightstreamer MBean server 
 } catch (MalformedObjectNameException e1) { 
 // TODO 
 } 
 
 if (serverMBeanName != null) { 
 ArrayList servers = MBeanServerFactory.findMBeanServer(null); 
 MBeanServer found = null; 
 for (int i = 0; i < servers.size(); i++) { 
 found = (MBeanServer) servers.get(i); 
 if (found.isRegistered(serverMBeanName)) { 
 break; 
 } else { 
 found = null; 
 } 
 } 
 if (found == null) { 
 // TODO 
 } 
 server = found; 
 } else { 
 server = null; 
 } 
 } 
 
 public void notifyNewSession(String user, final String session) throws CreditsException, NotificationException { 
 synchronized (currSessions) { 
 currSessions.add(session); 
 } 
 timer.schedule(new TimerTask() { 
 public void run() { 
 synchronized (currSessions) { 
 if (! currSessions.contains(session)) { 
 return; 
 } 
 } 
 killSession(session); 
 // this also causes notifySessionClose to be called 
 } 
 }, expiryTime); 
 } 
 
 public void notifySessionClose(String session) throws NotificationException { 
 synchronized (currSessions) { 
 currSessions.remove(session); 
 } 
 } 
 
 private void killSession(String session) { 
 if (server == null) { 
 // TODO 
 return; 
 } 
 ObjectName sessionMBeanName = null; 
 Hashtable props = new Hashtable(); 
 props.put("type", "Session"); 
 props.put("sessionId", session); 
 try { 
 sessionMBeanName = new ObjectName("com.lightstreamer", props); 
 } catch (MalformedObjectNameException e1) { 
 // TODO 
 return; 
 } 
 
 Object ret; 
 try { 
 ret = server.invoke(sessionMBeanName, "destroySession", null, null); 
 } catch (InstanceNotFoundException e) { 
 // it is still possible that the session has just ended 
 return; 
 } catch (MBeanException e) { 
 // TODO 
 return; 
 } catch (ReflectionException e) { 
 // TODO 
 return; 
 } 
 
 if (((Boolean) ret).booleanValue() == false) { 
 // it is still possible that the session has just ended 
 return; 
 } 
 }

Old note (until Web Client Library version 4.2.1)

Note that this closure strategy is entirely server-side and the client receives no notice of the closure reason.
The client only sees an unexpected closure.
This means that, if the client is a web page based on the Web Client Library, the client will enter stalled state and, eventually, an attempt to create a new session will be performed.
In this sense, option 3 may be preferrable to both 1 and 2.

New note (since Web Client Library version 4.2.2)

Note that, in case a session is forcibly closed by the Server, the Web Client Library enters in "DISCONNECTED" state and does not try to recover the session; it just notifies application code through the "onServerError" event handler, with proper error codes.

About getting extended information on the sessions by taking advantage of the JMX interface:
Old note (for LS Server up to and including 3.6)

It has to be considered that many of the SessionMBean methods (and getUserAgent in particular) have not been implemented yet.
This is not reported in the MBeanInfo interface, but is shown in the javadoc-style interface description.

New note (for LS Server 4.0 and later, still to be released at time of writing)

All the information available on the SessionMBean is reported in the javadoc-style interface description.
Note that the same information is available dynamically through the MBeanInfo interface.

Dario

**churrusco** · July 16th, 2007, 03:21 PM

Thanks Dario.

The MBean strategy works perfectly for us.

The reason why we want to kill the user session is not really related with having multiple sessions (I guess to solve this overwrite the newSession callback method in the adapter is more than enough) but with security. Our system has a built-in hard session expiry mechanism to prevent malicious session handling attacks.

Having the JMX possibility is enough for us. Btw, is the JMX server secured? Because if it stores the session as it seems I guess that you can obtain plenty of useful information from it.

Regards,
Martin

**DarioCrivelli** · July 17th, 2007, 08:20 AM

Hi Martin

may you please clarify your security concerns?
We aim to guarantee security against external hosts. The JMX interface is exposed through some configurable ports, which can be hidden by the firewall and this should be enough.
However, at the moment, we don't protect the Server (and, in particular, its JMX interface) against its own Adapters. We consider the Server and all configured Adapters as "friends". In fact, they all lie in the same ClassLoader.

Dario

**churrusco** · July 17th, 2007, 09:21 AM

Hi Dario.

The problem is not the adapter but an attacker from outside that box, even within the green zone. You can enable some firewall rules to protect you from external attackers but within your intranet probably your sysadmins will want to be able to use the JMX console wherever they are.

As far as I know, there is no authentication for the JMX RMI interface so anyone that is in the intranet can open a JMX console and kill other user's sessions. Correct me if I'm wrong as I haven't tried it so it is only speculation.

Anyways, not a big issue for as and I suppose it could be an improvement.

**DarioCrivelli** · July 18th, 2007, 09:54 AM

Hi Martin,

Indeed, such a protection in the JMX access is lacking.
The extension is in our roadmap, but no time references have been set yet.

Dario

**churrusco** · July 23rd, 2007, 12:14 PM

Thanks Dario,

that's good to know.

Is there any reason why Lighstreamer is using its own JMX server implementation instead of using the JDK Platform MBean Server?

Martin