  1. #1
    Member
    Join Date
    Apr 2007
    Location
    Kerry
    Posts
    17
    Thanks Dario.

    The MBean strategy works perfectly for us.

    The reason why we want to kill the user session is not really related to having multiple sessions (I guess that, to solve this, overwriting the newSession callback method in the adapter is more than enough) but to security. Our system has a built-in hard session expiry mechanism to prevent malicious session handling attacks.

    Having the JMX possibility is enough for us. Btw, is the JMX server secured? Because if it stores the session as it seems I guess that you can obtain plenty of useful information from it.

    Regards,
    Martin

  2. #2
    Administrator
    Join Date
    Jul 2006
    Location
    Milan
    Posts
    1,091
    Hi Martin

    Could you please clarify your security concerns?
    We aim to guarantee security against external hosts. The JMX interface is exposed through some configurable ports, which can be hidden by the firewall and this should be enough.
    However, at the moment, we don't protect the Server (and, in particular, its JMX interface) against its own Adapters. We consider the Server and all configured Adapters as "friends". In fact, they all lie in the same ClassLoader.

    Dario

  3. #3
    Member
    Join Date
    Apr 2007
    Location
    Kerry
    Posts
    17
    Hi Dario.

    The problem is not the adapter but an attacker from outside that box, even within the green zone. You can enable some firewall rules to protect you from external attackers but within your intranet probably your sysadmins will want to be able to use the JMX console wherever they are.

    As far as I know, there is no authentication for the JMX RMI interface, so anyone that is in the intranet can open a JMX console and kill other users' sessions. Correct me if I'm wrong, as I haven't tried it, so it is only speculation.

    Anyway, not a big issue for us, and I suppose it could be an improvement.

  4. #4
    Administrator
    Join Date
    Jul 2006
    Location
    Milan
    Posts
    1,091
    Hi Martin,

    Indeed, such a protection in the JMX access is lacking.
    The extension is in our roadmap, but no time references have been set yet.

    Dario

  5. #5
    Member
    Join Date
    Apr 2007
    Location
    Kerry
    Posts
    17
    Thanks Dario,

    that's good to know.

    Is there any reason why Lightstreamer is using its own JMX server implementation instead of using the JDK Platform MBean Server?

    Martin

  6. #6
    Administrator
    Join Date
    Jul 2006
    Location
    Milan, Italy
    Posts
    521
    Hi Martin,

    Lightstreamer Server uses Sun's MBean Server (in particular, Sun's JMX Reference Implementation and Sun's JMX Remote API). You can find the related JAR files under "\Lightstreamer\lib".
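
The gap discussed in this thread (a JMX RMI connector that accepts any console on the network) can be closed at the connector level with the standard JMX Remote API. The following is an added example, not part of the thread and not Lightstreamer code or configuration; the class name, port, user name and password are constructed for illustration, and Java 9 or later is assumed.

```java
import java.lang.management.ManagementFactory;
import java.nio.charset.StandardCharsets;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Map;
import javax.management.remote.*;
import javax.security.auth.Subject;

public class AuthenticatedJmx {
    // Constructed sample values; a real deployment reads these from protected configuration.
    static final String USER = "jmxadmin";
    static final String PASSWORD = "constructed-sample-secret";
    static boolean same(String a, String b) { // constant-time comparison
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }
    public static void main(String[] args) throws Exception {
        int port = 9999; // assumed free port
        // Called for every new connection before any MBean operation is allowed.
        JMXAuthenticator auth = creds -> {
            if (!(creds instanceof String[]) || ((String[]) creds).length != 2)
                throw new SecurityException("credentials required");
            String[] c = (String[]) creds;
            if (c[0] == null || c[1] == null || !(same(USER, c[0]) & same(PASSWORD, c[1])))
                throw new SecurityException("authentication failed");
            return new Subject(true, Collections.singleton(new JMXPrincipal(c[0])),
                    Collections.emptySet(), Collections.emptySet());
        };
        Registry registry = LocateRegistry.createRegistry(port);
        JMXServiceURL url = new JMXServiceURL("service:jmx:rmi:///jndi/rmi://localhost:" + port + "/jmxrmi");
        JMXConnectorServer server = JMXConnectorServerFactory.newJMXConnectorServer(
                url, Map.of(JMXConnectorServer.AUTHENTICATOR, auth), ManagementFactory.getPlatformMBeanServer());
        server.start();
        try { // a console that presents no credentials is turned away
            JMXConnectorFactory.connect(url).close();
            System.out.println("anonymous: connected (unexpected)");
        } catch (SecurityException e) {
            System.out.println("anonymous: rejected (" + e.getMessage() + ")");
        }
        Map<String, Object> env = Map.of(JMXConnector.CREDENTIALS, new String[] {USER, PASSWORD});
        try (JMXConnector c = JMXConnectorFactory.connect(url, env)) {
            System.out.println("authenticated: " + c.getMBeanServerConnection().getMBeanCount() + " MBeans visible");
        }
        server.stop();
        UnicastRemoteObject.unexportObject(registry, true);
    }
}
```

Authentication alone still sends the password over plain RMI, so on a shared intranet it should be paired with TLS socket factories for the connector and with firewall rules limiting which hosts can reach the port.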
