Securing JBoss 4.2.x JMX Console, Web Console and JBossWS Console

Whenever I need to protect the jmx-console and web-console on JBoss 4.2.x I look for something that works effectively… let’s go.

After installing JBoss Application Server, the JMX console can be reached by anybody without providing a username or password. That is a serious risk: anyone who can reach the HTTP port can deploy applications, invoke MBean operations and change server state through the JMX and web consoles. (JBoss 4.2 binds to 127.0.0.1 unless started with -b, so the exposure starts the moment you bind to a routable address, which is exactly when the steps below matter.) Basic username/password protection for the consoles is set up on the application server as follows.

  • Edit $JBOSS_HOME/server/all/conf/props/jmx-console-users.properties to add JMX console users; replace “all” with the name of the profile you actually run. The syntax is username=password, one entry per line. The file ships with the admin user and the password admin: change that password, or remove the entry, before the console is reachable from anywhere else.
  • To give the new user admin rights on the JMX and web consoles, edit jmx-console-roles.properties in the same $JBOSS_HOME/server/all/conf/props folder and add username=JBossAdmin.
  • Edit $JBOSS_HOME/server/all/deploy/jmx-console.war/WEB-INF/jboss-web.xml file and uncomment the security domain as shown below.
<jboss-web>
  <security-domain>java:/jaas/jmx-console</security-domain>
</jboss-web>
  • Edit $JBOSS_HOME/server/all/deploy/jmx-console.war/WEB-INF/web.xml and uncomment the security constraint as shown below. Caveat: the stock constraint lists only GET and POST, so any other verb (HEAD, for example) is never matched against the auth-constraint and reaches the console unauthenticated; this is the verb-tampering issue tracked as CVE-2010-0738. Delete the two <http-method> lines so that the constraint applies to every method.
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <description>An example security config that only allows users with the role JBossAdmin to access the HTML JMX console web application</description>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>
  • The location, path or name of the users and roles files (jmx-console-users.properties and jmx-console-roles.properties) can be changed in $JBOSS_HOME/server/all/conf/login-config.xml; the paths are relative to the conf directory, hence the props/ prefix. Note that UsersRolesLoginModule compares passwords in clear text unless you also set the hashAlgorithm and hashEncoding module options (hashAlgorithm takes any java.security.MessageDigest name, hashEncoding base64 or hex) and store hashed values in the users file. Sample configuration is given below.
<application-policy name="jmx-console">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
      <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
      <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
    </login-module>
  </authentication>
</application-policy>
  • The web-console is protected through the same file: copy jmx-console-users.properties and jmx-console-roles.properties to web-console-users.properties and web-console-roles.properties in conf/props, edit them, and add a matching application-policy (note the props/ prefix on both file names).
<application-policy name = "web-console">
   <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
         flag = "required">
         <module-option name="usersProperties">props/web-console-users.properties</module-option>
         <module-option name="rolesProperties">props/web-console-roles.properties</module-option>
      </login-module>
   </authentication>
</application-policy>
  • Edit $JBOSS_HOME/server/all/deploy/management/console-mgr.sar/web-console.war/WEB-INF/jboss-web.xml and uncomment the security domain as shown below.
<jboss-web>
  <security-domain>java:/jaas/web-console</security-domain>
  <depends>jboss.admin:service=PluginManager</depends>
</jboss-web>
  • Edit $JBOSS_HOME/server/all/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml and uncomment the security constraint as shown below (the shipped description still says “JMX console”; it applies to the web console). Remove the two <http-method> elements here as well, so that verbs other than GET and POST are not left unauthenticated.
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <description>An example security config that only allows users with the role JBossAdmin to access the HTML JMX console web application</description>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>
  • Finally, protect the JBoss Web Services console. Edit $JBOSS_HOME/server/all/deploy/jbossws.sar/jbossws-context.war/WEB-INF/jboss-web.xml and uncomment the security domain as shown below.
<jboss-web>
  <!-- A security domain that restricts access -->
  <security-domain>java:/jaas/JBossWS</security-domain>
  <context-root>jbossws</context-root>
</jboss-web>
  • Edit $JBOSS_HOME/server/all/deploy/jbossws.sar/jbossws-context.war/WEB-INF/web.xml and uncomment the security constraint as shown below. Remove the <http-method> elements here too, for the same reason as in the jmx-console constraint: with them present, only GET and POST are checked.
   <security-constraint>
     <web-resource-collection>
       <web-resource-name>ContextServlet</web-resource-name>
       <description>An example security config that only allows users with the
         role 'friend' to access the JBossWS console web application
       </description>
       <url-pattern>/*</url-pattern>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
     </web-resource-collection>
     <auth-constraint>
       <role-name>friend</role-name>
     </auth-constraint>
   </security-constraint>
  • The JBossWS policy lives in the same $JBOSS_HOME/server/all/conf/login-config.xml, where the location or name of jbossws-users.properties and jbossws-roles.properties can be changed. Comment out the unauthenticatedIdentity option, which otherwise maps requests carrying no credentials to the identity anonymous instead of rejecting them, and make sure the users file contains at least one account that the roles file assigns to the friend role. The resulting policy is shown below.
    <application-policy name="JBossWS">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
          flag="required">
          <module-option name="usersProperties">props/jbossws-users.properties</module-option>
          <module-option name="rolesProperties">props/jbossws-roles.properties</module-option>
          <!-- module-option name="unauthenticatedIdentity">anonymous</module-option -->
        </login-module>
      </authentication>
    </application-policy>
  • Restart JBoss and confirm that an unauthenticated request to /jmx-console/, /web-console/ and /jbossws/ is now refused (HTTP 401).
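A quick post-restart check, as an added example that is not part of the original post: it walks the three console paths with several HTTP verbs, anonymously and then with a JBossAdmin-role account, and reports anything that is still reachable without credentials. It assumes JBoss is listening on http://localhost:8080 (the stock port) and that the consoles use HTTP Basic authentication as the shipped web.xml files do; adjust BASE, the paths and the account to match your profile. Needs Java 8 or later for java.util.Base64.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/**
 * Verifies that the hardened consoles reject unauthenticated requests for
 * every verb, not just GET and POST. BASE and the console paths are
 * assumptions for a default JBoss 4.2.x installation.
 */
public class ConsoleAuthCheck {

    private static final String BASE = "http://localhost:8080";
    private static final String[] CONSOLES = {"/jmx-console/", "/web-console/", "/jbossws/"};
    private static final String[] VERBS = {"GET", "POST", "HEAD", "OPTIONS"};

    /** Returns the HTTP status for one verb against one path, optionally with Basic credentials. */
    static int status(String path, String verb, String user, String password) throws IOException {
        HttpURLConnection c = (HttpURLConnection) new URL(BASE + path).openConnection();
        c.setRequestMethod(verb);
        c.setInstanceFollowRedirects(false);
        c.setConnectTimeout(5000);
        c.setReadTimeout(5000);
        if (user != null) {
            String token = Base64.getEncoder().encodeToString(
                    (user + ":" + password).getBytes(StandardCharsets.UTF_8));
            c.setRequestProperty("Authorization", "Basic " + token);
        }
        try {
            return c.getResponseCode();
        } finally {
            c.disconnect();
        }
    }

    /** True when the status means the container refused the request for lack of credentials or role. */
    static boolean refused(int status) {
        return status == 401 || status == 403;
    }

    public static void main(String[] args) throws IOException {
        // Optional: a user from jmx-console-users.properties that holds the JBossAdmin role.
        String user = args.length > 0 ? args[0] : null;
        String password = args.length > 1 ? args[1] : null;
        boolean allProtected = true;

        for (String path : CONSOLES) {
            for (String verb : VERBS) {
                int anon = status(path, verb, null, null);
                // A 200 on HEAD while GET gives 401 means the constraint still
                // lists only GET and POST (the verb-tampering gap).
                boolean ok = refused(anon);
                System.out.printf("%-14s %-8s anonymous -> %d %s%n", path, verb, anon, ok ? "ok" : "EXPOSED");
                allProtected &= ok;
            }
            if (user != null) {
                int authed = status(path, "GET", user, password);
                System.out.printf("%-14s %-8s as %s -> %d%n", path, "GET", user, authed);
            }
        }
        System.out.println(allProtected
                ? "All consoles require authentication for every verb tested."
                : "At least one console still answers an unauthenticated request.");
        System.exit(allProtected ? 0 : 1);
    }
}
```

Run it once with no arguments to confirm every row is refused, then with a JBossAdmin account to confirm the credentials still get through. Because the consoles use Basic authentication, the credentials travel base64-encoded, not encrypted, so put the consoles behind HTTPS or restrict them to a management network.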

Note: this post is the result of cutting, copying, pasting and modifying several other posts from the JBoss community; it belongs to us. Thanks, all!

Insert date value in PreparedStatement

A simple table script in Oracle database.

CREATE TABLE DBUSER ( 
  USER_ID       NUMBER (5)    NOT NULL, 
  USERNAME      VARCHAR2 (20)  NOT NULL, 
  CREATED_BY    VARCHAR2 (20)  NOT NULL, 
  CREATED_DATE  DATE          NOT NULL, 
  PRIMARY KEY ( USER_ID ) 
 )

Suppose you want to insert the current date, e.g. “04/04/2011”, into the “CREATED_DATE” column via a JDBC PreparedStatement and are not sure what to pass:

String insertTableSQL = "INSERT INTO DBUSER"
		+ "(USER_ID, USERNAME, CREATED_BY, CREATED_DATE) VALUES"
		+ "(?,?,?,?)";
preparedStatement = dbConnection.prepareStatement(insertTableSQL);
preparedStatement.setDate(4, ???);

Solution

The preparedStatement.setDate() method accepts a java.sql.Date parameter, so you have to convert from java.util.Date to java.sql.Date.

For example, create a method that returns the current date converted to java.sql.Date:

private static java.sql.Date getCurrentDate() {
    java.util.Date today = new java.util.Date();
    return new java.sql.Date(today.getTime());
}

And set the returned date via preparedStatement.setDate().

String insertTableSQL = "INSERT INTO DBUSER"
	+ "(USER_ID, USERNAME, CREATED_BY, CREATED_DATE) VALUES"
	+ "(?,?,?,?)";
preparedStatement = dbConnection.prepareStatement(insertTableSQL);
preparedStatement.setDate(4, getCurrentDate());

Done.
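Added example, not code from the original post, showing the two bindings side by side. java.sql.Date is a date-only type whose time fields the driver normalises, so binding it with setDate stores 00:00:00 in an Oracle DATE column, even though that column type does hold a time of day; setTimestamp keeps the clock time. The helper assumes an open Connection to a schema containing the DBUSER table from the script above, and binds every caller-supplied value as a parameter rather than concatenating it into the SQL.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.sql.Timestamp;
import java.util.Date;

/**
 * Inserts into the DBUSER table from the post. The Connection is assumed to
 * be open and pointed at a schema that already contains the table.
 */
public class DateBinding {

    private static final String INSERT_SQL =
            "INSERT INTO DBUSER (USER_ID, USERNAME, CREATED_BY, CREATED_DATE) VALUES (?, ?, ?, ?)";

    /** Date only: java.sql.Date carries no usable time of day, so the column ends up at midnight. */
    public static int insertDateOnly(Connection con, int userId, String username, String createdBy, Date when)
            throws SQLException {
        try (PreparedStatement ps = con.prepareStatement(INSERT_SQL)) {
            bindCommon(ps, userId, username, createdBy);
            ps.setDate(4, new java.sql.Date(when.getTime()));
            return ps.executeUpdate();
        }
    }

    /** Date and time: java.sql.Timestamp keeps hours, minutes and seconds in the Oracle DATE column. */
    public static int insertWithTime(Connection con, int userId, String username, String createdBy, Date when)
            throws SQLException {
        try (PreparedStatement ps = con.prepareStatement(INSERT_SQL)) {
            bindCommon(ps, userId, username, createdBy);
            ps.setTimestamp(4, new Timestamp(when.getTime()));
            return ps.executeUpdate();
        }
    }

    /**
     * Untrusted strings such as a username typed by a user go through bind
     * parameters; building "... VALUES (1, '" + username + "', ...)" by hand
     * would be the injectable version of the same statement.
     */
    private static void bindCommon(PreparedStatement ps, int userId, String username, String createdBy)
            throws SQLException {
        ps.setInt(1, userId);
        ps.setString(2, username);
        ps.setString(3, createdBy);
    }
}
```

Both methods return the row count from executeUpdate (1 on success). Use insertWithTime when CREATED_DATE is meant to record when the row was written; use insertDateOnly only when the column really is a calendar date. The try-with-resources form needs Java 7 or later.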


JDBC PreparedStatement example – Create a table

Here’s an example that shows how to create a table in the database via a JDBC PreparedStatement. To issue a CREATE statement, call PreparedStatement.executeUpdate() like this:

PreparedStatement preparedStatement = dbConnection.prepareStatement(createTableSQL);
// execute the CREATE TABLE statement
preparedStatement.executeUpdate();

Full example…

package br.com.ziben.jdbc;

import java.sql.DriverManager;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public class JDBCPreparedStatementCreateExample {

	private static final String DB_DRIVER = "oracle.jdbc.driver.OracleDriver";
	private static final String DB_CONNECTION = "jdbc:oracle:thin:@localhost:1521:ZIBEN";
	private static final String DB_USER = "user";
	private static final String DB_PASSWORD = "password";

	public static void main(String[] argv) {
		try {
			createTable();
		} catch (SQLException e) {
			System.out.println(e.getMessage());
		}
	}
	private static void createTable() throws SQLException {
		Connection dbConnection = null;
		PreparedStatement preparedStatement = null;

		String createTableSQL = "CREATE TABLE DBUSER("
				+ "USER_ID NUMBER(5) NOT NULL, "
				+ "USERNAME VARCHAR(20) NOT NULL, "
				+ "CREATED_BY VARCHAR(20) NOT NULL, "
				+ "CREATED_DATE DATE NOT NULL, " + "PRIMARY KEY (USER_ID) "
				+ ")";
		try {
			dbConnection = getDBConnection();
			preparedStatement = dbConnection.prepareStatement(createTableSQL);

			System.out.println(createTableSQL);

			// execute the CREATE TABLE statement
			preparedStatement.executeUpdate();

			System.out.println("Table \"dbuser\" is created!");

		} catch (SQLException e) {
			System.out.println(e.getMessage());
		} finally {
			if (preparedStatement != null) {
				preparedStatement.close();
			}
			if (dbConnection != null) {
				dbConnection.close();
			}
		}
	}

	private static Connection getDBConnection() {
		Connection dbConnection = null;

		try {
			Class.forName(DB_DRIVER);
		} catch (ClassNotFoundException e) {
			System.out.println(e.getMessage());
		}

		try {
			dbConnection = DriverManager.getConnection(
                            DB_CONNECTION, DB_USER,DB_PASSWORD);
			return dbConnection;
		} catch (SQLException e) {
			System.out.println(e.getMessage());
		}
		return dbConnection;
	}
}
Result

A table named “DBUSER” is created.

CREATE TABLE DBUSER(
   USER_ID NUMBER(5) NOT NULL,
   USERNAME VARCHAR(20) NOT NULL,
   CREATED_BY VARCHAR(20) NOT NULL,
   CREATED_DATE DATE NOT NULL,
   PRIMARY KEY (USER_ID)
)
Table "dbuser" is created!
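Added example, not code from the original post. JDBC placeholders bind values only, never identifiers, so a table name that comes from outside the program cannot be passed as a ? parameter and has to be validated before it is spliced into the CREATE TABLE text. The whitelist below is the Oracle unquoted-identifier rule (a letter, then letters, digits, _, $ or #, at most 30 characters, the limit in the releases this post targets). The Connection passed in is assumed to be open; createTable returns executeUpdate's result, which is 0 for DDL.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.Locale;
import java.util.regex.Pattern;

/**
 * Creates the DBUSER layout from the post under a caller-chosen table name,
 * refusing any name that is not a plain Oracle identifier.
 */
public class SafeCreateTable {

    // Oracle unquoted identifier: a letter, then letters, digits, _, $ or #; 30 characters max.
    private static final Pattern IDENT = Pattern.compile("[A-Za-z][A-Za-z0-9_$#]{0,29}");

    /** Whitelists the identifier; spaces, quotes, semicolons and keywords-with-payload are all refused. */
    static String validateIdentifier(String name) {
        if (name == null || !IDENT.matcher(name).matches()) {
            throw new IllegalArgumentException("not a valid unquoted Oracle identifier: " + name);
        }
        return name.toUpperCase(Locale.ROOT);
    }

    /** Builds the DDL text; the only dynamic part is the validated table name. */
    static String createTableSql(String table) {
        return "CREATE TABLE " + validateIdentifier(table) + " ("
                + "USER_ID NUMBER(5) NOT NULL, "
                + "USERNAME VARCHAR2(20) NOT NULL, "
                + "CREATED_BY VARCHAR2(20) NOT NULL, "
                + "CREATED_DATE DATE NOT NULL, "
                + "PRIMARY KEY (USER_ID))";
    }

    /** Executes the DDL. executeUpdate returns 0 for statements that affect no rows. */
    public static int createTable(Connection con, String table) throws SQLException {
        try (PreparedStatement ps = con.prepareStatement(createTableSql(table))) {
            return ps.executeUpdate();
        }
    }

    public static void main(String[] args) {
        // A plain name is accepted and upper-cased, matching what Oracle does with unquoted identifiers.
        System.out.println(createTableSql("dbuser"));
        // A name carrying a second statement is rejected before any SQL text is built.
        try {
            createTableSql("DBUSER; DROP TABLE DBUSER");
        } catch (IllegalArgumentException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```

The same rule applies to column names, schema prefixes and anything else that lands outside a ? placeholder: validate against a whitelist, or map the external value to one of a fixed set of names, instead of quoting it.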


Ubuntu Oneiric Ocelot: Next after Natty?

The naming of cats is a difficult matter

It isn’t just one of your holiday games.

– T S Eliot, The Naming of Cats

For the next cycle, I think we’ll leave the oceanic theme behind. The “oddball octopus”, for example, is a great name but not one we’ll adopt this time around. Perhaps in 13 years time, though!

The objective is to capture the essence of our next six months work in a simple name. Inevitably there’s an obliquity, or offbeat opportunism in the result. And perhaps this next release more than most requires something other than orthodoxy – the skunkworks are in high gear right now. Fortunately I’m assured that if one of Natty’s successors is a skunk, it would at least be a sassy skunk!

So we’re looking for a name that conveys mysterious possibility, with perhaps an ounce of overt oracular content too. Nothing too opaque, ornate, odious or orotund. Something with an orderly ring to it, in celebration of the crisp clean cadence by which we the community bring Ubuntu forth.

There’s something neat in the idea that 11.10 will mark eight years since Ubuntu was conceived (it took a little longer to be born). So “octennial” might suit… but that would be looking backwards, and we should have an eye on the future, not the past. Hmm… an eye on the future, perhaps ocular? Or oculate? We’re certainly making our way up the S-curve of adoption, so perhaps ogee would do the trick?

Alternatively, we could celebrate the visual language of Ubuntu with the “orange okapi”, or the welcoming nature of our community with the “osculant orangutan”. Nothing hugs quite like dholbach, though, and he’s no hairy ape.

What we want is something imaginative, something dreamy. Something sleek and neat, too. Something that has all the precision of T S Eliot’s poetry, matched with the “effable ineffability” of our shared values, friendship and expertise. Something that captures both the competence of ubuntu-devel with the imagination of ayatana.

Which leads us neatly to the Oneiric Ocelot.

Oneiric means “dreamy”, and the combination with Ocelot reminds me of the way innovation happens: part daydream, part discipline.

We’ll need to keep up the pace of innovation on all fronts post-Natty. Our desktop has come together beautifully, and in the next release we’ll complete the cycle of making it available to all users, with a 2D experience to complement the OpenGL based Unity for those with the hardware to handle it. The introduction of Qt means we’ll be giving developers even more options for how they can produce interfaces that are both functional and aesthetically delightful.

In the cloud, we’ll have to tighten up and make some firm decisions about the platforms we can support for 12.04 LTS. UDS in Budapest will be full of feisty debate on that front, I’m sure, but I’m equally sure we can reach a pragmatic consensus and start to focus our energies on delivering the platform for widespread cloud computing on free and flexible terms.

Ubuntu is now shipping on millions of systems from multiple providers every year. It makes a real difference in the lives of millions, perhaps tens of millions, of people. As MPT said, “what we do is not only art, it’s performance art”. Every six months the curtains part, and we have to be ready for the performance. I’d like to thank the thousands of people who are actively participating in the production of Natty: take the initiative, take responsibility, take action, and your work will make a difference to all of those users. There are very few places in the world where a personal intellectual contribution can have that kind of impact. And very few places where we have such a strong social fabric around those intellectual challenges, too. We each do what we do for our own reasons, but it’s the global impact of Ubuntu which gives meaning to that action.

Natty is a stretch release: we set out to redefine the look and feel of the free desktop. We’ll need all the feedback we can get, so please test today’s daily, or A3, and file bug reports! Keep up the discipline and focus on the Narwhal, and let’s direct our daydreaming to the Ocelot.

Originally posted by Mark Shuttleworth here on Monday, March 7, 2011.


Ubuntu 9.10 reaches end-of-life on April 30 2011

Ubuntu announced its 9.10 release almost 18 months ago, on October 29, 2009. As with the earlier releases, Ubuntu committed to ongoing security and critical fixes for a period of 18 months. The support period is now nearing its end and Ubuntu 9.10 will reach end of life on Friday, April 29, 2011. At that time, Ubuntu Security Notices will no longer include information or updated packages for Ubuntu 9.10.

The supported upgrade path from Ubuntu 9.10 is via Ubuntu 10.04. Instructions and caveats for the upgrade may be found at https://help.ubuntu.com/community/LucidUpgrades. Ubuntu 10.04 LTS continues to be actively supported with security updates and select high-impact bug fixes. All announcements of official security updates for Ubuntu releases are sent to the ubuntu-security-announce mailing list, information about which may be found at https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce.

Since its launch in October 2004 Ubuntu has become one of the most highly regarded Linux distributions with millions of users in homes, schools, businesses and governments around the world. Ubuntu is Open Source software, costs nothing to download, and users are free to customise or alter their software in order to meet their needs.

Originally sent to the ubuntu-announce mailing list by Kate Stewart on Tue Mar 29 02:55:03 UTC 2011