Securing JBOSS 4.2.x JMX and Web Console, and JBoss Web Service

Every time I need to protect the jmx-console and web-console on JBoss 4.2.x I go looking for something that actually works, so here is the whole recipe in one place… let's go.

After installing the JBoss Application Server, the jmx-console can be reached by anybody without a username or password. This is a serious security risk: anyone who can reach the HTTP port can invoke any operation the MBeans expose through the jmx-console and web-console, up to deploying new applications. Basic username/password protection for the consoles can be set up with the following steps on the application server.

  • Edit $JBOSS_HOME/server/all/conf/props/jmx-console-users.properties to add jmx-console users; replace "all" with the name of the server profile you actually run. The syntax is username=password, one entry per line. The file ships with the user admin and the password admin: change that password or delete the line before the server is reachable by anyone else. Passwords are stored in clear text here, so keep the file readable only by the account JBoss runs as.
  • To grant the new user admin rights on the jmx and web consoles, edit jmx-console-roles.properties in the same $JBOSS_HOME/server/all/conf/props folder and add username=JBossAdmin (JBossAdmin is the role name the consoles' web.xml requires).
  • Edit $JBOSS_HOME/server/all/deploy/jmx-console.war/WEB-INF/jboss-web.xml file and uncomment the security domain as shown below.
<jboss-web>
  <security-domain>java:/jaas/jmx-console</security-domain>
</jboss-web>
  • Edit $JBOSS_HOME/server/all/deploy/jmx-console.war/WEB-INF/web.xml and uncomment the security constraint as shown below. Note that the constraint as shipped lists only GET and POST: a security-constraint that contains <http-method> elements applies to those verbs only, so a request using any other method (HEAD, PUT, DELETE, or an arbitrary verb) would reach the console without authentication. Delete the two <http-method> lines so the constraint covers every method.
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <description>An example security config that only allows users with the role JBossAdmin to access the HTML JMX console web application</description>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>
  • The location, path or name of the users and roles configuration files i.e. jmx-console-users.properties or jmx-console-roles.properties can be changed by editing $JBOSS_HOME/server/all/conf/login-config.xml file. Sample configuration is given below.
<application-policy name="jmx-console">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
      <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
      <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
    </login-module>
  </authentication>
</application-policy>
  • You still need to protect the web-console in the same login-config.xml: copy jmx-console-users.properties and jmx-console-roles.properties to web-console-users.properties and web-console-roles.properties, edit them as needed (the web-console also requires the JBossAdmin role), and add the application-policy below. Keep the props/ prefix in front of the file names, otherwise the login module will not find them.
<application-policy name = "web-console">
   <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
         flag = "required">
         <module-option name="usersProperties">props/web-console-users.properties</module-option>
         <module-option name="rolesProperties">props/web-console-roles.properties</module-option>
      </login-module>
   </authentication>
</application-policy>
  • Edit $JBOSS_HOME/server/all/deploy/management/console-mgr.sar/web-console.war/WEB-INF/jboss-web.xml and uncomment the security domain as shown below.
<jboss-web>
  <security-domain>java:/jaas/web-console</security-domain>
  <depends>jboss.admin:service=PluginManager</depends>
</jboss-web>
  • Edit $JBOSS_HOME/server/all/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml and uncomment the security constraint as shown below. As with the jmx-console, delete the two <http-method> lines so the constraint is not limited to GET and POST.
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <description>An example security config that only allows users with the role JBossAdmin to access the HTML JMX console web application</description>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>
  • Finally, let's protect the JBossWS console (the web service listing served under the jbossws context root)…
  • Edit $JBOSS_HOME/server/all/deploy/jbossws.sar/jbossws-context.war/WEB-INF/jboss-web.xml and uncomment the security domain as shown below.
<jboss-web>
  <!-- A security domain that restricts access -->
  <security-domain>java:/jaas/JBossWS</security-domain>
  <context-root>jbossws</context-root>
</jboss-web>
  • Edit $JBOSS_HOME/server/all/deploy/jbossws.sar/jbossws-context.war/WEB-INF/web.xml and uncomment the security constraint as shown below. Here too, delete the two <http-method> lines so that every request method is covered, not just GET and POST.
   <security-constraint>
     <web-resource-collection>
       <web-resource-name>ContextServlet</web-resource-name>
       <description>An example security config that only allows users with the
         role 'friend' to access the JBossWS console web application
       </description>
       <url-pattern>/*</url-pattern>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
     </web-resource-collection>
     <auth-constraint>
       <role-name>friend</role-name>
     </auth-constraint>
   </security-constraint>
  • The location, path or name of the users and roles configuration files, i.e. jbossws-users.properties and jbossws-roles.properties, can be changed by editing $JBOSS_HOME/server/all/conf/login-config.xml. Comment out the unauthenticatedIdentity option: as shipped it assigns the identity anonymous to every caller that presents no credentials, which is exactly what leaves this console open. Also make sure each user in jbossws-users.properties gets the friend role in jbossws-roles.properties (username=friend), since that is the role the constraint above demands. Sample configuration is given below.
    <application-policy name="JBossWS">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
          flag="required">
          <module-option name="usersProperties">props/jbossws-users.properties</module-option>
          <module-option name="rolesProperties">props/jbossws-roles.properties</module-option>
          <!-- module-option name="unauthenticatedIdentity">anonymous</module-option -->
        </login-module>
      </authentication>
    </application-policy>
  • Restart JBoss and verify that an unauthenticated request to /jmx-console, /web-console and /jbossws now gets an HTTP 401 instead of a page. Remember that these consoles use HTTP BASIC authentication, which sends the password base64-encoded with every request, so put them behind HTTPS or restrict the port to an administrative network.
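As an added check that is not part of the original post or of JBoss itself, the script below audits the files the steps above edit: it parses jboss-web.xml, web.xml and login-config.xml plus the users .properties file and reports what is still weak (missing security-domain, a constraint narrowed to GET/POST, a live unauthenticatedIdentity, properties files outside props/, and admin=admin). The embedded sample descriptors are constructed from the jmx-console snippets in this post; the <policy> root of login-config.xml and the un-namespaced (DTD-based) form of the stock 4.2.x descriptors are assumed, so a web.xml that declares an xmlns would need the namespace added to the tag lookups.

```python
"""Audit JBoss 4.2.x console hardening (added example; not the post's or JBoss's code).
Sample inputs below are constructed from the post's jmx-console snippets."""
import xml.etree.ElementTree as ET

JBOSS_WEB_XML = """<jboss-web>
  <security-domain>java:/jaas/jmx-console</security-domain>
</jboss-web>"""

WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

LOGIN_CONFIG_XML = """<policy>
  <application-policy name="jmx-console">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
        <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
        <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
        <!-- module-option name="unauthenticatedIdentity">anonymous</module-option -->
      </login-module>
    </authentication>
  </application-policy>
</policy>"""

USERS_PROPERTIES = "# stock file as shipped\nadmin=admin\n"


def check_jboss_web(xml_text, expected_domain):
    """A commented-out <security-domain> parses as no element at all."""
    domain = ET.fromstring(xml_text).findtext("security-domain")
    if domain is None:
        return ["jboss-web.xml: <security-domain> missing or still commented out"]
    if domain.strip() != expected_domain:
        return [f"jboss-web.xml: security-domain {domain.strip()!r} != {expected_domain!r}"]
    return []


def check_web_xml(xml_text, required_role):
    """Constraint must cover /* and demand the role; listed <http-method>s
    narrow it to those verbs, so every other method bypasses authentication."""
    findings = []
    constraints = ET.fromstring(xml_text).findall("security-constraint")
    if not constraints:
        return ["web.xml: no <security-constraint>; the console is open"]
    for sc in constraints:
        patterns = [p.text.strip() for p in sc.iter("url-pattern")]
        methods = [m.text.strip() for m in sc.iter("http-method")]
        roles = [r.text.strip() for r in sc.iter("role-name")]
        if "/*" not in patterns:
            findings.append(f"web.xml: url-pattern {patterns} does not cover /*")
        if required_role not in roles:
            findings.append(f"web.xml: auth-constraint lacks role {required_role!r}")
        if methods:
            findings.append(f"web.xml: limited to {methods}; delete the <http-method> lines")
    return findings


def check_login_config(xml_text, policy_name):
    """Policy must exist, read props/*.properties and grant no unauthenticatedIdentity."""
    findings = []
    policy = ET.fromstring(xml_text).find(f"application-policy[@name='{policy_name}']")
    if policy is None:
        return [f"login-config.xml: no application-policy named {policy_name!r}"]
    for opt_name in ("usersProperties", "rolesProperties"):
        opt = policy.find(f".//module-option[@name='{opt_name}']")
        if opt is None or not (opt.text or "").strip().startswith("props/"):
            findings.append(f"login-config.xml: {opt_name} should be props/<name>.properties")
    anon = policy.find(".//module-option[@name='unauthenticatedIdentity']")
    if anon is not None:  # the XML comment in the sample hides it from the parser
        findings.append(f"login-config.xml: unauthenticatedIdentity={anon.text.strip()!r} admits anonymous callers")
    return findings


def check_users(props_text):
    """Flag passwords equal to the user name, which catches the stock admin=admin."""
    findings = []
    for line in props_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        user, _, password = (part.strip() for part in line.partition("="))
        if password.lower() == user.lower():
            findings.append(f"users.properties: {user!r} uses its own name as password")
    return findings


def audit(jboss_web_xml, web_xml, login_config_xml, users_props, name, role):
    """Run every check for one console; `name` is the java:/jaas/<name> suffix
    and the application-policy name, `role` the role web.xml must demand."""
    return (check_jboss_web(jboss_web_xml, f"java:/jaas/{name}")
            + check_web_xml(web_xml, role)
            + check_login_config(login_config_xml, name)
            + check_users(users_props))


if __name__ == "__main__":
    print(*audit(JBOSS_WEB_XML, WEB_XML, LOGIN_CONFIG_XML, USERS_PROPERTIES, "jmx-console", "JBossAdmin"), sep="\n")
```

Run against the post's own snippets it reports exactly two weaknesses: the constraint limited to GET/POST and the admin=admin account. Feed it the real files with open() for the other two consoles using "web-console"/"JBossAdmin" and "JBossWS"/"friend" as the name and role; an empty list means the descriptors match what this post describes.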

Note: this post is the result of cutting, copying, inserting and modifying several other posts provided by the JBoss community; it belongs to us. Thanks all!

Published by

Claudio Cardozo

Ubuntu Kernel Team Membership, Certified SCRUM Master, System Architect, Open Source enthusiast, passionate about Java and JavaFX, OpenCRX Team, Theologist, minimalist lifestyle, eitaa!
