blank page on jmx-console
devils_lick Jul 19, 2010 5:07 PM
I am new to JBoss, so I really don't have any knowledge of it. Well, my situation is this: I need to secure jmx-webconsole. I found a couple of good articles on how to do it and performed it step by step, but the thing is that I got the login prompt for jmx-console, but when I enter the username and password it displays a blank page.
Here are the steps that I followed:
1. locate web.xml file
it was under ::
/usr/java/jboss-4.0.1sp1/server/default/deploy/jmx-console.war/WEB-INF/web.xml
/usr/java/jboss-4.0.1sp1/server/all/deploy/jmx-console.war/WEB-INF/web.xml
/usr/java/jboss-4.0.1sp1/server/site-minimal/deploy/jmx-console.war/WEB-INF/web.xml
but since we are using the minimal configuration
#ps -ef | grep jboss showed
jboss 4828 1 0 02:43 ? 00:00:00 /bin/sh /usr/java/jboss/bin/run.sh -c site-minimal
jboss 4834 4828 1 02:43 ? 00:08:03 /usr/java/java_home/bin/java -server -Xms256m -Xmx1024m -Dprogram.name=run.sh -Djava.endorsed.dirs=/usr/java/jboss/lib/endorsed -classpath /usr/java/jboss/bin/run.jar:/usr/java/java_home/lib/tools.jar org.jboss.Main -c site-minimal
2. I uncommented the security constraint part:
    <!-- A security constraint that restricts access to the HTML JMX console
    to users with the role JBossAdmin. Edit the roles to what you want and
    uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
    secured access to the HTML JMX console.-->
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>HtmlAdaptor</web-resource-name>
        <description>An example security config that only allows users with the
          role JBossAdmin to access the HTML JMX console web application
        </description>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>JBossAdmin</role-name>
      </auth-constraint>
    </security-constraint>

    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>JBoss JMX Console</realm-name>
    </login-config>

    <security-role>
      <role-name>JBossAdmin</role-name>
    </security-role>
  </web-app>
2. locate jboss-web.xml file and edit it as following:
  <jboss-web>
    <!-- Uncomment the security-domain to enable security. You will
    need to edit the htmladaptor login configuration to setup the
    login modules used to authentication users.-->
    <security-domain>java:/jaas/jmx-console</security-domain>
  </jboss-web>
3. locate login-config.xml file, the contents of it are as follows:
<?xml version='1.0'?>
<!DOCTYPE policy PUBLIC
      "-//JBoss//DTD JBOSS Security Config 3.0//EN"
      "http://www.jboss.org/j2ee/dtd/security_config.dtd">

<!-- The XML based JAAS login configuration read by the
org.jboss.security.auth.login.XMLLoginConfig mbean. Add
an application-policy element for each security domain.

The outline of the application-policy is:
<application-policy>
  <authentication>
    <login-module code="login.module1.class.name" flag="control_flag">
      <module-option name = "option1-name">option1-value</module-option>
      <module-option name = "option2-name">option2-value</module-option>
      ...
    </login-module>

    <login-module code="login.module2.class.name" flag="control_flag">
      ...
    </login-module>
    ...
  </authentication>
</application-policy>

$Revision: 1.12.2.1 $
-->

<policy>
    <!-- Used by clients within the application server VM such as
    mbeans and servlets that access EJBs.
    -->
    <application-policy name = "client-login">
       <authentication>
          <login-module code = "org.jboss.security.ClientLoginModule"
             flag = "required">
          </login-module>
       </authentication>
    </application-policy>

    <!-- Security domain for JBossMQ -->
    <application-policy name = "jbossmq">
       <authentication>
          <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
             flag = "required">
             <module-option name = "unauthenticatedIdentity">guest</module-option>
             <module-option name = "dsJndiName">java:/DefaultDS</module-option>
             <module-option name = "principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?</module-option>
             <module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?</module-option>
          </login-module>
       </authentication>
    </application-policy>

    <!-- Security domain for JBossMQ when using file-state-service.xml
    <application-policy name = "jbossmq">
       <authentication>
          <login-module code = "org.jboss.mq.sm.file.DynamicLoginModule"
             flag = "required">
             <module-option name = "unauthenticatedIdentity">guest</module-option>
             <module-option name = "sm.objectname">jboss.mq:service=StateManager</module-option>
          </login-module>
       </authentication>
    </application-policy>
    -->

    <!-- Security domains for testing new jca framework -->
    <application-policy name = "HsqlDbRealm">
       <authentication>
          <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
             flag = "required">
             <module-option name = "principal">sa</module-option>
             <module-option name = "userName">sa</module-option>
             <module-option name = "password"></module-option>
             <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
          </login-module>
       </authentication>
    </application-policy>

    <application-policy name = "FirebirdDBRealm">
       <authentication>
          <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
             flag = "required">
             <module-option name = "principal">sysdba</module-option>
             <module-option name = "userName">sysdba</module-option>
             <module-option name = "password">masterkey</module-option>
             <module-option name = "managedConnectionFactoryName">jboss.jca:service=XaTxCM,name=FirebirdDS</module-option>
          </login-module>
       </authentication>
       </authentication>
    </application-policy>

    <application-policy name = "JmsXARealm">
       <authentication>
          <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
             flag = "required">
             <module-option name = "principal">guest</module-option>
             <module-option name = "userName">guest</module-option>
             <module-option name = "password">guest</module-option>
             <module-option name = "managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA</module-option>
          </login-module>
       </authentication>
    </application-policy>

    <!-- A template configuration for the jmx-console web application. This
      defaults to the UsersRolesLoginModule the same as other and should be
      changed to a stronger authentication mechanism as required.
    -->
    <application-policy name = "jmx-console">
       <authentication>
          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required">
             <module-option>jmx-console-users.properties</module-option>
             <module-option>jmx-console-roles.properties</module-option>
          </login-module>
       </authentication>
    </application-policy>

    <!-- A template configuration for the web-console web application. This
      defaults to the UsersRolesLoginModule the same as other and should be
      changed to a stronger authentication mechanism as required.
    -->
    <application-policy name = "web-console">
       <authentication>
          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required">
             <module-option name="usersProperties">web-console-users.properties</module-option>
             <module-option name="rolesProperties">web-console-roles.properties</module-option>
          </login-module>
       </authentication>
    </application-policy>

    <!-- A template configuration for the JBossWS web application (and transport layer!).
      This defaults to the UsersRolesLoginModule the same as other and should be
      changed to a stronger authentication mechanism as required.
    -->
    <application-policy>
       <authentication>
          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag="required">
             <module-option name="unauthenticatedIdentity">anonymous</module-option>
          </login-module>
       </authentication>
    </application-policy>

    <!-- The default login configuration used by any security domain that
    does not have a application-policy entry with a matching name
    -->
    <application-policy name = "other">
       <!-- A simple server login module, which can be used when the number
       of users is relatively small. It uses two properties files:
       users.properties, which holds users (key) and their password (value).
       roles.properties, which holds users (key) and a comma-separated list of
       their roles (value).
       The unauthenticatedIdentity property defines the name of the principal
       that will be used when a null username and password are presented as is
       the case for an unuathenticated web client or MDB. If you want to
       allow such users to be authenticated add the property, e.g.,
       unauthenticatedIdentity="nobody"
       -->
       <authentication>
          <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required" />
       </authentication>
    </application-policy>
</policy>
4. edited jmx-console-users.properties for admin=admin
5. a) edited jmx-console-roles.properties for
# A sample roles.properties file for use with the UsersRolesLoginModule
admin=JBossAdmin,HttpInvoker
b) moved jmx-console-users.properties and jmx-console-roles.properties from
/usr/java/jboss-4.0.1sp1/server/site-minimal/deploy/jmx-console.war/WEB-INF/classes/jmx-console-users.properties
/usr/java/jboss-4.0.1sp1/server/site-minimal/deploy/jmx-console.war/WEB-INF/classes/jmx-console-roles.properties
to
/usr/java/jboss-4.0.1sp1/server/site-minimal/conf/
6. restarted jboss with /etc/init.d/jboss restart.
The problem is that it displays the login window, but when you put in the username and password a blank page is displayed. I can still browse http:\\(ip_add_of_server):8080 and not /jmx-console.
My directory listings are as follows:
/usr/java/jboss-4.0.1sp1/server/site-minimal/deploy/jmx-console.war/WEB-INF/web.xml
/usr/java/jboss-4.0.1sp1/server/site--minimal/conf/login-config.xml
/usr/java/jboss-4.0.1sp1/server/site-minimal/conf/jmx-console-users.properties
/usr/java/jboss-4.0.1sp1/server/site-minimal/conf/classes/jmx-console-roles.properties
6 b.
7. server log shows such error:
tail -f //usr/java/jboss-4.0.1sp1/server/usr/java/jboss/server/site-minimal/log/server.log
2010-07-01 00:31:37,632 ERROR [org.apache.coyote.tomcat5.CoyoteAdapter] An exception or error occurred in the container during the request processing
java.lang.SecurityException: Unable to locate a login configuration
    at com.sun.security.auth.login.ConfigFile.<init>(ConfigFile.java:97)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:494)
    at java.lang.Class.newInstance0(Class.java:350)
    at java.lang.Class.newInstance(Class.java:303)
    at javax.security.auth.login.Configuration$3.run(Configuration.java:216)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.Configuration.getConfiguration(Configuration.java:210)
    at javax.security.auth.login.LoginContext$1.run(LoginContext.java:237)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.init(LoginContext.java:234)
    at javax.security.auth.login.LoginContext.<init>(LoginContext.java:367)
    at javax.security.auth.login.LoginContext.<init>(LoginContext.java:444)
    at org.jboss.security.plugins.SubjectActions$LoginContextAction.run(SubjectActions.java:95)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.jboss.security.plugins.SubjectActions.createLoginContext(SubjectActions.java:152)
    at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:479)
    at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:420)
    at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:237)
    at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:210)
    at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:239)
    at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:129)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:54)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:118)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:929)
    at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:160)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:799)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:705)
    at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:577)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
    at java.lang.Thread.run(Thread.java:595)
Caused by: java.io.IOException: Unable to locate a login configuration
    at com.sun.security.auth.login.ConfigFile.init(ConfigFile.java:206)
    at com.sun.security.auth.login.ConfigFile.<init>(ConfigFile.java:95)
    ... 43 more
8. tail -f /usr/java/jboss-4.0.1sp1/server/usr/java/jboss/server/site-minimal/log/boot.log
00:31:10,865 INFO [Server] Starting JBoss (MX MicroKernel)...
00:31:10,866 INFO [Server] Release ID: JBoss [Zion] 4.0.1sp1 (build: CVSTag=JBoss_4_0_1_SP1 date=200502160314)
Can any of you guys help me?
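
A cross-check of the files edited in steps 2 to 5, as an added example that is not part of the original post: it verifies that the security-domain in jboss-web.xml names an application-policy in login-config.xml, that each module-option carries a name attribute, and that the role required by web.xml is granted in the roles file. The function names are hypothetical and the inputs are constructed, trimmed from the fragments quoted above.

```python
import xml.etree.ElementTree as ET

# Added example: helper names are hypothetical; samples are constructed,
# trimmed from the fragments quoted in the post.
WEB_XML = """<web-app><security-constraint><auth-constraint>
<role-name>JBossAdmin</role-name></auth-constraint></security-constraint></web-app>"""
JBOSS_WEB_XML = """<jboss-web>
<security-domain>java:/jaas/jmx-console</security-domain></jboss-web>"""
LOGIN_CONFIG = """<policy><application-policy name="jmx-console"><authentication>
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
<module-option>jmx-console-users.properties</module-option>
<module-option>jmx-console-roles.properties</module-option>
</login-module></authentication></application-policy></policy>"""
ROLES_PROPERTIES = "# sample roles file\nadmin=JBossAdmin,HttpInvoker\n"

def parse_roles(text):
    """Map user -> set of roles from the body of a roles properties file."""
    roles = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            user, _, value = line.partition("=")
            roles[user.strip()] = {r.strip() for r in value.split(",") if r.strip()}
    return roles

def check_console_security(web_xml, jboss_web_xml, login_config, roles_text):
    """Return a list of findings; an empty list means the pieces line up."""
    findings = []
    domain = ET.fromstring(jboss_web_xml).findtext("security-domain")
    if not domain:
        return ["jboss-web.xml: security-domain is missing or still commented out"]
    policy_name = domain.strip().rsplit("/", 1)[-1]  # java:/jaas/<name>
    policies = {p.get("name"): p for p in ET.fromstring(login_config).iter("application-policy")}
    policy = policies.get(policy_name)
    if policy is None:
        findings.append(f"login-config.xml: no application-policy named {policy_name!r}")
    else:
        for opt in policy.iter("module-option"):
            if not opt.get("name"):
                findings.append(f"login-config.xml: module-option {opt.text!r} has no name attribute")
    granted = set().union(*parse_roles(roles_text).values())
    for role in ET.fromstring(web_xml).iter("role-name"):
        if (role.text or "").strip() not in granted:
            findings.append(f"roles file: no user holds role {(role.text or '').strip()!r}")
    return findings

if __name__ == "__main__":
    for finding in check_console_security(WEB_XML, JBOSS_WEB_XML, LOGIN_CONFIG, ROLES_PROPERTIES):
        print(finding)
```

The check only compares names across the files; it does not tell whether the server configuration in use actually loads login-config.xml.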