27 Replies. Latest reply: Sep 19, 2013 4:07 AM by Vinh Ong

Securing the JMX Console

Bhanu Pratap Padmanabhuni Newbie

Hi,

 

I am working on securing the JMX console for JBOSS 4.2.1 and following the below article to make the necessary configuration changes:

 

http://community.jboss.org/wiki/securetheJmxConsole

 

But even after doing the necessary steps, when I tried to log in to the JMX console it is not working... I am getting the below error message in the JBoss server console:

 

13:48:00,014 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
        at org.jboss.security.auth.spi.Util.loadProperties(Util.java:315)
        at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
        at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
        at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)

 

I did the below steps:

 

1. {jboss.server.home.dir}/deploy/jmx-console.war/WEB-INF/web.xml : Uncommented the block <security-constraint>
and added a <login-config> block like the one below:

   <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>jmx-console</realm-name>
   </login-config>

 

2. Changed the username/password in the file :

{jboss.server.home.dir}/conf/props/jmx-console-users.properties

 

3. {jboss.server.home.dir}/conf/login-config.xml
Changed the path to the web-console-users.properties and the web-console-roles.properties as follows (add props/ to the front of the path)

Restarted my server and tried to log in to the JMX Console. It is prompting for the user/pwd, but when I give the right one it is giving the above error.

 

Can somebody please guide me through the steps?

 

I have attached the files I have changed.

 

Thanks,

Bhanu.

  • 1. Re: Securing the JMX Console
    Bhanu Pratap Padmanabhuni Newbie

    I was able to make it work. Please follow the below steps:

     

    1. {jboss.server.home.dir}/deploy/jmx-console.war/WEB-INF/web.xml :

    Uncomment the block :<security-constraint>

    And add <login-config> block like the one below:

     

       <security-constraint>
         <web-resource-collection>
           <web-resource-name>HtmlAdaptor</web-resource-name>
           <description>An example security config that only allows users with the
             role JBossAdmin to access the HTML JMX console web application
           </description>
           <url-pattern>/*</url-pattern>
           <http-method>GET</http-method>
           <http-method>POST</http-method>
         </web-resource-collection>
         <auth-constraint>
           <role-name>JBossAdmin</role-name>
         </auth-constraint>
       </security-constraint>

       <login-config>
          <auth-method>BASIC</auth-method>
          <realm-name>jmx-console</realm-name>
       </login-config>

       <security-role>
          <role-name>JBossAdmin</role-name>
       </security-role>

     

    2. {jboss.server.home.dir}/deploy/jmx-console.war/WEB-INF/jboss-web.xml

    Uncomment the security-domain block:

    <security-domain>java:/jaas/jmx-console</security-domain>

     

    3. Change the username/password in the file :

     

    {jboss.server.home.dir}/conf/props/jmx-console-users.properties

    Eg: admin=admin (or give your own password)

     

    And the file {jboss.server.home.dir}/conf/props/jmx-console-roles.properties should have the below entry (the user mapped to the JBossAdmin role)

     

    admin=JBossAdmin,HttpInvoker

     

    4. {jboss.server.home.dir}/conf/login-config.xml

    Change the path to the web-console-users.properties and the web-console-roles.properties as follows (add props/ to the front of the path)

     

        <application-policy name="jmx-console">
           <authentication>
              <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                 flag="required">
                <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
                <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
              </login-module>
           </authentication>
        </application-policy>
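
Added example (not part of the original thread and not JBoss code): a Python check of the files edited in steps 1 to 4 above, reporting the failure modes seen in this thread plus the Servlet rule that a constraint listing `<http-method>` elements covers only those methods. The function names, finding texts and sample strings are assumptions made for illustration.

```python
# Added illustration; function names and finding texts are assumptions, not JBoss APIs.
import xml.etree.ElementTree as ET

def find(root, name):
    """Descendants with this local tag name; commented-out blocks never appear."""
    return [e for e in root.iter() if e.tag.rsplit('}', 1)[-1] == name]

def props(text):  # key=value lines, comment lines skipped
    rows = [l.split('=', 1) for l in text.splitlines() if '=' in l and not l.startswith('#')]
    return {k.strip(): v.strip() for k, v in rows}

def audit(web_xml, jboss_web_xml, login_xml, users_txt, roles_txt):
    """Return findings for web.xml, jboss-web.xml, login-config.xml and the props files."""
    out = []
    cons = find(ET.fromstring(web_xml), 'security-constraint')
    need = {r.text.strip() for c in cons for r in find(c, 'role-name')}
    if not need:
        out.append('web.xml: no active security-constraint')
    verbs = sorted({m.text.strip() for c in cons for m in find(c, 'http-method')})
    if verbs:  # listed methods are the only ones the constraint covers
        out.append('web.xml: constraint limited to ' + ','.join(verbs))
    dom = find(ET.fromstring(jboss_web_xml), 'security-domain')
    name = dom[0].text.strip().rsplit('/', 1)[-1] if dom else None
    if name is None:
        out.append('jboss-web.xml: no active security-domain')
    pol = [p for p in find(ET.fromstring(login_xml), 'application-policy') if p.get('name') == name]
    if name and not pol:
        out.append('login-config.xml: no application-policy ' + name)
    opts = {o.get('name') for p in pol for o in find(p, 'module-option')}
    for key in ('usersProperties', 'rolesProperties'):
        if pol and key not in opts:  # unnamed option: the module uses its default file name
            out.append('login-config.xml: module-option ' + key + ' not set')
    users, roles = props(users_txt), props(roles_txt)
    out += ['users: password equals user name for ' + u for u, p in users.items() if u == p]
    holders = [u for u, r in roles.items() if u in users and need & set(r.replace(' ', '').split(','))]
    if need and not holders:
        out.append('roles: no user holds ' + ','.join(sorted(need)))
    return out

# Constructed sample: steps 1-3 applied, module-option elements left without name=.
WEB = ('<web-app><security-constraint><web-resource-collection><http-method>GET</http-method>'
       '<http-method>POST</http-method></web-resource-collection><auth-constraint>'
       '<role-name>JBossAdmin</role-name></auth-constraint></security-constraint></web-app>')
JBOSS_WEB = '<jboss-web><security-domain>java:/jaas/jmx-console</security-domain></jboss-web>'
LOGIN = ('<policy><application-policy name="jmx-console"><authentication><login-module>'
         '<module-option>props/jmx-console-users.properties</module-option>'
         '</login-module></authentication></application-policy></policy>')
FINDINGS = audit(WEB, JBOSS_WEB, LOGIN, 'admin=admin', 'admin=JBossAdmin,HttpInvoker')
```

To run it against a server, pass the contents of the real files read from `{jboss.server.home.dir}` instead of the sample strings.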

  • 2. Securing the JMX Console
    edgarosy Newbie

    I know this post has been here for a while, but I do have a question about it since I recently started using Jboss 5 and noticed that the http://localhost:8080/jmx-console page is opened to everyone.

     

    I followed all of your steps and am able to get the login screen. Once I input the user name & password I configured in jmx-console-users.properties, I don't get any errors on the page itself, but instead it keeps redirecting me back to the login prompt even though I am typing the correct user name & password information.

     

    When I look at the server.log on the server itself I see these error messages. What did I do wrong, and can any of you help me figure this out?

     

    ER [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8080-1) Failed to load users/passwords/role files
    java.io.IOException: No properties file: props/users.properties or defaults: defaultUsers.properties found
              at org.jboss.security.auth.spi.Util.loadProperties(Util.java:198)
              at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
              at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
              at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
              at java.lang.reflect.Method.invoke(Method.java:597)
              at javax.security.auth.login.LoginContext.invoke(LoginContext.java:756)
              at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
              at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
              at java.security.AccessController.doPrivileged(Native Method)
              at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
              at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
              at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:552)
              at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:486)
              at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)
              at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)
              at org.jboss.web.tomcat.security.JBossWebRealm.authenticate(JBossWebRealm.java:384)
              at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:181)
              at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
              at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
              at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
              at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
              at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
              at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
              at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:828)
              at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:601)
              at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
              at java.lang.Thread.run(Thread.java:619)

     

     

    Thank you.

  • 3. Securing the JMX Console
    edgarosy Newbie

    Nevermind. I got it working.

     

    bah.

  • 4. Securing the JMX Console
    Daniel Manyemwe Newbie

    Hi All,

     

    I have followed the steps at http://community.jboss.org/wiki/SecureTheJmxConsole exactly but I am still not being prompted for a user name and password! Is there another configuration elsewhere in JBoss that overrides the application policy? I'm using JBoss-5.1.0.GA. Thanks!

     

    login-config.xml [jboss-5.1.0.GA/server/default/conf/login-config.xml]

    ...
      <application-policy name="jmx-console">
        <authentication>
          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
            flag="required">
            <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
            <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
          </login-module>
        </authentication>
      </application-policy>
    ...

    jboss-web.xml [jboss-5.1.0.GA/server/default/deploy/jmx-console.war/WEB-INF/jboss-web.xml]

    <jboss-web>
      <security-domain>java:/jaas/jmx-console</security-domain>
    </jboss-web>

    Web.xml [jboss-5.1.0.GA/server/default/deploy/jmx-console.war/WEB-INF/web.xml]

    ...
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>HtmlAdaptor</web-resource-name>
          <description>An example security config that only allows users with the
            role JBossAdmin to access the HTML JMX console web application
          </description>
          <url-pattern>/*</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>JBossAdmin</role-name>
        </auth-constraint>
      </security-constraint>

      <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>jmx-console</realm-name>
      </login-config>

      <security-role>
        <role-name>JBossAdmin</role-name>
      </security-role>
    </web-app>

     

    My users and roles properties files are fine since the login works for the admin-console (it uses java:/jaas/jmx-console as well).

  • 5. Securing the JMX Console
    Nicklas Karlsson Master

    Tried on a clean browser / after a server restart? If you share domains (e.g with the admin-console) it might remember your previous login?

  • 6. Securing the JMX Console
    Daniel Manyemwe Newbie

    Hi Nicklas,

     

    Thank you for the quick response. Yes, I have restarted the jboss service several times and have tried from a fresh install of Chrome, it always enters without prompting for credentials. I thought there may be another setting somewhere that overrides this? Note though that it does ask for the credentials when I log into the admin-console. Any ideas?

  • 7. Securing the JMX Console
    Nicklas Karlsson Master

    Not really, I've only done it on AS 6 but I would think as long as the correct security related blocks were uncommented in both web.xml and jboss-web.xml, it should start working...

  • 8. Securing the JMX Console
    Daniel Manyemwe Newbie

    Ok, there must be some caching going on somewhere then, will try rebooting and deleting temp files. Thanks!

  • 9. Securing the JMX Console
    Daniel Manyemwe Newbie

    Still no luck, this is very strange. There must be another config somewhere that's blocking my auth.

  • 10. Securing the JMX Console
    Nicklas Karlsson Master

    And you're sure you have edited the correct web.xml and jboss-web.xml files? What are the full paths to them?

  • 11. Securing the JMX Console
    Daniel Manyemwe Newbie

    I'm quite sure, the files edited are as below - full paths in [square brackets]:

     

    login-config.xml [jboss-5.1.0.GA/server/default/conf/login-config.xml]

    ...
      <application-policy name="jmx-console">
        <authentication>
          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
            flag="required">
            <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
            <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
          </login-module>
        </authentication>
      </application-policy>
    ...

    jboss-web.xml [jboss-5.1.0.GA/server/default/deploy/jmx-console.war/WEB-INF/jboss-web.xml]

    <jboss-web>
      <security-domain>java:/jaas/jmx-console</security-domain>
    </jboss-web>

    Web.xml [jboss-5.1.0.GA/server/default/deploy/jmx-console.war/WEB-INF/web.xml]

    ...
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>HtmlAdaptor</web-resource-name>
          <description>An example security config that only allows users with the
            role JBossAdmin to access the HTML JMX console web application
          </description>
          <url-pattern>/*</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>JBossAdmin</role-name>
        </auth-constraint>
      </security-constraint>

      <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>jmx-console</realm-name>
      </login-config>

      <security-role>
        <role-name>JBossAdmin</role-name>
      </security-role>
    </web-app>

  • 12. Securing the JMX Console
    edgarosy Newbie

    What about the /jboss/server/instance/deploy/management/console-mgr.sar/web-console.war/WEB-INF web.xml and jboss-web.xml file. Did you comment out the security blocks there too?

  • 13. Securing the JMX Console
    Daniel Manyemwe Newbie

    I think those configs are for the web console, the security domain there is java:/jaas/web-console. But to answer your question, yes I did! The web-console actually has the same problem as the jmx-console, it is also not showing the credential dialog.

  • 14. Securing the JMX Console
    edgarosy Newbie

    Is your /opt/jboss/server/instance/conf/props  jmx-console-roles.properties & web-console-roles.properties configured like this:

     

    username=JBossAdmin,HttpInvoker (username = to whatever you place under the jmx-console-roles.properties)

     

    your jmx-console-users.properties & web-console-users.properties should be configured like this:

     

    username=domain

     

    I am new to Jboss, but I was also having a hard time getting this to work.
