27 Replies Latest reply: Sep 19, 2013 4:07 AM by Vinh Ong
  • 15. Securing the JMX Console
    Darran Lofthouse Master

    Are you definitely running the default configuration?  If you check under server/default/log are you seeing the server.log and boot.log updated recently?

  • 16. Securing the JMX Console
    edgarosy Newbie

    Yes. I can see both being updated today.

  • 17. Securing the JMX Console
    Daniel Manyemwe Newbie

    Yes, it is configured that way. I have done this before and it worked fine on AS 6.0.0 but it's been giving me trouble since yesterday on AS 5.1.0! I know the .properties files are fine because if I log in using the admin-console (which also uses the jmx-console security domain), the username and password combination it accepts is the one I have in my properties file. It is supposed to be straightforward!

  • 18. Securing the JMX Console
    Daniel Manyemwe Newbie

    Definitely, if I rename my jmx-console.war I see it being undeployed in my log file (I am tailing it).

  • 19. Securing the JMX Console
    Darran Lofthouse Master

    edgarosy wrote:

     

    Yes. I can see both being updated today.

     

    That question was to Daniel, as it is his configuration not being picked up.

  • 20. Securing the JMX Console
    Darran Lofthouse Master

    Ok, in that case have you ever entered a valid username and password into a pop up window in your web browser?  For BASIC authentication it is quite common for the browser to cache the credentials and automatically present them to the server without further prompts.

     

    If you have one available maybe try a connection from a machine / browser that has not been used to connect to the JMX console previously.

  • 21. Re: Securing the JMX Console
    Daniel Manyemwe Newbie

    That was my thinking as well, so I downloaded Chrome and tried with it, same thing, direct access!

     

    Just tried from a non-dev machine, same thing, so it definitely isn't caching. I even rebooted the server, didn't work.

  • 22. Securing the JMX Console
    Henna M Newbie

    Even I am facing the same issue, made changes in the web.xml, jboss-web.xml, login-config and the user.properties file. Still the popup to login for jmx-console does not appear. The jmx-console simply comes up without the popup.

     

    Daniel Manyemwe wrote:

     

    That was my thinking as well, so I downloaded Chrome and tried with it, same thing, direct access!

     

    Just tried from a non-dev machine, same thing, so it definitely isn't caching. I even rebooted the server, didn't work.


    Were you able to find a solution for it? I have made the following changes.

     

     

    C:\Program Files\jboss-5.1.0.GA\server\default\deploy\jmx-console.war\WEB-INF\web.xml

     

       <!-- A security constraint that restricts access to the HTML JMX console
       to users with the role JBossAdmin. Edit the roles to what you want and
       uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
       secured access to the HTML JMX console.-->
       <security-constraint>
         <web-resource-collection>
           <web-resource-name>HtmlAdaptor</web-resource-name>
           <description>An example security config that only allows users with the
             role JBossAdmin to access the HTML JMX console web application
           </description>
           <url-pattern>/*</url-pattern>
           <http-method>GET</http-method>
           <http-method>POST</http-method>
         </web-resource-collection>
         <auth-constraint>
           <role-name>JBossAdmin</role-name>
         </auth-constraint>
       </security-constraint>
      

       <login-config>
          <auth-method>BASIC</auth-method>
          <realm-name>JBoss JMX Console</realm-name>
       </login-config>

       <security-role>
          <role-name>JBossAdmin</role-name>
       </security-role>
    </web-app>

     

     

     

     

    C:\Program Files\jboss-5.1.0.GA\server\default\deploy\jmx-console.war\WEB-INF\jboss-web.xml

     

    <jboss-web>
       <!-- Uncomment the security-domain to enable security. You will
          need to edit the htmladaptor login configuration to setup the
          login modules used to authentication users. -->
       <security-domain>java:/jaas/jmx-console</security-domain>
    </jboss-web>

     

     

     

     

    C:\Program Files\jboss-5.1.0.GA\server\default\conf\login-config.xml

     

      <!-- A template configuration for the jmx-console web application. This
        defaults to the UsersRolesLoginModule the same as other and should be
        changed to a stronger authentication mechanism as required.
      -->
      <application-policy name="jmx-console">
        <authentication>
          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
            flag="required">
            <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
            <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
          </login-module>
        </authentication>
      </application-policy>

  • 23. Securing the JMX Console
    Daniel Manyemwe Newbie

    Hi Henna,

     

    Unfortunately I have not solved this problem, but the more secure alternative is to just undeploy the jmx-console. You can move the whole jmx-console.war directory out of /deploy, and should you need it again you can move it in. Not the best solution, but given my time constraints that's the best I could come up with!

     

    Good luck.

  • 24. Securing the JMX Console
    Henna M Newbie

    Daniel,

     

    I am able to make it work by making the same changes in the files under the JBoss folder present in my code and not under the server directory.

    Thanks for the suggestion.

  • 25. Securing the JMX Console
    Viacheslav Garmash Newbie

    For those who find this topic by search:

     

    There is a community courtesy notification for a severe security issue affecting some of the JBoss projects and products. Default security settings in web.xml protect only GET and POST protocols, leaving the other ones open. Please refer to the following Red Hat KBase article for more information:

     

    JBoss Products & CVE-2010-0738

     

    Only when you apply the solution can you be sure that your JMX Console is protected.

    Please note that Web Console has the same issue, and you need to apply the solution to it as well.

     

    Also it is recommended to hash passwords in the config files. Read about how to do it in JBoss Getting Started guide.
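
Added example, not part of the original posts and not JBoss or Red Hat code: a small Python audit of the two descriptors discussed in this thread. It flags a `<security-constraint>` that lists `<http-method>` elements (the GET/POST-only default described in the post above) and reports whether `jboss-web.xml` has an active `<security-domain>`; the sample XML strings and the function names `audit_web_xml` and `security_domain` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint as posted in this thread (GET and POST only).
WEAK_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Same file with the <http-method> lines deleted: the constraint then covers
# every HTTP method, not just the listed ones.
FIXED_WEB_XML = "\n".join(
    line for line in WEAK_WEB_XML.splitlines() if "<http-method>" not in line)

# Constructed sample: jboss-web.xml with the security domain still commented out.
COMMENTED_JBOSS_WEB = """<jboss-web>
  <!-- <security-domain>java:/jaas/jmx-console</security-domain> -->
</jboss-web>"""

def _named(root, name):
    """Elements called `name`, ignoring any XML namespace prefix."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def audit_web_xml(text):
    """Return findings for the <security-constraint> blocks of a web.xml."""
    root = ET.fromstring(text)  # the default parser drops XML comments
    constraints = _named(root, "security-constraint")
    findings = [] if constraints else ["no active <security-constraint>"]
    for sc in constraints:
        methods = sorted((m.text or "").strip().upper()
                         for m in _named(sc, "http-method"))
        if methods:
            findings.append("constraint limited to " + ",".join(methods)
                            + "; requests using other methods are not checked")
        if not _named(sc, "auth-constraint"):
            findings.append("constraint has no <auth-constraint>")
    return findings

def security_domain(text):
    """Active <security-domain> value of a jboss-web.xml, or None."""
    found = _named(ET.fromstring(text), "security-domain")
    return (found[0].text or "").strip() if found else None
```

Run it against the descriptors in the directory the server actually deploys from; a commented-out element is treated as absent because the parser discards comments.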

  • 27. Re: Securing the JMX Console
    Vinh Ong Newbie

    I was somehow having the same problem. I made it work as follows:

    edit default/deploy/jbossweb.sar/server.xml

    I found there is missing:

    <Realm className="org.jboss.web.tomcat.security.JBossWebRealm"
    certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping"
    allRolesMode="authOnly"
    />

    between "<Engine name="jboss.web" defaultHost="localhost">" and "<Host name="localhost">"

     

    I am not sure why this is missing. The latest version of JBoss 5.1.0.GA is OK. Maybe some version before missed it.
