27 Replies Latest reply on Sep 19, 2013 4:07 AM by omvinh
      • 15. Securing the JMX Console
        dlofthouse

        Are you definitely running the default configuration?  If you check under server/default/log, are you seeing the server.log and boot.log updated recently?

        • 16. Securing the JMX Console
          edgarosy

          Yes. I can see both being updated today.

          • 17. Securing the JMX Console
            dmanyemwe

            Yes, it is configured that way. I have done this before and it worked fine on AS 6.0.0, but it's been giving me trouble since yesterday on AS 5.1.0! I know the .properties files are fine because if I log in using the admin-console (which also uses the jmx-console security domain), the username and password combination it accepts is the one I have in my properties file. It is supposed to be straightforward!

            • 18. Securing the JMX Console
              dmanyemwe

              Definitely, if I rename my jmx-console.war I see it being undeployed in my log file (I am tailing it).

              • 19. Securing the JMX Console
                dlofthouse

                edgarosy wrote:

                 

                Yes. I can see both being updated today.

                 

                That question was to Daniel as it is his configuration not being picked up

                • 20. Securing the JMX Console
                  dlofthouse

                  Ok, in that case have you ever entered a valid username and password into a pop up window in your web browser?  For BASIC authentication it is quite common for the browser to cache the credentials and automatically present them to the server without further prompts.

                   

                  If you have one available maybe try a connection from a machine / browser that has not been used to connect to the JMX console previously.

                  • 21. Re: Securing the JMX Console
                    dmanyemwe

                    That was my thinking as well, so I downloaded Chrome and tried with it, same thing, direct access!

                     

                    Just tried from a non-dev machine, same thing, so it definitely isn't caching. I even rebooted the server, didn't work.

                    • 22. Securing the JMX Console
                      sheital

                      I am facing the same issue too. I made changes in the web.xml, jboss-web.xml, login-config and the user.properties file. Still the login popup for the jmx-console does not appear; the jmx-console simply comes up without the popup.

                       

                      Daniel Manyemwe wrote:

                       

                      That was my thinking as well, so I downloaded Chrome and tried with it, same thing, direct access!

                       

                      Just tried from a non-dev machine, same thing, so it definitely isn't caching. I even rebooted the server, didn't work.


                      Were you able to find a solution for it? I have made the following changes.

                       

                       

                      C:\Program Files\jboss-5.1.0.GA\server\default\deploy\jmx-console.war\WEB-INF\web.xml

                       

                         <!-- A security constraint that restricts access to the HTML JMX console
                         to users with the role JBossAdmin. Edit the roles to what you want and
                         uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
                         secured access to the HTML JMX console.-->
                         <security-constraint>
                           <web-resource-collection>
                             <web-resource-name>HtmlAdaptor</web-resource-name>
                             <description>An example security config that only allows users with the
                               role JBossAdmin to access the HTML JMX console web application
                             </description>
                             <url-pattern>/*</url-pattern>
                             <http-method>GET</http-method>
                             <http-method>POST</http-method>
                           </web-resource-collection>
                           <auth-constraint>
                             <role-name>JBossAdmin</role-name>
                           </auth-constraint>
                         </security-constraint>
                        

                         <login-config>
                            <auth-method>BASIC</auth-method>
                            <realm-name>JBoss JMX Console</realm-name>
                         </login-config>

                         <security-role>
                            <role-name>JBossAdmin</role-name>
                         </security-role>
                      </web-app>

                       

                       

                       

                       

                      C:\Program Files\jboss-5.1.0.GA\server\default\deploy\jmx-console.war\WEB-INF\jboss-web.xml

                       

                      <jboss-web>
                         <!-- Uncomment the security-domain to enable security. You will
                            need to edit the htmladaptor login configuration to setup the
                            login modules used to authentication users. -->
                         <security-domain>java:/jaas/jmx-console</security-domain>
                      </jboss-web>

                       

                       

                       

                       

                      C:\Program Files\jboss-5.1.0.GA\server\default\conf\login-config.xml

                       

                        <!-- A template configuration for the jmx-console web application. This
                          defaults to the UsersRolesLoginModule the same as other and should be
                          changed to a stronger authentication mechanism as required.
                        -->
                        <application-policy name="jmx-console">
                          <authentication>
                            <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                              flag="required">
                              <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
                              <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
                            </login-module>
                          </authentication>
                        </application-policy>

                      • 23. Securing the JMX Console
                        dmanyemwe

                        Hi Henna,

                         

                        Unfortunately I have not solved this problem, but the more secure alternative is to just undeploy the jmx-console. You can move the whole jmx-console.war directory out of /deploy, and should you need it again you can move it back in. Not the best solution, but given my time constraints that's the best I could come up with!

                         

                        Good luck.

                        • 24. Securing the JMX Console
                          sheital

                          Daniel,

                           

                          I was able to make it work by making the same changes in the files under the JBoss folder present in my code, not under the server directory.

                          Thanks for the suggestion.

                          • 25. Securing the JMX Console
                            vgarmash

                            For those who find this topic by search:

                             

                            There is a community courtesy notification for a severe security issue affecting some of the JBoss projects and products. Default security settings in web.xml protect only the GET and POST protocols, leaving the other ones open. Please refer to the following Red Hat KBase article for more information:

                             

                            JBoss Products & CVE-2010-0738

                             

                            Only when you apply the solution can you be sure that your JMX Console is protected.

                            Please note that the Web Console has the same issue, and you need to apply the solution to it as well.

                             

                            It is also recommended to hash the passwords in the config files. Read how to do it in the JBoss Getting Started guide.
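The web.xml posted in reply 22 and the CVE-2010-0738 note in reply 25 describe the same weakness: a security-constraint whose web-resource-collection lists only GET and POST leaves every other HTTP method on /* unconstrained. The script below is an added example (not code from the thread, from Red Hat, or from the JBoss project) that audits a web.xml for that pattern and produces the hardened form by dropping the http-method elements so the constraint applies to every method. The SAMPLE_WEB_XML string is a constructed input modelled on the posted file, with the usual Java EE namespace added; the function names are my own.

```python
"""Audit a servlet web.xml for security-constraints that cover only some HTTP methods.

Added example; the sample document below is constructed, not taken from a deployment.
"""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the jmx-console web.xml quoted in the thread.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>JBoss JMX Console</realm-name>
  </login-config>
  <security-role>
    <role-name>JBossAdmin</role-name>
  </security-role>
</web-app>
"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def _children(el, name):
    return [c for c in el if _local(c.tag) == name]


def _descendants(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]


def audit_constraints(web_xml_text):
    """Return one finding per web-resource-collection.

    covers_all_methods is False when the collection names explicit http-method
    elements: the servlet container then enforces the auth-constraint only for
    those methods, and any other method reaches the resource unauthenticated.
    """
    root = ET.fromstring(web_xml_text)
    findings = []
    for sc in _descendants(root, "security-constraint"):
        roles = [r.text.strip() for r in _descendants(sc, "role-name") if r.text]
        for wrc in _children(sc, "web-resource-collection"):
            names = _children(wrc, "web-resource-name")
            methods = [m.text.strip().upper() for m in _children(wrc, "http-method") if m.text]
            findings.append({
                "resource": names[0].text.strip() if names and names[0].text else "",
                "patterns": [p.text.strip() for p in _children(wrc, "url-pattern") if p.text],
                "roles": roles,
                "methods": methods,
                "covers_all_methods": not methods,
            })
    return findings


def harden(web_xml_text):
    """Remove every http-method element so each constraint covers all methods."""
    root = ET.fromstring(web_xml_text)
    if root.tag.startswith("{"):
        # Keep the default namespace on output instead of an ns0: prefix.
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])
    for wrc in _descendants(root, "web-resource-collection"):
        for m in _children(wrc, "http-method"):
            wrc.remove(m)
    return ET.tostring(root, encoding="unicode")


def report(web_xml_text):
    """Human-readable lines, one per web-resource-collection."""
    lines = []
    for f in audit_constraints(web_xml_text):
        if f["covers_all_methods"]:
            lines.append("OK   %s %s -> roles %s for every HTTP method"
                         % (f["resource"], f["patterns"], f["roles"]))
        else:
            lines.append("WEAK %s %s -> only %s constrained; other methods are unauthenticated"
                         % (f["resource"], f["patterns"], f["methods"]))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_WEB_XML)))
    print("\n".join(report(harden(SAMPLE_WEB_XML))))
```

Run it against a deployed web.xml by passing the file contents to report(); a WEAK line means the constraint needs its http-method elements removed (the fix the KBase article describes). The check deliberately treats any explicit method list as weak rather than trying to enumerate "missing" verbs, since a container will accept methods beyond the standard set. JBoss AS 5 is a Servlet 2.5 container, so the Servlet 3.0 http-method-omission element is not available there.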

                            • 26. Securing the JMX Console
                              vgarmash
                              • 27. Re: Securing the JMX Console
                                omvinh

                                I was somehow having the same problem. I made it work as follows:

                                Edit default/deploy/jbossweb.sar/server.xml.

                                I found that the following is missing:

                                <Realm className="org.jboss.web.tomcat.security.JBossWebRealm"
                                certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping"
                                allRolesMode="authOnly"
                                />

                                between "<Engine name="jboss.web" defaultHost="localhost">" and "<Host name="localhost">"

                                 

                                I am not sure why this is missing. The latest version of JBoss 5.1.0.GA is OK. Maybe some version before missed it.
