-
2. Re: jboss 6 Security
nitinksks Feb 29, 2012 4:51 AM (in response to nitinksks)
I am providing here some console security steps.
If anybody knows some more security configuration steps that are useful in JBoss 6, please reply to me; I require it on an urgent basis.
Step 1: Change the JBoss Admin Password
To change the default Admin Console password, go to:
/usr/share/jboss-6.0.0.Final/server/default/conf/props
Open the jmx-console-users.properties file in a text editor and change the password.
# A sample users.properties file for use with the UsersRolesLoginModule
admin=MyPassword
Step 2: Secure the JMX Console
To secure the JMX Console, go to:
/usr/share/jboss-6.0.0.Final/common/deploy/jmx-console.war/WEB-INF
First, edit the web.xml file. Towards the bottom, you will find the security-constraint as shown below:
<!-- A security constraint that restricts access to the HTML JMX console
to users with the role JBossAdmin. Edit the roles to what you want and
uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
secured access to the HTML JMX console.
<security-constraint>
<web-resource-collection>
<web-resource-name>HtmlAdaptor</web-resource-name>
<description>An example security config that only allows users with the
role JBossAdmin to access the HTML JMX console web application
</description>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>JBossAdmin</role-name>
</auth-constraint>
</security-constraint>
-->
Un-comment the security-constraint section so it appears thus:
<security-constraint>
<web-resource-collection>
<web-resource-name>HtmlAdaptor</web-resource-name>
<description>An example security config that only allows users with the
role JBossAdmin to access the HTML JMX console web application
</description>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>JBossAdmin</role-name>
</auth-constraint>
</security-constraint>
Next, still in the WEB-INF directory, edit the jboss-web.xml file, which will look as below:
<!DOCTYPE jboss-web PUBLIC
"-//JBoss//DTD Web Application 5.0//EN"
"http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd">
<jboss-web>
<!-- Uncomment the security-domain to enable security. You will
need to edit the htmladaptor login configuration to setup the
login modules used to authentication users.
<security-domain>java:/jaas/jmx-console</security-domain>
-->
</jboss-web>
Uncomment the security-domain so it appears thus:
<!DOCTYPE jboss-web PUBLIC
"-//JBoss//DTD Web Application 5.0//EN"
"http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd">
<jboss-web>
<security-domain>java:/jaas/jmx-console</security-domain>
</jboss-web>
At this point, the password for the JMX Console will be the same as the password we set for the Admin Console in step 8 above.
Both the Admin Console and JMX Console are using the jmx-console-roles.properties and jmx-console-users.properties files.
Step 3: Secure the Web Service Console
To secure the Web Service Console, go to:
/usr/share/jboss-6.0.0.Final/common/deploy/jbossws-console.war/WEB-INF
First, edit the web.xml file. Towards the bottom, you will find the security-constraint as shown below:
<!-- A security constraint that restricts access
<security-constraint>
<web-resource-collection>
<web-resource-name>ContextServlet</web-resource-name>
<description>An example security config that only allows users with the
role 'friend' to access the JBossWS console web application
</description>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>friend</role-name>
</auth-constraint>
</security-constraint>
-->
Un-comment the security-constraint section so it appears thus:
<security-constraint>
<web-resource-collection>
<web-resource-name>ContextServlet</web-resource-name>
<description>An example security config that only allows users with the
role 'friend' to access the JBossWS console web application
</description>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>friend</role-name>
</auth-constraint>
</security-constraint>
Next, still in the WEB-INF directory, edit the jboss-web.xml file, which will look as below:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE jboss-web
PUBLIC "-//JBoss//DTD Web Application 2.3V2//EN"
"http://www.jboss.org/j2ee/dtd/jboss-web_3_2.dtd">
<jboss-web>
<!-- A security domain that restricts access
<security-domain>java:/jaas/JBossWS</security-domain>
-->
<context-root>jbossws</context-root>
</jboss-web>
Uncomment the security-domain so it appears thus:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE jboss-web
PUBLIC "-//JBoss//DTD Web Application 2.3V2//EN"
"http://www.jboss.org/j2ee/dtd/jboss-web_3_2.dtd">
<jboss-web>
<security-domain>java:/jaas/JBossWS</security-domain>
<context-root>jbossws</context-root>
</jboss-web>
The default user name and password are kermit/thefrog
To change this, go to:
/usr/share/jboss-6.0.0.Final/server/default/conf/props
Open jbossws-roles.properties in a text editor; it should appear as below.
# A sample roles.properties file for use with the UsersRolesLoginModule
kermit=friend
Change 'kermit' to a new user name. For example, we'll change it to 'mywsuser' as shown below:
# A sample roles.properties file for use with the UsersRolesLoginModule
mywsuser=friend
Open jbossws-users.properties in a text editor; it should appear as below.
# A sample users.properties file for use with the UsersRolesLoginModule
kermit=thefrog
Change 'kermit' to our new user name 'mywsuser' and change the password. For example, we'll change the password to 'MyWsPassword' as shown below:
# A sample users.properties file for use with the UsersRolesLoginModule
mywsuser=MyWsPassword
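An added example, not part of the original post or of JBoss: a small Python check for the half-configured state the steps above can leave behind, where web.xml has an active security-constraint but the security-domain in jboss-web.xml is still commented out (or the reverse), plus a scan of a users.properties file for the kermit/thefrog default. The function names and the trimmed sample files are constructed for illustration.

```python
import xml.etree.ElementTree as ET

KNOWN_DEFAULTS = {("kermit", "thefrog")}  # default pair named in the post above

def live(node, name):
    """Elements called `name` that are active, i.e. not inside an XML comment."""
    # ElementTree's default parser discards comments; namespaces are stripped.
    return [e for e in node.iter()
            if isinstance(e.tag, str) and e.tag.rsplit("}", 1)[-1] == name]

def audit_console(web_xml, jboss_web_xml):
    """Check the web.xml / jboss-web.xml pair of one console WAR."""
    web, jweb = ET.fromstring(web_xml), ET.fromstring(jboss_web_xml)
    findings = []
    roles = [r.text.strip() for c in live(web, "security-constraint")
             for a in live(c, "auth-constraint")
             for r in live(a, "role-name") if r.text]
    if not roles:
        findings.append("web.xml: no active security-constraint with a role")
    if not [d for d in live(jweb, "security-domain") if d.text]:
        findings.append("jboss-web.xml: security-domain is not active")
    return findings

def audit_users(props_text, known=KNOWN_DEFAULTS):
    """Flag default or empty passwords in a simple user=password file."""
    findings = []
    for line in props_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        user, password = (p.strip() for p in line.split("=", 1))
        if (user, password) in known:
            findings.append(f"default credentials still present for {user!r}")
        elif not password:
            findings.append(f"empty password for {user!r}")
    return findings

# Constructed samples, trimmed from the files shown in the post.
CONSTRAINT = """<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
</security-constraint>"""
DOMAIN = "<security-domain>java:/jaas/jmx-console</security-domain>"
WEB_ENABLED = f"<web-app>{CONSTRAINT}</web-app>"
JWEB_COMMENTED = f"<jboss-web><!-- {DOMAIN} --></jboss-web>"
if __name__ == "__main__":
    print(audit_console(WEB_ENABLED, JWEB_COMMENTED), audit_users("kermit=thefrog"))
```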
-
3. Re: jboss 6 Security
wlam Jul 20, 2012 12:07 PM (in response to nitinksks)
Hi Nitin,
I followed your instruction #2 to change the admin password. Then I used jboss_init_redhat.sh to stop and to start jboss. The new password is NOT working on the admin console; only the old one works. Any clue?
Thanks,
Will