3 Replies Latest reply on Jul 20, 2012 12:07 PM by wlam

    jboss 6 Security

    nitinksks

      Hi,

      How do I do security configuration in JBoss 6?

      Thanks.

        • 1. Re: jboss 6 Security
          alesj
          • 2. Re: jboss 6 Security
            nitinksks

            I am providing some console security steps here.

            If anybody knows more security configuration steps that are useful in JBoss 6, please reply; I require it on an urgent basis.

            Step 1: Change the JBoss Admin Password

            To change the default Admin Console password, go to:

             

            /usr/share/jboss-6.0.0.Final/server/default/conf/props

             

            Open the jmx-console-users.properties file in text editor and change the password.


            # A sample users.properties file for use with the UsersRolesLoginModule
            admin=MyPassword

             

             

             

            Step 2: Secure the JMX Console

             

             

            To secure the JMX Console, go to:

             

            /usr/share/jboss-6.0.0.Final/common/deploy/jmx-console.war/WEB-INF

             

            First, edit the web.xml file. Towards the bottom, you will find the security-constraint as shown below:


            <!-- A security constraint that restricts access to the HTML JMX console
               to users with the role JBossAdmin. Edit the roles to what you want and
               uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
               secured access to the HTML JMX console.
               <security-constraint>
                 <web-resource-collection>
                   <web-resource-name>HtmlAdaptor</web-resource-name>
                   <description>An example security config that only allows users with the
                     role JBossAdmin to access the HTML JMX console web application
                   </description>
                   <url-pattern>/*</url-pattern>
                 </web-resource-collection>
                 <auth-constraint>
                   <role-name>JBossAdmin</role-name>
                 </auth-constraint>
               </security-constraint>
               -->

             

             

            Un-comment the security-constraint section so it appears thus:


            <security-constraint>
                 <web-resource-collection>
                   <web-resource-name>HtmlAdaptor</web-resource-name>
                   <description>An example security config that only allows users with the
                     role JBossAdmin to access the HTML JMX console web application
                   </description>
                   <url-pattern>/*</url-pattern>
                 </web-resource-collection>
                 <auth-constraint>
                   <role-name>JBossAdmin</role-name>
                 </auth-constraint>
               </security-constraint>

             

             

            Next, still in the WEB-INF directory, edit the jboss-web.xml file, which will look as below:


            <!DOCTYPE jboss-web PUBLIC
               "-//JBoss//DTD Web Application 5.0//EN"
               "http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd">
               
            <jboss-web>
               <!-- Uncomment the security-domain to enable security. You will
                  need to edit the htmladaptor login configuration to setup the
                  login modules used to authentication users.
                  <security-domain>java:/jaas/jmx-console</security-domain>
               -->
            </jboss-web>

             

             

            Uncomment the security-domain so it appears thus:

            <!DOCTYPE jboss-web PUBLIC
               "-//JBoss//DTD Web Application 5.0//EN"
               "http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd">

            <jboss-web>
               <security-domain>java:/jaas/jmx-console</security-domain>
            </jboss-web>

            At this point, the password for the JMX Console will be the same as the password we set for the Admin Console in step 8 above.

            Both the Admin Console and JMX Console are using the jmx-console-roles.properties and jmx-console-users.properties files.

            Step 3: Secure the Web Service Console

             

             

            To secure the Web Service Console, go to:

             

            /usr/share/jboss-6.0.0.Final/common/deploy/jbossws-console.war/WEB-INF

             

            First, edit the web.xml file. Towards the bottom, you will find the security-constraint as shown below:


            <!-- A security constraint that restricts access
               <security-constraint>
                 <web-resource-collection>
                   <web-resource-name>ContextServlet</web-resource-name>
                   <description>An example security config that only allows users with the
                     role 'friend' to access the JBossWS console web application
                   </description>
                   <url-pattern>/*</url-pattern>
                 </web-resource-collection>
                 <auth-constraint>
                   <role-name>friend</role-name>
                 </auth-constraint>
               </security-constraint>
               -->

             

             

            Un-comment the security-constraint section so it appears thus:


            <security-constraint>
                 <web-resource-collection>
                   <web-resource-name>ContextServlet</web-resource-name>
                   <description>An example security config that only allows users with the
                     role 'friend' to access the JBossWS console web application
                   </description>
                   <url-pattern>/*</url-pattern>
                 </web-resource-collection>
                 <auth-constraint>
                   <role-name>friend</role-name>
                 </auth-constraint>
               </security-constraint>

             

             

            Next, still in the WEB-INF directory, edit the jboss-web.xml file, which will look as below:


            <?xml version="1.0" encoding="ISO-8859-1"?>
            
            <!DOCTYPE jboss-web
                PUBLIC "-//JBoss//DTD Web Application 2.3V2//EN"
                "http://www.jboss.org/j2ee/dtd/jboss-web_3_2.dtd">
            
            <jboss-web>
            
              <!-- A security domain that restricts access
              <security-domain>java:/jaas/JBossWS</security-domain>
              -->
              
              <context-root>jbossws</context-root>
            
            </jboss-web>

             

             

            Uncomment the security-domain so it appears thus:


            <?xml version="1.0" encoding="ISO-8859-1"?>

            <!DOCTYPE jboss-web
                PUBLIC "-//JBoss//DTD Web Application 2.3V2//EN"
                "http://www.jboss.org/j2ee/dtd/jboss-web_3_2.dtd">

            <jboss-web>

              <security-domain>java:/jaas/JBossWS</security-domain>

              <context-root>jbossws</context-root>

            </jboss-web>

             

             

            The default user name and password are kermit/thefrog.

             

            To change this, go to:

             

            /usr/share/jboss-6.0.0.Final/server/default/conf/props

             

            Open jbossws-roles.properties in a text editor; it should appear as below.


            # A sample roles.properties file for use with the UsersRolesLoginModule
            kermit=friend

             

             

            Change 'kermit' to a new user name. For example, we'll change it to 'mywsuser' as shown below:


            # A sample roles.properties file for use with the UsersRolesLoginModule
            mywsuser=friend

             

             

            Open jbossws-users.properties in a text editor; it should appear as below.


            # A sample users.properties file for use with the UsersRolesLoginModule
            kermit=thefrog

             

             

            Change 'kermit' to our new user name 'mywsuser' and change the password. For example, we'll change the password to 'MyWsPassword' as shown below:


            # A sample users.properties file for use with the UsersRolesLoginModule
            mywsuser=MyWsPassword
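The steps above touch four files per console (web.xml, jboss-web.xml, and the users/roles .properties pair), and missing any one of them leaves the console open or locks the new user out. The following audit script is an added example, not part of nitinksks's post or of JBoss itself. It reads the text of those four files and reports anything still in the shipped state: a security-constraint or security-domain that is still inside an XML comment, the kermit/thefrog default named in the thread (and admin/admin, the stock jmx-console-users.properties entry), and a user renamed in one .properties file but not the other. The sample inputs are constructed for the example; the `<web-app>` wrapper with its javaee namespace is an assumption about the surrounding web.xml, and the function names are the example's own.

```python
"""Offline audit of the JBoss 6 console hardening steps: given the text of a
console's WEB-INF/web.xml, WEB-INF/jboss-web.xml and its users/roles
.properties files, report what is still in the shipped, unsecured state."""
import re
import xml.etree.ElementTree as ET

# Shipped credentials this audit flags: kermit/thefrog as named in the thread,
# admin/admin as the stock jmx-console-users.properties entry.
DEFAULT_CREDENTIALS = {("kermit", "thefrog"), ("admin", "admin")}


def _local(tag):
    """Strip a namespace prefix such as {http://java.sun.com/xml/ns/javaee}."""
    return tag.rsplit("}", 1)[-1]


def parse_properties(text):
    """Parse a Java .properties file (key=value, '#'/'!' comments) into a dict."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            entries[m.group(1)] = m.group(2).strip()
    return entries


def has_active_security_constraint(web_xml):
    """True when web.xml has an un-commented <security-constraint> covering /*
    with at least one <role-name>. ElementTree discards XML comments, so the
    commented-out block that JBoss ships does not count."""
    root = ET.fromstring(web_xml)
    for node in root.iter():
        if _local(node.tag) != "security-constraint":
            continue
        patterns = {e.text.strip() for e in node.iter() if _local(e.tag) == "url-pattern" and e.text}
        roles = {e.text.strip() for e in node.iter() if _local(e.tag) == "role-name" and e.text}
        if "/*" in patterns and roles:
            return True
    return False


def active_security_domain(jboss_web_xml):
    """Return the un-commented <security-domain> JNDI name, or None."""
    root = ET.fromstring(jboss_web_xml)
    for node in root.iter():
        if _local(node.tag) == "security-domain" and node.text and node.text.strip():
            return node.text.strip()
    return None


def audit_console(web_xml, jboss_web_xml, users_props, roles_props):
    """Return a list of findings; an empty list means every step was applied."""
    findings = []
    if not has_active_security_constraint(web_xml):
        findings.append("web.xml: security-constraint for /* is missing or still commented out")
    if active_security_domain(jboss_web_xml) is None:
        findings.append("jboss-web.xml: security-domain is missing or still commented out")
    users = parse_properties(users_props)
    roles = parse_properties(roles_props)
    for user, password in sorted(users.items()):
        if (user, password) in DEFAULT_CREDENTIALS:
            findings.append(f"users.properties: shipped default credentials still present for '{user}'")
        if user not in roles:
            findings.append(f"roles.properties: user '{user}' has no role, so the auth-constraint will reject it")
    for user in sorted(roles):
        if user not in users:
            findings.append(f"roles.properties: role entry for '{user}' has no matching user")
    return findings


# Constructed sample files for the JBossWS console, before and after the steps.
WEB_XML_BEFORE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <!-- A security constraint that restricts access
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>ContextServlet</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>friend</role-name></auth-constraint>
  </security-constraint>
  -->
</web-app>"""
WEB_XML_AFTER = WEB_XML_BEFORE.replace("<!-- A security constraint that restricts access\n", "").replace("  -->\n", "")
JBOSS_WEB_BEFORE = """<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 2.3V2//EN"
  "http://www.jboss.org/j2ee/dtd/jboss-web_3_2.dtd">
<jboss-web>
  <!-- A security domain that restricts access
  <security-domain>java:/jaas/JBossWS</security-domain>
  -->
  <context-root>jbossws</context-root>
</jboss-web>"""
JBOSS_WEB_AFTER = JBOSS_WEB_BEFORE.replace("<!-- A security domain that restricts access\n", "").replace("  -->\n", "")
USERS_BEFORE = "# A sample users.properties file for use with the UsersRolesLoginModule\nkermit=thefrog\n"
ROLES_BEFORE = "# A sample roles.properties file for use with the UsersRolesLoginModule\nkermit=friend\n"
USERS_AFTER = "mywsuser=MyWsPassword\n"
ROLES_AFTER = "mywsuser=friend\n"

if __name__ == "__main__":
    for label, args in (("before", (WEB_XML_BEFORE, JBOSS_WEB_BEFORE, USERS_BEFORE, ROLES_BEFORE)),
                        ("after", (WEB_XML_AFTER, JBOSS_WEB_AFTER, USERS_AFTER, ROLES_AFTER))):
        print(label, audit_console(*args) or ["ok"])
```

Run it against the real files by reading them from the WEB-INF and conf/props directories listed in the steps. The users/roles cross-check is the one to watch after a rename: if 'kermit' is changed in jbossws-users.properties but not in jbossws-roles.properties, the new user authenticates but holds no 'friend' role, and the auth-constraint rejects the login.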

             

             

             

            • 3. Re: jboss 6 Security
              wlam

              Hi Nitin,

               

              I followed your instruction #2 to change the admin password. Then I used jboss_init_redhat.sh to stop and start JBoss. The new password is NOT working on the admin console; only the old one works. Any clue?

               

              Thanks,

               

              Will