4 Replies Latest reply on Sep 26, 2012 1:06 PM by b.eckenfels

    JBoss AS 7.1.0.Beta1 is secured by default - what does it mean?

    dlofthouse

      For more information on the out-of-the-box security settings of JBoss AS 7.1.0.Beta1, please see the following article:

      AS 7.1.0 Beta1 - Security Enabled By Default

        • 1. Re: JBoss AS 7.1.0.Beta1 is secured by default - what does it mean?
          markboletti

          Hello,

          Just one question: how would you pass credentials to a CLI that is executed as a script? For example:

          ------script.cli-------------------------------------

          connect 192.100.100.1 root password

          -------------------------------------------------------

          jboss-admin.bat --file=script.cli

          This seems not to work... (unexpected chars root password)

          Thanks

          Mark

          • 3. Re: JBoss AS 7.1.0.Beta1 is secured by default - what does it mean?
            alitokmen

            I am delighted to see that at least some JBoss components are now secured by default. This has been the case for all JBoss EAP versions, and it is very good to see that JBoss Community Edition has also taken a step towards security in the same direction.

            On the other hand, after some trials, I have figured out that not all JBoss services are secured. Two examples I can think of right now:

            • The remote org.jboss.as.controller.client.helpers.standalone.ServerDeploymentManager still works without specifying any password (at least, that's what I've seen when I've tried it out with JBoss 7.1.0 Beta 1b).
            • The jboss-admin.sh does not require any password.

            Are these also going to be reviewed at some point in time?

            • 4. Re: JBoss AS 7.1.0.Beta1 is secured by default - what does it mean?
              b.eckenfels

              Savas Ali Tokmen wrote:

              • The jboss-admin.sh does not require any password.

              Savas (this is a late answer, but I am just curious if somebody can fill in the blanks in the following answer):

              jboss-cli.sh (formerly jboss-admin.sh) seems to magically use a $local user if it is executed as the OS owner of the AS installation. This somehow makes sense if you consider the fact that the OS user with read/write access to the JBoss files can modify anything anyway. However, I am not entirely sure how JBoss is checking that it is actually a $local user (it might set up random credentials and allow them to be read). Anyway, you can remove the $local user and have it specified on connect.

              Bernd
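The mechanism Bernd guesses at above (a server that writes random credentials somewhere only the installation's OS owner can read, and a client that authenticates simply by proving it can read them) can be modelled in a few dozen lines. The following is an added, constructed example written for this thread; it is not JBoss code and says nothing about how JBoss actually implements the $local user. The class and function names (`LocalChallengeServer`, `local_client_respond`, `demo_local_auth`) and the challenge-file layout are assumptions made for illustration. The defender's point it makes concrete is the one Bernd draws: in such a scheme the file permissions are the entire trust boundary, so anyone who can run commands as the AS owner (a shared service account, a compromised cron job) gets management access with no password at all, and the mitigation he names, removing the local user so that credentials must be supplied on connect, is the right call where that OS account is not exclusively the administrator's.

```python
"""
Toy model of a local-file challenge authentication (constructed example,
not JBoss's implementation). The server writes a one-shot random challenge
into a directory that only the installation's OS owner can traverse; a client
authenticates by reading the file back and returning its contents.
"""
import hmac
import os
import secrets
import stat
import tempfile
from pathlib import Path


class LocalChallengeServer:
    """Server side: issues one-shot challenges in an owner-only directory (hypothetical)."""

    def __init__(self, auth_dir: Path):
        self.auth_dir = auth_dir
        auth_dir.mkdir(mode=0o700, parents=True, exist_ok=True)
        os.chmod(auth_dir, 0o700)  # assumption: only the owner may enter the directory
        self._pending: dict[str, bytes] = {}

    def start_auth(self) -> tuple[str, Path]:
        """Create a random challenge and write it to a file readable only by the owner."""
        token_id = secrets.token_hex(8)
        challenge = secrets.token_bytes(32)
        path = self.auth_dir / f"challenge-{token_id}"
        # O_EXCL prevents a pre-planted file from being reused; mode 0600 keeps it owner-only.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(challenge)
        self._pending[token_id] = challenge
        return token_id, path

    def finish_auth(self, token_id: str, response: bytes) -> bool:
        """Accept only the exact bytes for a still-pending challenge, then burn it."""
        challenge = self._pending.pop(token_id, None)
        try:
            (self.auth_dir / f"challenge-{token_id}").unlink()
        except FileNotFoundError:
            pass
        if challenge is None:
            return False  # unknown or already-consumed token: replays fail here
        return hmac.compare_digest(challenge, response)


def local_client_respond(path: Path) -> bytes:
    """Client side: the only 'credential' is the ability to read the challenge file."""
    return path.read_bytes()


def demo_local_auth() -> dict:
    """Run one successful local authentication, one replay, and one wrong response."""
    with tempfile.TemporaryDirectory() as tmp:
        server = LocalChallengeServer(Path(tmp) / "auth")
        token_id, path = server.start_auth()
        file_mode = stat.S_IMODE(path.stat().st_mode)
        response = local_client_respond(path)
        first = server.finish_auth(token_id, response)
        replay = server.finish_auth(token_id, response)  # challenge already consumed
        other_id, _ = server.start_auth()
        wrong = server.finish_auth(other_id, b"\x00" * 32)  # guessed without reading the file
        return {
            "file_mode": file_mode,
            "first": first,
            "replay": replay,
            "wrong_response": wrong,
            "file_removed": not path.exists(),
        }


if __name__ == "__main__":
    print(demo_local_auth())
```

Running `demo_local_auth()` shows the scheme working once and refusing both a replay and a guessed response; what it cannot do is distinguish the legitimate administrator from any other process running under the same OS account, which is exactly why a shared or service account owning the installation turns the convenience into an exposure.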