0 Replies Latest reply: May 14, 2009 5:13 AM by praveen tallakokula RSS

Securing JBoss jmx-console and web-console for JBoss 4.0

praveen tallakokula Newbie

hi , please help me for securing jmx-console and web-console for jboss as i have tried the following thing,

Out of the box jmx-console and the web console are accessable to anyone who can access your server via
the following url: http://yourserver:8080/jmx-console. The good news is that both jmx-console and web-console
are standard servlet so they can be protected easily by enabling the security-constraint. Our example
uses the default server model.
1. edit \server\default\deploy\jmx-console.war\WEB-INF\web.xml
and uncomment the security-constraint
<!-- A security constraint that restricts access to the HTML JMX console
to users with the role JBossAdmin. Edit the roles to what you want and
uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
secured access to the HTML JMX console. -->

<security-constraint>
<web-resource-collection>
<web-resource-name>HtmlAdaptor</web-resource-name>
An example security config that only allows users with the
role JBossAdmin to access the HTML JMX console web application

<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>JBossAdmin</role-name>
</auth-constraint>
</security-constraint>


<login-config>
<auth-method>BASIC</auth-method>
<realm-name>JBoss JMX Console</realm-name>
</login-config>

<security-role>
<role-name>JBossAdmin</role-name>
</security-role>

2. Edit \server\default\deploy\jmx-console.war\WEB-INF\jboss-web.xml. Uncomment the following block:
<jboss-web>
<!-- Uncomment the security-domain to enable security. You will
need to edit the htmladaptor login configuration to setup the
login modules used to authentication users.-->
<security-domain>java:/jaas/jmx-console</security-domain>

</jboss-web>

3. Edit \server\default\conf\props\jmx-console-roles.properties

4. Edit \server\default\conf\props\jmx-console-users.properties

The only change above should be to jmx-console-users.properties, i.e, set a password.

5. While you are in directory make copies of the two jmx-console properties files and call them web-console-roles.properties
and web-console-users.prperties respectively.
6. The property files for web-console currently exist under \server\default\deploy\management\console-mgr.sar\web-console.war\WEB-INF\classes.
I would rename these files.
7. edit \server\default\conf\login-config.xml

<application-policy name = "web-console">

<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
flag = "required">
<module-option name="usersProperties">props/web-console-users.properties</module-option> <module-option name="rolesProperties">props/web-console-roles.properties</module-option> </login-module>

</application-policy

In the above you need to add the props/ because this is missing in the original file. If you do not do
this the login procedure will look for the properties file under web-console.war\WEB-INF\classes and if you have not renamed the properties file there it will try and
use those.
Remember to bounce JBoss after you are done. Out of the box jmx-console and the web console are accessable to anyone who can access your server via
the following url: http://yourserver:8080/jmx-console. The good news is that both jmx-console and web-console
are standard servlet so they can be protected easily by enabling the security-constraint. Our example
uses the default server model.
1. edit \server\default\deploy\jmx-console.war\WEB-INF\web.xml
and uncomment the security-constraint
<!-- A security constraint that restricts access to the HTML JMX console
to users with the role JBossAdmin. Edit the roles to what you want and
uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
secured access to the HTML JMX console. -->

<security-constraint>
<web-resource-collection>
<web-resource-name>HtmlAdaptor</web-resource-name>
An example security config that only allows users with the
role JBossAdmin to access the HTML JMX console web application

<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>JBossAdmin</role-name>
</auth-constraint>
</security-constraint>


<login-config>
<auth-method>BASIC</auth-method>
<realm-name>JBoss JMX Console</realm-name>
</login-config>

<security-role>
<role-name>JBossAdmin</role-name>
</security-role>

2. Edit \server\default\deploy\jmx-console.war\WEB-INF\jboss-web.xml. Uncomment the following block:
<jboss-web>
<!-- Uncomment the security-domain to enable security. You will
need to edit the htmladaptor login configuration to setup the
login modules used to authentication users.-->
<security-domain>java:/jaas/jmx-console</security-domain>

</jboss-web>

3. Edit \server\default\conf\props\jmx-console-roles.properties

4. Edit \server\default\conf\props\jmx-console-users.properties

The only change above should be to jmx-console-users.properties, i.e, set a password.

5. While you are in directory make copies of the two jmx-console properties files and call them web-console-roles.properties
and web-console-users.prperties respectively.
6. The property files for web-console currently exist under \server\default\deploy\management\console-mgr.sar\web-console.war\WEB-INF\classes.
I would rename these files.
7. edit \server\default\conf\login-config.xml

<application-policy name = "web-console">

<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
flag = "required">
<module-option name="usersProperties">props/web-console-users.properties</module-option> <module-option name="rolesProperties">props/web-console-roles.properties</module-option> </login-module>

</application-policy

In the above you need to add the props/ because this is missing in the original file. If you do not do
this the login procedure will look for the properties file under web-console.war\WEB-INF\classes and if you have not renamed the properties file there it will try and
use those.
Remember to bounce JBoss after you are done.


but still its not asking the prompt for the authentication after bouncing the jboss app server.


Regards,
Praveen