27 Replies. Latest reply on Sep 19, 2013 4:07 AM by omvinh

    Securing the JMX Console

    sun81

      Hi,

       

      I am working on securing the JMX console for JBOSS 4.2.1 and following the below article to make the necessary configuration changes:

       

      http://community.jboss.org/wiki/securetheJmxConsole

       

      But even after doing the necessary steps, when I tried to log in to the JMX console it is not working... I am getting the below error message in the JBoss server console:

       

      13:48:00,014 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
      java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
              at org.jboss.security.auth.spi.Util.loadProperties(Util.java:315)
              at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
              at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
              at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)

       

      I did the below steps:

       

      1. {jboss.server.home.dir}/deploy/jmx-console.war/WEB-INF/web.xml : Uncommented the block :<security-constraint>
      and added <login-config> block like the one below:

      <login-config>
            <auth-method>BASIC</auth-method>
            <realm-name>jmx-console</realm-name>
         </login-config>

       

      2. Changed the username/password in the file :

      {jboss.server.home.dir}/conf/props/jmx-console-users.properties

       

      3. {jboss.server.home.dir}/conf/login-config.xml
      Changed the path to the web-console-users.properties and the web-console-roles.properties as follows (add props/ to the front of the path)

      Restarted my server and tried to log in to the JMX Console. It is prompting for the user/pwd, but when I give the right one it is giving the above error.

       

      Can somebody please guide me through the steps?

       

      I have attached the files I have changed.

       

      Thanks,

      Bhanu.

        • 1. Re: Securing the JMX Console
          sun81

          I was able to make it work. Please follow the below steps:

           

          1. {jboss.server.home.dir}/deploy/jmx-console.war/WEB-INF/web.xml :

          Uncomment the block :<security-constraint>

          And add <login-config> block like the one below:

           

             <security-constraint>
               <web-resource-collection>
                 <web-resource-name>HtmlAdaptor</web-resource-name>
                 <description>An example security config that only allows users with the
                   role JBossAdmin to access the HTML JMX console web application
                 </description>
                 <url-pattern>/*</url-pattern>
                 <http-method>GET</http-method>
                 <http-method>POST</http-method>
               </web-resource-collection>
               <auth-constraint>
                 <role-name>JBossAdmin</role-name>
               </auth-constraint>
             </security-constraint>

             <login-config>
                <auth-method>BASIC</auth-method>
                <realm-name>jmx-console</realm-name>
             </login-config>

             <security-role>
                <role-name>JBossAdmin</role-name>
             </security-role>

           

          2. {jboss.server.home.dir}/deploy/jmx-console.war/WEB-INF/jboss-web.xml

          Uncomment the security-domain block:

          <security-domain>java:/jaas/jmx-console</security-domain>

           

          3. Change the username/password in the file :

           

          {jboss.server.home.dir}/conf/props/jmx-console-users.properties

          Eg: admin=admin (or give your own password)

           

          And the file {jboss.server.home.dir}/conf/props/jmx-console-roles.properties should have the below entry (the user mapped to the JBossAdmin role)

           

          admin=JBossAdmin,HttpInvoker

           

          4. {jboss.server.home.dir}/conf/login-config.xml

          Change the path to the web-console-users.properties and the web-console-roles.properties as follows (add props/ to the front of the path)

           

              <application-policy name="jmx-console">
                 <authentication>
                    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                       flag="required">
                     <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
                     <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
                    </login-module>
                 </authentication>
              </application-policy>
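
An added example, not part of the original posts and not JBoss code: a Python check of the three files edited in the steps above, covering the failure modes seen in this thread (a block still commented out, a `module-option` without its `name`, a properties file that is not under conf/). It also reports when `<http-method>` entries limit the constraint to the listed methods. The function `audit`, its parameters and the sample configs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def _find(root, name):
    # Elements called `name`, ignoring XML namespaces. The parser drops
    # comments, so a block that is still commented out is never returned.
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def audit(web_xml, jboss_web_xml, login_config_xml, conf_files):
    """Return findings for the steps in the post above. conf_files is the set
    of paths that exist relative to the server's conf/ directory."""
    out = []
    web = ET.fromstring(web_xml)
    if not _find(web, "security-constraint"):
        out.append("web.xml: security-constraint missing or commented out")
    if not _find(web, "login-config"):
        out.append("web.xml: login-config missing")
    methods = sorted({m.text.strip() for m in _find(web, "http-method") if m.text})
    if methods:
        # Listing http-method limits the constraint to those methods only;
        # removing the elements makes it apply to every method.
        out.append("web.xml: constraint covers only " + ",".join(methods))
    domains = _find(ET.fromstring(jboss_web_xml), "security-domain")
    if not domains or not (domains[0].text or "").strip():
        return out + ["jboss-web.xml: security-domain missing or commented out"]
    policy_name = domains[0].text.strip().rsplit("/", 1)[-1]  # jmx-console
    policies = [p for p in _find(ET.fromstring(login_config_xml), "application-policy")
                if p.get("name") == policy_name]
    if not policies:
        return out + [f"login-config.xml: no application-policy '{policy_name}'"]
    opts = {o.get("name"): (o.text or "").strip()
            for o in _find(policies[0], "module-option")}
    for key in ("usersProperties", "rolesProperties"):
        path = opts.get(key)
        if path is None:
            # Unnamed option: the module falls back to its default file name.
            out.append(f"login-config.xml: no module-option name='{key}'")
        elif "\\" in path:
            out.append(f"login-config.xml: {key} uses a backslash: {path}")
        elif path not in conf_files:
            out.append(f"conf/{path}: file not found")
    return out

# Constructed sample input, not taken from a real server.
WEB_XML = """<web-app><security-constraint><web-resource-collection>
  <url-pattern>/*</url-pattern>
  <http-method>GET</http-method><http-method>POST</http-method>
</web-resource-collection>
<auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
</security-constraint><login-config><auth-method>BASIC</auth-method></login-config></web-app>"""
JBOSS_WEB_XML = "<jboss-web><security-domain>java:/jaas/jmx-console</security-domain></jboss-web>"
LOGIN_CONFIG_XML = """<policy><application-policy name="jmx-console"><authentication>
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
  <module-option>props/jmx-console-users.properties</module-option>
  <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
</login-module></authentication></application-policy></policy>"""
CONF_FILES = {"props/jmx-console-users.properties", "props/jmx-console-roles.properties"}

if __name__ == "__main__":
    print("\n".join(audit(WEB_XML, JBOSS_WEB_XML, LOGIN_CONFIG_XML, CONF_FILES)))
```

On a real server, pass the contents of the three files and the set of files found under conf/.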

          • 2. Securing the JMX Console
            edgarosy

            I know this post has been here for a while, but I do have a question about it since I recently started using Jboss 5 and noticed that the http://localhost:8080/jmx-console page is opened to everyone.

             

            I followed all of your steps and am able to get the login screen. Once I input the user name & password I configured on the jmx-console-users.properties I don't get any errors on the page itself but instead it keeps redirecting me back to the login prompt even though I am typing the correct user name & password information.

             

            When I look at the server.log on the server itself I see these error messages. What did I do wrong, and can any of you help me figure this out?

             

            ER [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8080-1) Failed to load users/passwords/role files
                      java.io.IOException: No properties file: props/users.properties or defaults: defaultUsers.properties found
                      at org.jboss.security.auth.spi.Util.loadProperties(Util.java:198)
                      at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
                      at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
                      at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)
                      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                      at java.lang.reflect.Method.invoke(Method.java:597)
                      at javax.security.auth.login.LoginContext.invoke(LoginContext.java:756)
                      at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
                      at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
                      at java.security.AccessController.doPrivileged(Native Method)
                      at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
                      at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
                      at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:552)
                      at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:486)
                      at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)
                      at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)
                      at org.jboss.web.tomcat.security.JBossWebRealm.authenticate(JBossWebRealm.java:384)
                      at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:181)
                      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
                      at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
                      at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
                      at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
                      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
                      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
                      at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
                      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
                      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
                      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:828)
                      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:601)
                      at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
                      at java.lang.Thread.run(Thread.java:619)

             

             

            Thank you.

            • 3. Securing the JMX Console
              edgarosy

              Never mind. I got it working.

               

              bah.

              • 4. Securing the JMX Console
                dmanyemwe

                Hi All,

                 

                I have followed the steps at http://community.jboss.org/wiki/SecureTheJmxConsole exactly but I am still not being prompted for a user name and password! Is there another configuration elsewhere in JBoss that overrides the application policy? I'm using JBoss-5.1.0.GA. Thanks!

                 

                login-config.xml [jboss-5.1.0.GA/server/default/conf/login-config.xml]

                ...

                  <application-policy name="jmx-console">
                    <authentication>
                      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                        flag="required">
                        <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
                        <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
                      </login-module>
                    </authentication>
                  </application-policy>

                ...

                 

                jboss-web.xml [jboss-5.1.0.GA/server/default/deploy/jmx-console.war/WEB-INF/jboss-web.xml]

                <jboss-web>
                      <security-domain>java:/jaas/jmx-console</security-domain>
                </jboss-web>

                 

                Web.xml [jboss-5.1.0.GA/server/default/deploy/jmx-console.war/WEB-INF/web.xml]

                ...

                <security-constraint>
                     <web-resource-collection>
                       <web-resource-name>HtmlAdaptor</web-resource-name>
                       <description>An example security config that only allows users with the
                         role JBossAdmin to access the HTML JMX console web application
                       </description>
                       <url-pattern>/*</url-pattern>
                       <http-method>GET</http-method>
                       <http-method>POST</http-method>
                     </web-resource-collection>
                     <auth-constraint>
                       <role-name>JBossAdmin</role-name>
                     </auth-constraint>
                   </security-constraint>

                   <login-config>
                      <auth-method>BASIC</auth-method>
                      <realm-name>jmx-console</realm-name>
                   </login-config>

                   <security-role>
                      <role-name>JBossAdmin</role-name>
                   </security-role>
                </web-app>

                 

                My users and roles properties files are fine since the login works for the admin-console (it uses java:/jaas/jmx-console as well).

                • 5. Securing the JMX Console
                  nickarls

                  Tried on a clean browser / after a server restart? If you share domains (e.g. with the admin-console) it might remember your previous login?

                  • 6. Securing the JMX Console
                    dmanyemwe

                    Hi Nicklas,

                     

                    Thank you for the quick response. Yes, I have restarted the jboss service several times and have tried from a fresh install of Chrome, it always enters without prompting for credentials. I thought there may be another setting somewhere that overrides this? Note though that it does ask for the credentials when I log into the admin-console. Any ideas?

                    • 7. Securing the JMX Console
                      nickarls

                      Not really, I've only done it on AS 6 but I would think as long as the correct security related blocks were uncommented in both web.xml and jboss-web.xml, it should start working...

                      • 8. Securing the JMX Console
                        dmanyemwe

                        Ok, there must be some caching going on somewhere then, will try rebooting and deleting temp files. Thanks!

                        • 9. Securing the JMX Console
                          dmanyemwe

                          Still no luck, this is very strange. There must be another config somewhere that's blocking my auth.

                          • 10. Securing the JMX Console
                            nickarls

                            And you're sure you have edited the correct web.xml and jboss-web.xml files? What are the full paths to them?

                            • 11. Securing the JMX Console
                              dmanyemwe

                              I'm quite sure, the files edited are as below - full paths in [square brackets]:

                               

                              login-config.xml [jboss-5.1.0.GA/server/default/conf/login-config.xml]

                              ...

                                <application-policy name="jmx-console">
                                  <authentication>
                                    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                                      flag="required">
                                      <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
                                      <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
                                    </login-module>
                                  </authentication>
                                </application-policy>

                              ...

                               

                              jboss-web.xml [jboss-5.1.0.GA/server/default/deploy/jmx-console.war/WEB-INF/jboss-web.xml]

                              <jboss-web>
                                    <security-domain>java:/jaas/jmx-console</security-domain>
                              </jboss-web>

                               

                              Web.xml [jboss-5.1.0.GA/server/default/deploy/jmx-console.war/WEB-INF/web.xml]

                              ...

                              <security-constraint>
                                   <web-resource-collection>
                                     <web-resource-name>HtmlAdaptor</web-resource-name>
                                     <description>An example security config that only allows users with the
                                       role JBossAdmin to access the HTML JMX console web application
                                     </description>
                                     <url-pattern>/*</url-pattern>
                                     <http-method>GET</http-method>
                                     <http-method>POST</http-method>
                                   </web-resource-collection>
                                   <auth-constraint>
                                     <role-name>JBossAdmin</role-name>
                                   </auth-constraint>
                                 </security-constraint>

                                 <login-config>
                                    <auth-method>BASIC</auth-method>
                                    <realm-name>jmx-console</realm-name>
                                 </login-config>

                                 <security-role>
                                    <role-name>JBossAdmin</role-name>
                                 </security-role>
                              </web-app>

                              • 12. Securing the JMX Console
                                edgarosy

                                What about the /jboss/server/instance/deploy/management/console-mgr.sar/web-console.war/WEB-INF web.xml and jboss-web.xml file. Did you comment out the security blocks there too?

                                • 13. Securing the JMX Console
                                  dmanyemwe

                                  I think those configs are for the web console, the security domain there is java:/jaas/web-console. But to answer your question, yes I did! The web-console actually has the same problem as the jmx-console, it is also not showing the credential dialog.

                                  • 14. Securing the JMX Console
                                    edgarosy

                                    Is your /opt/jboss/server/instance/conf/props  jmx-console-roles.properties & web-console-roles.properties configured like this:

                                     

                                    username=JBossAdmin,HttpInvoker (username = to whatever you place under the jmx-console-roles.properties)

                                     

                                    your jmx-console-users.properties & web-console-users.properties should be configured like this:

                                     

                                    username=domain

                                     

                                    I am new to Jboss, but I was also having a hard time getting this to work.
