1 Reply Latest reply: Sep 15, 2011 2:14 PM by Joel Rabinovitch RSS

Securing JMX and JBoss WS Consoles

Joel Rabinovitch Newbie

Hi,

 

We are migrating our application from JBoss 4.2.2 to JBoss 6.1. As part of the installation, we secured the JMX and JBoss WS consoles.

 

With JBoss 4.2.2, we uncommented the security constraint for the JMX Console in the web.xml file as shown below:

 

   <!-- A security constraint that restricts access to the HTML JMX console

   to users with the role JBossAdmin. Edit the roles to what you want and

   uncomment the WEB-INF/jboss-web.xml/security-domain element to enable

   secured access to the HTML JMX console.

   -->

   <security-constraint>

     <web-resource-collection>

       <web-resource-name>HtmlAdaptor</web-resource-name>

       <description>An example security config that only allows users with the

         role JBossAdmin to access the HTML JMX console web application

       </description>

       <url-pattern>/*</url-pattern>

     </web-resource-collection>

     <auth-constraint>

       <role-name>JBossAdmin</role-name>

     </auth-constraint>

   </security-constraint>

 

For secure (HTTPS) installations we would change it as follows:

 

   <security-constraint>

     <web-resource-collection>

       <web-resource-name>HtmlAdaptor</web-resource-name>

       <description>An example security config that only allows users with the

         role JBossAdmin to access the HTML JMX console web application

       </description>

       <url-pattern>/*</url-pattern>

     </web-resource-collection>

     <auth-constraint>

       <role-name>JBossAdmin</role-name>

     </auth-constraint>

     <user-data-constraint>

        <transport-guarantee>CONFIDENTIAL</transport-guarantee>

     </user-data-constraint>

   </security-constraint>

 

The web.xml file of the JBoss WS console was adjusted similarly.

 

The issue now is with JBoss 6.1 the JMX and web consoles have been moved to common deployment area, as specified here:

 

http://community.jboss.org/wiki/On-DemandDeploymentOfWebApplications

 

The question is how do I allow some profiles (environments) defined underneath the JBoss 6.1 server directory to access the JMX console using HTTP, and others using HTTPS. We need to do this when a JBoss 6.1 is used for both secure and non-secure profiles.

 

Thanks,

 

Joel

  • 1. Re: Securing JMX and JBoss WS Consoles
    Joel Rabinovitch Newbie

    Hi,

     

    I figured out my own problem:

     

    To resolve this I did the following:

     

    I copied the admin-console.war, jmx-console.war, and jbossws-console.war folders from the common/deploy directory to the <profile>/deploy (e.g. default/deploy) directory.

     

    I modified the following files:

     

    deploy/admin-console-activator-jboss-beans.xml

    deploy/jmx-console-activator-jboss-beans.xml

    deploy/jbossws-console-activator-jboss-beans.xml

     

    to change the following property from:

     

    <property name="deploymentRoot">${jboss.common.base.url}deploy</property>

     

    to:

     

    <property name="deploymentRoot">${jboss.server.home.url}deploy</property>

     

    Based on the information in the following page:

     

    http://community.jboss.org/wiki/JBossProperties

     

    Although it adds some time to the start up of the environment, it allows you to customize these consoles for a given profile.

     

    Hope this helps,

     

    Joel