Securing JBoss Application Server

Securing JBoss Application Server v7.0

Please visit  Securing the Management Interfaces.

And also Hardening Guidelines - JBoss AS 7.2

Securing JBoss AS v6.x or v5.x

Premise

When you first download JBoss, it comes as an easy-to-install zip file.  Upon installation, you can easily deploy EJBs, web applications and a whole array of services.  However, you may be suprised how easy it is to compromise the services.  JBossSX can fix that by securing those functions.

These are the steps to secure the default download of JBoss:

• Secure the Jmx Console

• Secure a Web Application In JBoss

• Remove the Invokers or Secure the Invokers

• Remove or restrict RMI ClassLoading service

• Secure JBossMQ (Need to change to JBoss Messaging)

• Remove HSQLDB

• Using JBoss Behind A Firewall

• Set Up A Keystore or SSL Setup

• Limit Access to Certain Clients

• How to Run JBoss with a Java Security Manager

Related

http://sourceforge.net/docman/display_doc.php?docid=20143&group_id=22866

(DE) http://www.redteam-pentesting.de/publications/2009-06-03-Whitepaper_Whos-the-JBoss-now_RedTeam-Pentesting.pdf

(EN) http://www.redteam-pentesting.de/publications/2009-11-30-Whitepaper_Whos-the-JBoss-now_RedTeam-Pentesting_EN.pdf