How to run the testsuite against the secured EAP distribution
1. Download the Application Platform zip distribution from the JBoss Customer Service Portal.
2. Download the Application Platform source distribution from the JBoss Customer Service Portal.
The source distribution contains the source files for the testsuite.
3. Unzip the Application Platform
4. The JBoss Application Platform distribution is shipped with certain security measures in place by default.
These security measures need to be disabled in order to run the JBoss Application Platform testsuite successfully against the EAP distribution.
This can be done by following the detailed instructions for disabling security below, or by building the JBoss Application Platform binary distribution from source using the property -Dbuild.unsecure=true:
    cd jboss-eap/jboss-as
    ./build.sh -Dbuild.unsecure=true
5. Unzip the source distribution.
6. Build the JBoss EAP binary distribution from source (using the flag -Dbuild.unsecure=true, see step 4):
    cd jboss-eap-src/jboss-as/build
    ./build.sh -Dbuild.unsecure=true
7. Build/Run the testsuite
    cd jboss-eap-src/jboss-as/testsuite
    ./build.sh tests -Dnode0=$MYTESTIP_1 -Dnode1=$MYTESTIP_2
If you need to run the testsuite against a JBoss EAP distribution other than the one built in step 6 (which resides in jboss-eap-src/jboss-as/build/output/
. For example,
    cd jboss-eap-src/jboss-as/testsuite
    ./build.sh tests -Dnode0=$MYTESTIP_1 -Dnode1=$MYTESTIP_2 -Djboss.dist=<my JBoss EAP distribution>
The testsuite will then test against that distribution.
Before running the testsuite, increase the memory available to Ant (set ANT_OPTS=-Xmx512m) to aid report generation at the end of the testsuite run.
The jboss.dist property specifies the Application Platform distribution to run the testsuite against. In this case it would be the distribution from Step 1.
node0 and node1 are the test IP addresses to use with the clustering tests. If they are not specified, the tests use localhost and HOSTNAME.
The test reports are available in testsuite/output/reports.
Additional information can be found in the HowToRunTheTestsuite wiki.
What security is in place in the EAP distribution?
The EAP distribution secures the following components of the JBoss AS:
the JMX console, a basic web-based interface used to view and modify the MBean based services of the JBoss AS
the Web console, a more advanced web-based interface used to view and modify the MBean based services of the JBoss AS
the JMX Detached Invoker service, an RMI based interface to the JMX core functionality of the JBoss AS
the HTTP Invoker, which supports making JMX calls over HTTP
These components are secured in order to disallow unauthorised access to the services of the JBoss AS via JMX. The JBoss AS testsuite requires that such security mechanisms are disabled.
IMPORTANT NOTE: These security mechanisms need to be disabled for both server configurations used by the AS testsuite: the "default" configuration and the "all" configuration. They do not need to be disabled for the "production" or the "minimal" server configurations.
The following sections describe how to disable these security mechanisms for the purposes of running the AS testsuite.
Disabling security for the JMX console
The JMX console is defined by the web application jmx-console.war in the directory server/<config>/deploy, where <config> represents the server configuration in question (i.e. default, or all). In order to disable authentication and authorization for the JMX console, two files within the directory server/<config>/deploy/jmx-console.war need to be modified:
1. WEB-INF/web.xml
Disable the security constraint which requires all users of the JMX console URLs and HTTP methods to authenticate themselves and to have the role JBossAdmin by commenting out the section, as shown below:
    <!-- A security constraint that restricts access to the HTML JMX console
         to users with the role JBossAdmin. Edit the roles to what you want and
         uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
         secured access to the HTML JMX console.
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>HtmlAdaptor</web-resource-name>
        <description>An example security config that only allows users with the
          role JBossAdmin to access the HTML JMX console web application
        </description>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>JBossAdmin</role-name>
      </auth-constraint>
    </security-constraint>
    -->
2. WEB-INF/jboss-web.xml
Disable the corresponding security domain used for the authentication and authorization above by commenting out the section, as shown below:
    <jboss-web>
      <!-- Uncomment the security-domain to enable security. You will
           need to edit the htmladaptor login configuration to setup the
           login modules used to authentication users.
      <security-domain>java:/jaas/jmx-console</security-domain>
      -->
    </jboss-web>
Disabling security for the Web Console
The Web console is defined by the web application web-console.war in the directory server/<config>/deploy/management/console-mgr.sar, where <config> represents the server configuration in question (i.e. default, or all). In order to disable authentication and authorization for the Web console, two files within the directory server/<config>/deploy/management/console-mgr.sar/web-console.war need to be modified:
1. WEB-INF/web.xml
Disable the security constraint which requires all users of the Web console URLs and HTTP methods to authenticate themselves and to have the role JBossAdmin by commenting out the section, as shown below:
    <!-- A security constraint that restricts access to the HTML JMX console
         to users with the role JBossAdmin. Edit the roles to what you want and
         uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
         secured access to the HTML JMX console.
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>HtmlAdaptor</web-resource-name>
        <description>An example security config that only allows users with the
          role JBossAdmin to access the HTML JMX console web application
        </description>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>JBossAdmin</role-name>
      </auth-constraint>
    </security-constraint>
    -->
2. WEB-INF/jboss-web.xml
Disable the corresponding security domain used for the authentication and authorization above by commenting out the section, as shown below:
    <jboss-web>
      <!-- Uncomment the security-domain to enable security. You will
           need to edit the htmladaptor login configuration to setup the
           login modules used to authentication users.
      <security-domain>java:/jaas/web-console</security-domain>
      -->
      <!-- The war depends on the -->
      <depends>jboss.admin:service=PluginManager</depends>
    </jboss-web>
Disabling security for the JMX Detached Invoker service
The JMX Detached Invoker MBean is defined in the file server/
represents the server configuration in question (i.e. default, or all).
The JMX Detached Invoker provides the service that handles RMIAdaptor invocations by routing them to the MBeanServer the service is deployed under.
In the secured version of the JBoss AS, there is an authentication interceptor on the invoke() method of the MBean. In order to disable authorization and authentication, the following file needs to be modified:
1. jmx-invoker-service.xml
Disable the authentication interceptor by commenting out (as shown below) the following lines in the definition of the InvokerAdaptorService MBean:
    <interceptors>
      <!-- Uncomment to require authenticated users
      <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
                   securityDomain="java:/jaas/jmx-console"></interceptor>
      -->
      <!-- Interceptor that deals with non-serializable results -->
      <interceptor code="org.jboss.jmx.connector.invoker.SerializableInterceptor"
                   policyClass="StripModelMBeanInfoPolicy"></interceptor>
    </interceptors>
Disabling security for the HTTP Invoker servlets
The HTTP Invoker is defined by the web application invoker.war in the directory server/default/deploy/http-invoker.sar, for the "default" configuration (and server/all/deploy/httpha-invoker.sar, for the "all" configuration).
This web archive contains the servlets JNDIFactoryServlet, JMXInvokerServlet, and EJBInvokerServlet, which are used to permit JNDI lookups, JMX invocations, and EJB home interface lookups over HTTP.
In order to disable authentication and authorization for the HTTP Invoker servlets, one file within the directory server/default/deploy/http-invoker.sar/invoker.war (and server/all/deploy/httpha-invoker.sar, for the "all" configuration) needs to be modified:
1. WEB-INF/web.xml
The secured version of this web application contains the following security constraint:
    <!-- An example security constraint that restricts access to the HTTP
         invoker to users with the role HttpInvoker. Edit the roles to what you
         want and configure the WEB-INF/jboss-web.xml/security-domain element
         to reference the security domain you want.
    -->
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>HttpInvokers</web-resource-name>
        <description>An example security config that only allows users with the
          role HttpInvoker to access the HTTP invoker servlets
        </description>
        <url-pattern>/restricted/*</url-pattern>
        <url-pattern>/JNDIFactory/*</url-pattern>
        <url-pattern>/EJBInvokerServlet/*</url-pattern>
        <url-pattern>/JMXInvokerServlet/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>HttpInvoker</role-name>
      </auth-constraint>
    </security-constraint>
To remove authentication and authorization for the servlets JNDIFactory, JMXInvokerServlet and EJBInvokerServlet, remove or comment out the lines:
    <url-pattern>/JNDIFactory/*</url-pattern>
    <url-pattern>/EJBInvokerServlet/*</url-pattern>
    <url-pattern>/JMXInvokerServlet/*</url-pattern>
from the security constraint definition above.
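To check whether a server configuration is still in this testsuite-only state, the four changes described in the sections above can be detected from the descriptor text. The following Python is an added example, not part of the JBoss distribution or of this page; the function names and the abridged sample descriptors are constructed for illustration, and the caller supplies the content of each descriptor file.

```python
import xml.etree.ElementTree as ET

INVOKER_PATTERNS = {"/JNDIFactory/*", "/EJBInvokerServlet/*", "/JMXInvokerServlet/*"}

def find(node, name):
    # Match on the local tag name so namespaced descriptors are handled too.
    return [el for el in node.iter() if el.tag.rsplit("}", 1)[-1] == name]

def protected_patterns(web_xml):
    """url-patterns inside an active security-constraint that has an auth-constraint."""
    out = set()
    # ElementTree drops XML comments, so a commented-out constraint is never seen.
    for sc in find(ET.fromstring(web_xml), "security-constraint"):
        if find(sc, "auth-constraint"):
            out |= {p.text.strip() for p in find(sc, "url-pattern") if p.text}
    return out

def audit(console_web, console_jboss_web, invoker_service, invoker_web):
    """List the descriptors that are in the unsecured (testsuite-only) state."""
    findings = []
    if "/*" not in protected_patterns(console_web):
        findings.append("console web.xml: no active security-constraint on /*")
    if not find(ET.fromstring(console_jboss_web), "security-domain"):
        findings.append("console jboss-web.xml: security-domain commented out")
    codes = [i.get("code", "") for i in find(ET.fromstring(invoker_service), "interceptor")]
    if not any(c.endswith(".AuthenticationInterceptor") for c in codes):
        findings.append("jmx-invoker-service.xml: AuthenticationInterceptor disabled")
    missing = INVOKER_PATTERNS - protected_patterns(invoker_web)
    if missing:
        findings.append("invoker web.xml: unprotected " + ", ".join(sorted(missing)))
    return findings

# Constructed, abridged descriptors in the state the instructions above produce.
UNSECURED = (
    "<web-app><!-- <security-constraint><web-resource-collection>"
    "<url-pattern>/*</url-pattern></web-resource-collection><auth-constraint>"
    "<role-name>JBossAdmin</role-name></auth-constraint></security-constraint> --></web-app>",
    "<jboss-web><!-- <security-domain>java:/jaas/jmx-console</security-domain> --></jboss-web>",
    "<server><mbean><interceptors><interceptor "
    "code='org.jboss.jmx.connector.invoker.SerializableInterceptor'/></interceptors></mbean></server>",
    "<web-app><security-constraint><web-resource-collection>"
    "<url-pattern>/restricted/*</url-pattern></web-resource-collection><auth-constraint>"
    "<role-name>HttpInvoker</role-name></auth-constraint></security-constraint></web-app>",
)

if __name__ == "__main__":
    for finding in audit(*UNSECURED):
        print("UNSECURED:", finding)
```

The same audit function applies to the JMX console and the Web console descriptors; call it once per console and per server configuration ("default" and "all").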
Enabling a sample username/password for use with the UsersRolesLoginModule
Uncomment the The username and password stored in server/
represents the server configuration in question (i.e. default, or all).
    # A sample users.properties file for use with the UsersRolesLoginModule
    admin=admin