-
1. Re: How to secure the web-console (3.2.4)?
marcma Jun 8, 2004 10:13 AM (in response to marcma)
Hi.
Ok, I have found out that a request for
http://blablub:whatever/web-console
brings the UsersRolesLoginModule up the scene
(as configured in the login-config.xml)
and this guy is reading the users.properties and roles.properties from
the invoker.war instead of the ones from the web-console.war.
Why is that?
Requesting the jmx-console results in reading the jmx-console-users.properties and jmx-console-roles.properties from the jmx-console.war.
Request for web-console:
DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /web-console/
DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[HtmlAdaptor]' against GET /index.html --> true
DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[HtmlAdaptor]' against GET /index.html --> true
DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
DEBUG [org.apache.catalina.realm.RealmBase] User data constraint has no restrictions
DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] initialize
TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] findResource: null
TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/C:/production/ejbcontainer/jboss/jboss-3.2.4/jboss-3.2.4/server/all/deploy/http-invoker.sar/invoker.war/WEB-INF/classes/users.properties
TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] findResource: null
TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/C:/production/ejbcontainer/jboss/jboss-3.2.4/jboss-3.2.4/server/all/deploy/http-invoker.sar/invoker.war/WEB-INF/classes/roles.properties
TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] login
DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Bad password for username=jboss
TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] abort
DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed authenticate() test

Request for jmx-console:
DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /jmx-console/
DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[HtmlAdaptor]' against GET /index.jsp --> true
DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[HtmlAdaptor]' against GET /index.jsp --> true
DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
DEBUG [org.apache.catalina.realm.RealmBase] User data constraint has no restrictions
DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] initialize
TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] findResource: null
TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/C:/production/ejbcontainer/jboss/jboss-3.2.4/jboss-3.2.4/server/all/deploy/jmx-console.war/WEB-INF/classes/jmx-console-users.properties
TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] findResource: null
TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/C:/production/ejbcontainer/jboss/jboss-3.2.4/jboss-3.2.4/server/all/deploy/jmx-console.war/WEB-INF/classes/jmx-console-roles.properties
TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] login
TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] User 'jboss' authenticated, loginOk=true
TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] commit, loginOk=true
DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Authenticated 'jboss' with type 'BASIC'
DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling accessControl()
DEBUG [org.apache.catalina.realm.RealmBase] Checking roles jboss
DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Successfully passed all security constraints
-
3. Re: How to secure the web-console (3.2.4)?
marcma Jun 9, 2004 7:04 AM (in response to marcma)
Hi.
Ok. Thanks for the pointer.
Just changing the loader-repository-config from
the web-console to overwriting is not enough.
The console-mgr.sar has the same loader-repository.
And here you have a loader-repository-config as well.
Both need to be changed.
Isn't this a bit dangerous? Let's say we have different wars all loaded to the same repository. All jboss-web.xml in the wars can specify different loader-repository-configs. Which one is the one getting used?
Another opportunity to get the web-console secure is to change the login-config.xml (module /web-console) to use special users and roles properties files which are unique to the complete flat UCL.
Cheers
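The second approach from the post above, as an added example and not the poster's own configuration: a login-config.xml application-policy for the web-console that points the UsersRolesLoginModule at uniquely named properties files instead of the default users.properties/roles.properties. It assumes the policy is named "web-console" and that the file names web-console-users.properties and web-console-roles.properties are free to use; the weak form is shown first for comparison.

```xml
<!-- BEFORE (weak): no module-options, so the login module looks up the default
     resource names users.properties / roles.properties. With web-console.war
     and invoker.war in the same flat loader repository, the copies from
     invoker.war are found first (see the TRACE output in the earlier post). -->
<application-policy name="web-console">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                  flag="required"/>
  </authentication>
</application-policy>

<!-- AFTER (hardened): give this security domain its own, uniquely named files
     so no other deployment in the shared repository can shadow them.
     File names are constructed for this example; place them in
     web-console.war/WEB-INF/classes/ next to where users.properties would go. -->
<application-policy name="web-console">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                  flag="required">
      <module-option name="usersProperties">web-console-users.properties</module-option>
      <module-option name="rolesProperties">web-console-roles.properties</module-option>
    </login-module>
  </authentication>
</application-policy>
```

After redeploying, the TRACE line "Properties file=..." should name the web-console.war path rather than invoker.war, which is the quickest check that the right credentials file is being read.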