3 Replies Latest reply on Jun 9, 2004 7:04 AM by marcma

    How to secure the web-console (3.2.4)?

    marcma

      Hi.

      The wiki docs for securing the jmx-console and the web-console are
      fine for jboss-3.2.3.

      For jboss-3.2.4 the part for securing the jmx-console works fine but
      for the web-console it does not work.

      What do I have to do to get the web-console secure?

I have followed the instructions and everything is fine for the jmx-console.
      But when accessing the web-console the BASIC popup prompts me to
      enter username and password. The same username and password that works for the jmx-console does not give me access to the web-console.

      In use:
      jboss-3.2.4
      java 1.4.2_03
      WXP

      Thanks for your help.
      Cheers

        • 1. Re: How to secure the web-console (3.2.4)?
          marcma

          Hi.

          Ok, I have found out, that a request for

          http://blablub:whatever/web-console

brings the UsersRolesLoginModule onto the scene
(as configured in the login-config.xml)
          and this guy is reading the users.properties and roles.properties from
          the invoker.war instead of the ones from the web-console.war.

          Why is that?

          Requesting the jmx-console results in reading the jmx-console-users.properties and jmx-console-roles.properties from the jmx-console.war.

          Request for web-console:

          DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /web-console/
          DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[HtmlAdaptor]' against GET /index.html --> true
          DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[HtmlAdaptor]' against GET /index.html --> true
          DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
          DEBUG [org.apache.catalina.realm.RealmBase] User data constraint has no restrictions
          DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
          TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] initialize
          TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] findResource: null
          TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/C:/production/ejbcontainer/jboss/jboss-3.2.4/jboss-3.2.4/server/all/deploy/http-invoker.sar/invoker.war/WEB-INF/classes/users.properties
          TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] findResource: null
          TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/C:/production/ejbcontainer/jboss/jboss-3.2.4/jboss-3.2.4/server/all/deploy/http-invoker.sar/invoker.war/WEB-INF/classes/roles.properties
          TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] login
          DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Bad password for username=jboss
          TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] abort
          DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed authenticate() test
          Request for jmx-console:

          DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /jmx-console/
          DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[HtmlAdaptor]' against GET /index.jsp --> true
          DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[HtmlAdaptor]' against GET /index.jsp --> true
          DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
          DEBUG [org.apache.catalina.realm.RealmBase] User data constraint has no restrictions
          DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
          TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] initialize
          TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] findResource: null
          TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/C:/production/ejbcontainer/jboss/jboss-3.2.4/jboss-3.2.4/server/all/deploy/jmx-console.war/WEB-INF/classes/jmx-console-users.properties
          TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] findResource: null
          TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/C:/production/ejbcontainer/jboss/jboss-3.2.4/jboss-3.2.4/server/all/deploy/jmx-console.war/WEB-INF/classes/jmx-console-roles.properties
          TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] login
          TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] User 'jboss' authenticated, loginOk=true
          TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] commit, loginOk=true
          DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Authenticated 'jboss' with type 'BASIC'
          DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling accessControl()
          DEBUG [org.apache.catalina.realm.RealmBase] Checking roles jboss
          DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Successfully passed all security constraints
          • 2. Re: How to secure the web-console (3.2.4)?
            starksm64
            • 3. Re: How to secure the web-console (3.2.4)?
              marcma

              Hi.

              Ok. Thanks for the pointer.

              Just changing the loader-repository-config from
              the web-console to overwriting is not enough.

The console-mgr.sar has the same loader-repository.
              And here you have a loader-repository-config as well.
              Both need to be changed.

Isn't this a bit dangerous? Let's say we have different wars all loaded to the same repository. All jboss-web.xml in the wars can specify different loader-repository-configs. Which one is the one getting used?

Another opportunity to get the web-console secure is to change the login-config.xml (module /web-console) to use special users and roles properties files which are unique within the complete flat UCL.

              Cheers
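The second approach described in the last reply, written out as an added example (this is not configuration from the original thread or from the JBoss distribution). The root cause shown in the TRACE output is that UsersRolesLoginModule, when given no module options, loads the default names users.properties and roles.properties, and in a flat unified class loader the first copy found on the classpath wins, here the one inside http-invoker.sar/invoker.war. Pointing the web-console application-policy at uniquely named files sidesteps the clash regardless of how the loader repositories are scoped. The policy name web-console and the file names web-console-users.properties and web-console-roles.properties are assumptions for this example; the policy name must match the security-domain in the web-console.war's WEB-INF/jboss-web.xml, and the two files go into web-console.war/WEB-INF/classes.

```xml
<!-- Fragment of server/<config>/conf/login-config.xml (added example, not the
     original thread's file). The application-policy name "web-console" and the
     two properties file names are assumptions; they only need to be unique
     within the flat UCL so that the invoker.war copies of users.properties and
     roles.properties are never picked up by mistake. -->
<policy>

  <!-- Other application-policy entries (jmx-console, http-invoker, ...) stay as shipped. -->

  <application-policy name="web-console">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                    flag="required">
        <!-- Without these two options the module falls back to
             users.properties / roles.properties, which is exactly what the
             TRACE output above shows being resolved from invoker.war. -->
        <module-option name="usersProperties">web-console-users.properties</module-option>
        <module-option name="rolesProperties">web-console-roles.properties</module-option>
      </login-module>
    </authentication>
  </application-policy>

</policy>

<!-- web-console.war/WEB-INF/jboss-web.xml must bind the web application to
     the same policy name (assumed name, matching the entry above): -->
<!--
<jboss-web>
  <security-domain>java:/jaas/web-console</security-domain>
</jboss-web>
-->

<!-- Constructed sample contents for the two files in
     web-console.war/WEB-INF/classes. Format is "user=password" and
     "user=role1,role2"; the role must match the role-name in the
     web-console.war's web.xml auth-constraint (here assumed to be "JBossAdmin"). -->
<!--
web-console-users.properties:
    admin=change-this-password

web-console-roles.properties:
    admin=JBossAdmin
-->
```

After redeploying, a request to /web-console/ should produce TRACE lines of the form "Properties file=file:/.../web-console.war/WEB-INF/classes/web-console-users.properties", mirroring what the thread shows for jmx-console-users.properties; if the path still points into invoker.war, the application-policy name and the security-domain in jboss-web.xml do not match. Note that renaming the files only removes the name clash for this module; the loader-repository scoping question raised in the same reply is a separate concern and is not addressed by this change.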