4 Replies Latest reply on Oct 16, 2004 3:46 PM by starksm64

    JMX-Console Security in Jboss 4.0

    cam156

      Hello,

      I have been trying to activate the security for the JMX console in Jboss 4.0.

      Unfortunately, when I uncomment the security in the jboss-web.xml and web.xml, the system seems to still be pointing at the other realm instead of the jmx-console realm.

      Any ideas why this would have stopped working in 4.0? What other files beside the two xml files need to be modified now?

      Thanks!

      -- Carolyn

        • 1. Re: JMX-Console Security in Jboss 4.0

          I upgraded to 4.0.0 and the JMX console security works fine after uncommenting the jboss-web.xml and web.xml files. I would check them again to make sure the changes were saved and that you uncommented everything needed.

          • 2. Re: JMX-Console Security in Jboss 4.0
            cam156

            Here are the two files. Please let me know if you see something wrong.

            Just to note, if you got an error saying that you were missing the roles.properties file and user.properties file you are actually using the default "other" realm instead of the jmx-console realm. The other realm works just fine, but it is not what should be configured.

            Thanks for your help!

            web.xml:

            <?xml version="1.0"?>
            <!DOCTYPE web-app PUBLIC
              "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
              "http://java.sun.com/dtd/web-app_2_3.dtd">

            <web-app>
              <description>The standard web descriptor for the html adaptor</description>
              <servlet>
                <servlet-name>HtmlAdaptor</servlet-name>
                <servlet-class>org.jboss.jmx.adaptor.html.HtmlAdaptorServlet</servlet-class>
              </servlet>
              <servlet>
                <servlet-name>ClusteredConsoleServlet</servlet-name>
                <servlet-class>org.jboss.jmx.adaptor.html.ClusteredConsoleServlet</servlet-class>
                <init-param>
                  <param-name>jgProps</param-name>
                  <param-value>UDP(ip_mcast=true;ip_ttl=16;loopback=false;mcast_addr=228.1.2.3;mcast_port=45566):
            org.jboss.jmx.adaptor.control.FindView
                  </param-value>
                  <description>The JGroups protocol stack config</description>
                </init-param>
              </servlet>
              <servlet>
                <servlet-name>DisplayMBeans</servlet-name>
                <jsp-file>/displayMBeans.jsp</jsp-file>
              </servlet>
              <servlet>
                <servlet-name>InspectMBean</servlet-name>
                <jsp-file>/inspectMBean.jsp</jsp-file>
              </servlet>
              <servlet>
                <servlet-name>DisplayOpResult</servlet-name>
                <jsp-file>/displayOpResult.jsp</jsp-file>
              </servlet>
              <servlet>
                <servlet-name>ClusterView</servlet-name>
                <jsp-file>/cluster/clusterView.jsp</jsp-file>
              </servlet>

              <servlet-mapping>
                <servlet-name>HtmlAdaptor</servlet-name>
                <url-pattern>/HtmlAdaptor</url-pattern>
              </servlet-mapping>
              <servlet-mapping>
                <servlet-name>ClusteredConsoleServlet</servlet-name>
                <url-pattern>/cluster/ClusteredConsole</url-pattern>
              </servlet-mapping>
              <servlet-mapping>
                <servlet-name>DisplayMBeans</servlet-name>
                <url-pattern>/DisplayMBeans</url-pattern>
              </servlet-mapping>
              <servlet-mapping>
                <servlet-name>InspectMBean</servlet-name>
                <url-pattern>/InspectMBean</url-pattern>
              </servlet-mapping>
              <servlet-mapping>
                <servlet-name>DisplayOpResult</servlet-name>
                <url-pattern>/DisplayOpResult</url-pattern>
              </servlet-mapping>

              <!-- A security constraint that restricts access to the HTML JMX console
                   to users with the role JBossAdmin. Edit the roles to what you want and
                   uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
                   secured access to the HTML JMX console.-->
              <security-constraint>
                <web-resource-collection>
                  <web-resource-name>HtmlAdaptor</web-resource-name>
                  <description>An example security config that only allows users with the
                    role JBossAdmin to access the HTML JMX console web application
                  </description>
                  <url-pattern>/*</url-pattern>
                  <http-method>GET</http-method>
                  <http-method>POST</http-method>
                </web-resource-collection>
                <auth-constraint>
                  <role-name>JBossAdmin</role-name>
                </auth-constraint>
              </security-constraint>

              <login-config>
                <auth-method>BASIC</auth-method>
                <realm-name>JBoss JMX Console</realm-name>
              </login-config>

              <security-role>
                <role-name>JBossAdmin</role-name>
              </security-role>
            </web-app>
            


            jboss-web.xml:
            <jboss-web>
              <!-- Uncomment the security-domain to enable security. You will
                   need to edit the htmladaptor login configuration to setup the
                   login modules used to authenticate users. -->
              <security-domain>java:/jaas/jmx-console</security-domain>
            </jboss-web>
            


            • 3. Re: JMX-Console Security in Jboss 4.0
              cam156

              Hello,

              I found the solution to my problem myself. There really needs to be some documentation on 4.0.

              I found that the standard server will run the security correctly.

              The reason for this is that the jbossweb-tomcat50.sar/server.xml file in the standard version has the following entry in the engine:

              <!-- The JAAS based authentication and authorization realm implementation
                   that is compatible with the jboss 3.2.x realm implementation.
                   - certificatePrincipal : the class name of the
                     org.jboss.security.auth.certs.CertificatePrincipal impl
                     used for mapping X509[] cert chains to a Principal.
              -->
              <Realm className="org.jboss.web.tomcat.security.JBossSecurityMgrRealm"
                     certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping"
              />
              


              If you are planning to use the default configuration and security, make sure you add the above to the engine.

              -- Carolyn

              • 4. Re: JMX-Console Security in Jboss 4.0
                starksm64

                Both the standard and default configurations have the JBossSecurityMgrRealm defined in the jbossweb-tomcat50.sar/server.xml. The only way your default config does not have this is if you removed it.
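
A way to check the three pieces this thread turns on (the web.xml constraint, the jboss-web.xml security domain, and the Realm in the server.xml engine), as an added example that is not part of the original posts or of JBoss. The function name `audit_jmx_console` and the trimmed sample descriptors are constructed for illustration, and the check assumes namespace-free descriptors like the 2.3 DTD web.xml posted above.

```python
import xml.etree.ElementTree as ET

REALM = "org.jboss.web.tomcat.security.JBossSecurityMgrRealm"

def audit_jmx_console(web_xml, jboss_web_xml, server_xml):
    """Return findings for the three descriptors. The parser drops XML
    comments, so an element that is still commented out counts as missing."""
    findings = []
    web = ET.fromstring(web_xml)
    constraints = web.findall("security-constraint")
    if not constraints:
        findings.append("web.xml: no active <security-constraint>")
    for c in constraints:
        if c.find("auth-constraint/role-name") is None:
            findings.append("web.xml: constraint names no role")
        methods = [(m.text or "").strip() for m in c.iter("http-method")]
        if methods:  # Servlet spec: only the listed methods are constrained
            findings.append("web.xml: constraint covers only " + "/".join(methods))
    if web.find("login-config/auth-method") is None:
        findings.append("web.xml: no <login-config>")
    domain = (ET.fromstring(jboss_web_xml).findtext("security-domain") or "").strip()
    if not domain.startswith("java:/jaas/"):
        findings.append("jboss-web.xml: no active <security-domain>")
    realms = [r.get("className") for e in ET.fromstring(server_xml).iter("Engine")
              for r in e.findall("Realm")]
    if REALM not in realms:
        findings.append("server.xml: JBossSecurityMgrRealm missing from <Engine>")
    return findings

# Constructed, trimmed-down descriptors (not the full files from the thread).
WEB_AS_POSTED = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""
WEB_COMMENTED = "<web-app><!-- <security-constraint/> --></web-app>"
JBOSS_WEB = "<jboss-web><security-domain>java:/jaas/jmx-console</security-domain></jboss-web>"
JBOSS_WEB_COMMENTED = "<jboss-web><!-- <security-domain>java:/jaas/jmx-console</security-domain> --></jboss-web>"
SERVER = '<Server><Service><Engine><Realm className="%s"/></Engine></Service></Server>' % REALM
SERVER_NO_REALM = "<Server><Service><Engine/></Service></Server>"

if __name__ == "__main__":
    for finding in audit_jmx_console(WEB_COMMENTED, JBOSS_WEB_COMMENTED, SERVER_NO_REALM):
        print(finding)
```

Run against the constraint as posted, the only finding is the `http-method` one: with GET and POST listed, the role requirement applies to those two methods only, and removing both `<http-method>` elements makes the constraint cover every method.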