3 Replies Latest reply on Nov 19, 2003 4:24 AM by juha

    web-console authentication

    raphael

      Hi,

      why is it that neither the web-console (nor the jmx-console) are
      behind a username/password authentication and thus a JBoss
      appserver is open for being managed (attacked) from outside
      by default? Wouldn't it be better to have it the other way around?

      How can I secure the web-console? I did it for the jmx-console
      but since the web-console comes in a single war file it's a little
      bit more work (which I would have to do for a list of JBoss servers
      in our environment). Is there an easier way than unpacking,
      securing and repacking it?

      Regards,
      Raphael

        • 1. Re: web-console authentication

          > why is it that neither the web-console (nor the jmx-console) are
          > behind a username/password authentication and thus a JBoss
          > appserver is open for being managed (attacked) from outside
          > by default? Wouldn't it be better to have it the other way around?

          Yes.


          > How can I secure the web-console? I did it for the jmx-console
          > but since the web-console comes in a single war file it's a little
          > bit more work (which I would have to do for a list of JBoss servers
          > in our environment). Is there an easier way than unpacking,
          > securing and repacking it?

          No. Plus you need to secure the applet separately from the servlets. Sacha was hacking this a while back but I don't know if he ever came to an adequate solution.

          -- juha

          • 2. Re: web-console authentication

            Anyone come up with a solution for this? It would be odd for a "production ready" JBoss application server to be remotely exploitable just by installing it.

            • 3. Re: web-console authentication

              ?

              All distros are open in several ways, if you don't want the web-console, just remove the WAR.

              -- Juha
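Added example (not code from this thread or from the JBoss project): since juha's answer is that there is no shortcut around "unpacking, securing and repacking" the WAR, the one thing that does scale to Raphael's list of servers is scripting that pass. The function below reads a WAR, inserts a `security-constraint` / `login-config` / `security-role` block before `</web-app>` in `WEB-INF/web.xml`, and writes a `WEB-INF/jboss-web.xml` binding the application to a JAAS security domain. The role name `JBossAdmin`, the security-domain name `web-console`, the realm name and the sample WAR are all assumptions of this example; the domain must match an `application-policy` in the server's `login-config.xml`, which this script does not create. As juha notes, this only covers the servlets; the applet's own communication path still has to be secured separately.

```python
"""Script the 'unpack, secure, repack' pass over a console WAR.

Added example, not JBoss project code. Assumptions: the WAR contains
WEB-INF/web.xml ending in </web-app>; the role name, realm name and the
JAAS security domain (default 'web-console') are placeholders that must
match an application-policy in the server's login-config.xml.
"""
import io
import zipfile

# Fragment appended to web.xml: require an authenticated user holding
# the admin role for every URL of the application, via HTTP BASIC auth.
SECURITY_FRAGMENT = """\
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>{name}</web-resource-name>
      <description>Require authentication for every console URL</description>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>{role}</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>{name}</realm-name>
  </login-config>
  <security-role>
    <role-name>{role}</role-name>
  </security-role>
"""

# JBoss-specific descriptor binding the web app to a JAAS security domain
# (assumed domain name; must exist in login-config.xml).
JBOSS_WEB_XML = """\
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
  <security-domain>java:/jaas/{domain}</security-domain>
</jboss-web>
"""


def secure_web_xml(web_xml: str, name: str, role: str) -> str:
    """Insert the security block before the closing </web-app> tag.
    Idempotent: a web.xml that already has a <security-constraint>
    is returned unchanged, so the script can be re-run safely."""
    if "<security-constraint>" in web_xml:
        return web_xml
    idx = web_xml.rfind("</web-app>")
    if idx < 0:
        raise ValueError("web.xml has no closing </web-app> element")
    return web_xml[:idx] + SECURITY_FRAGMENT.format(name=name, role=role) + web_xml[idx:]


def secure_war(war_bytes: bytes, name: str = "WebConsole",
               role: str = "JBossAdmin", domain: str = "web-console") -> bytes:
    """Return a repacked copy of the WAR: every entry is copied as-is
    except web.xml (secured) and jboss-web.xml (replaced)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        if "WEB-INF/web.xml" not in src.namelist():
            raise ValueError("not a WAR: WEB-INF/web.xml missing")
        for info in src.infolist():
            if info.filename == "WEB-INF/jboss-web.xml":
                continue  # replaced with our own descriptor below
            data = src.read(info.filename)
            if info.filename == "WEB-INF/web.xml":
                data = secure_web_xml(data.decode("utf-8"), name, role).encode("utf-8")
            dst.writestr(info, data)
        dst.writestr("WEB-INF/jboss-web.xml", JBOSS_WEB_XML.format(domain=domain))
    return out.getvalue()


def build_sample_war() -> bytes:
    """Constructed stand-in for web-console.war: a minimal WAR whose
    web.xml has no security-constraint (sample data, not the real console)."""
    web_xml = """<?xml version="1.0" encoding="UTF-8"?>
<web-app>
  <servlet>
    <servlet-name>Invoker</servlet-name>
    <servlet-class>example.InvokerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>Invoker</servlet-name>
    <url-pattern>/Invoker</url-pattern>
  </servlet-mapping>
</web-app>
"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("WEB-INF/web.xml", web_xml)
        z.writestr("index.html", "<html>console</html>")
    return buf.getvalue()


def read_entry(war_bytes: bytes, entry: str) -> str:
    """Read one entry of a WAR as text (used to inspect the result)."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as z:
        return z.read(entry).decode("utf-8")


if __name__ == "__main__":
    secured = secure_war(build_sample_war())
    print(read_entry(secured, "WEB-INF/web.xml"))
    print(read_entry(secured, "WEB-INF/jboss-web.xml"))
```

For a real deployment, replace `build_sample_war()` with the bytes of the server's `web-console.war`, write the returned bytes back over it, and check the result by requesting any console URL over HTTP: an unauthenticated request should now get a 401 rather than the console page.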