Problems securing jmx-console
wilbury1 Apr 12, 2005 3:29 AM
Hi all out there!
Following the documentation's steps on http://www.jboss.org/wiki/Wiki.jsp?page=SecureTheJmxConsole I tried in vain to secure the jmx-console. The console stays reachable for anyone. Even if I force a hot deployment by touching the application's web.xml while JBoss is running, the security configuration is activated.
1. I uncommented the security constraints in jmx-console.war/WEB-INF/web.xml:
------ cut out -------------------
<!-- uncommented pjs 20050405 -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    An example security config that only allows users with the
    role JBossAdmin to access the HTML JMX console web application
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>JBoss JMX Console</realm-name>
</login-config>
<security-role>
  <role-name>JBossAdmin</role-name>
</security-role>
<security-role>
  <role-name>AuthUser</role-name>
</security-role>
------ end of cut out -----------------------------
2. I changed users and passwords in WEB-INF/classes/jmx-console-users.properties
------ cut out -------------------
# A sample users.properties file for use with the UsersRolesLoginModule
auth_user=pazzword
#admin=admin
#admin=adm
------ end of cut out -----------------------------
and I changed WEB-INF/classes/jmx-console-roles.properties:
------ cut out -------------------
# A sample roles.properties file for use with the UsersRolesLoginModule
#admin=JBossAdmin
auth_user=JBossAdmin
------ end of cut out -----------------------------
3. I edited WEB-INF/jboss-web.xml and uncommented the security-domain block
------ cut out -------------------
<jboss-web>
  <!-- uncommented pjs 20050405 -->
  <security-domain>java:/jaas/jmx-console</security-domain>
</jboss-web>
------ end of cut out -----------------------------
If I shut down the server and start it up again, the changes do not become active. They only work after a change to web.xml while JBoss is running. I'd like JBoss to secure the jmx-console even after a startup.
Does anybody see a mistake or have a solution?
Thanks in advance
Peter
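
A consistency check over the four files edited in steps 1 to 3, as an added example that is not part of the original post and not JBoss tooling. The file contents are constructed from the fragments quoted above, the function names are hypothetical, and a web.xml without XML namespaces is assumed; it verifies only that the files agree with each other, not why a restart behaves differently from a hot deploy.

```python
import xml.etree.ElementTree as ET

# Constructed inputs: the four fragments as quoted in the post above.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""
JBOSS_WEB_XML = ("<jboss-web><security-domain>java:/jaas/jmx-console"
                 "</security-domain></jboss-web>")
USERS = "auth_user=pazzword\n#admin=admin\n#admin=adm\n"
ROLES = "#admin=JBossAdmin\nauth_user=JBossAdmin\n"

def parse_props(text):
    """Parse key=value lines, skipping blanks and '#' comments."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if l.strip() and not l.lstrip().startswith("#") and "=" in l)
    return {k.strip(): v.strip() for k, v in pairs}

def lint(web_xml, jboss_web_xml, users_text, roles_text):
    """Return a list of findings; an empty list means the files agree."""
    findings = []
    web, users = ET.fromstring(web_xml), parse_props(users_text)
    roles = {u: {r.strip() for r in v.split(",")}
             for u, v in parse_props(roles_text).items()}
    constraints = web.findall("security-constraint")
    if not constraints:
        findings.append("web.xml: no active <security-constraint>")
    if web.find("login-config/auth-method") is None:
        findings.append("web.xml: no <login-config>/<auth-method>")
    domain = ET.fromstring(jboss_web_xml).findtext("security-domain")
    if not (domain or "").strip():
        findings.append("jboss-web.xml: no <security-domain>")
    for c in constraints:
        if "/*" not in [p.text for p in c.iter("url-pattern")]:
            findings.append("web.xml: constraint does not cover /*")
        methods = [m.text for m in c.iter("http-method")]
        if methods:  # listed methods narrow the constraint to those methods
            findings.append("web.xml: constraint limited to " + ",".join(methods))
        for role in [r.text for r in c.findall("auth-constraint/role-name")]:
            if not any(role in roles.get(u, ()) for u in users):
                findings.append("no user in users.properties has role " + role)
    return findings
```

On the fragments from the post, the only finding is the method restriction: a constraint that lists `<http-method>` elements protects only those methods, so removing them makes it cover every method.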