2. Re: How to secure the JMX Console?
sachin.parnami Oct 23, 2008 11:39 PM (in response to sachin.parnami)
Hi Peter,
Thanks for your reply :)

3. Re: How to secure the JMX Console?
sachin.parnami Oct 24, 2008 12:01 AM (in response to sachin.parnami)
One more doubt :)
It's working fine.
Now I have entered the wrong password, I guess 3 times.
Now it's not allowing me to get access to it; it says:

    type Status report
    message Access to the requested resource has been denied
    description Access to the specified resource (Access to the requested resource has been denied) has been forbidden.

Even when I restart my server.
How to resolve this?
Regards,
Sachin Parnami

4. Re: How to secure the JMX Console?
peterj Oct 24, 2008 2:33 PM (in response to sachin.parnami)
There is no "lockout after x failed log in attempts" within jbossas, at least not for the default login module for jmx console. I just now tried it and after 10 failed attempts I can still log in.
What are all of the configuration changes you made?

5. Re: How to secure the JMX Console?
sachin.parnami Oct 24, 2008 11:17 PM (in response to sachin.parnami)
Hi Peter,
Here are the changes done by me in

default/conf/props/jmx-console-users.properties

    # A sample users.properties file for use with the UsersRolesLoginModule
    master=Sachin

default/conf/props/jmx-console-roles.properties

    # A sample roles.properties file for use with the UsersRolesLoginModule
    admin=JBossAdmin,HttpInvoker

default/deploy/jmx-console.war/WEB-INF/jboss-web.xml

    <jboss-web>
       <!-- Uncomment the security-domain to enable security. You will
          need to edit the htmladaptor login configuration to setup the
          login modules used to authentication users.
       -->
       <security-domain>java:/jaas/jmx-console</security-domain>
    </jboss-web>

default/deploy/jmx-console.war/WEB-INF/web.xml

    <!-- A security constraint that restricts access to the HTML JMX console
       to users with the role JBossAdmin. Edit the roles to what you want and
       uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
       secured access to the HTML JMX console.
    -->
    <security-constraint>
       <web-resource-collection>
          <web-resource-name>HtmlAdaptor</web-resource-name>
          <description>An example security config that only allows users with the
             role JBossAdmin to access the HTML JMX console web application
          </description>
          <url-pattern>/*</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
       </web-resource-collection>
       <auth-constraint>
          <role-name>JBossAdmin</role-name>
       </auth-constraint>
    </security-constraint>

I am using jboss-4.2.2.GA :)
Regards,
Sachin Parnami

6. Re: How to secure the JMX Console?
jaikiran Oct 25, 2008 4:17 AM (in response to sachin.parnami)
> now its not allowing me to get access to it

Which browser do you use? Can you try it with some other browser? Maybe some caching might be coming into picture.

7. Re: How to secure the JMX Console?
sachin.parnami Oct 25, 2008 5:37 AM (in response to sachin.parnami)
I tried with Mozilla and FC9's Epiphany web browser :)

8. Re: How to secure the JMX Console?
jaikiran Oct 25, 2008 5:44 AM (in response to sachin.parnami)
And you see the same behaviour? Do these browsers allow you to enter the user/password at least once? If yes, then how many retries do they allow? And finally, try enabling the TRACE level logs of jboss security package and see if those provide some clues. Enabling TRACE level logs is explained in Q4 at http://www.jboss.org/community/docs/DOC-12198

9. Re: How to secure the JMX Console?
sachin.parnami Oct 25, 2008 6:13 AM (in response to sachin.parnami)
Have you tried setting

default/conf/props/jmx-console-users.properties

    # A sample users.properties file for use with the UsersRolesLoginModule
    master=Sachin

Maybe because of master name it creates that problem?

10. Re: How to secure the JMX Console?
jaikiran Oct 25, 2008 6:18 AM (in response to sachin.parnami)
I should have seen this earlier:

default/conf/props/jmx-console-users.properties

    # A sample users.properties file for use with the UsersRolesLoginModule
    master=Sachin

default/conf/props/jmx-console-roles.properties

    # A sample roles.properties file for use with the UsersRolesLoginModule
    admin=JBossAdmin,HttpInvoker

The users.properties contains username and password. The roles.properties contains username and roles.
So in your case, you have a user named master (in users.properties) but haven't assigned any roles to this user in the roles.properties. So in your roles.properties, you can add:

    master=JBossAdmin,HttpInvoker

Restart the server for the changes to take effect.

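An added example, not part of the thread and not JBoss code: a small cross-check of a UsersRolesLoginModule users file against its roles file, which reports users who can authenticate but lack the role named in the web.xml auth-constraint (the situation diagnosed above). The function names and the sample file contents are constructed here from the configuration quoted in the posts.

```python
# Added example, not from the thread. File contents are constructed from the
# configuration quoted in the posts above.

def parse_properties(text):
    """Parse simple key=value lines, skipping blanks and #/! comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        entries[key.strip()] = value.strip()
    return entries


def audit_roles(users_text, roles_text, required_role):
    """Compare a users file with a roles file for one required role.

    denied   - users that can authenticate but lack required_role (HTTP 403)
    orphaned - names in the roles file with no entry in the users file
    """
    users = parse_properties(users_text)
    roles = {
        name: {r.strip() for r in value.split(",") if r.strip()}
        for name, value in parse_properties(roles_text).items()
    }
    return {
        "denied": sorted(u for u in users if required_role not in roles.get(u, set())),
        "orphaned": sorted(name for name in roles if name not in users),
    }


# Constructed sample input: users file and roles file as posted, then corrected.
USERS = "# users: username=password\nmaster=Sachin\n"
ROLES_AS_POSTED = "# roles: username=role1,role2\nadmin=JBossAdmin,HttpInvoker\n"
ROLES_CORRECTED = ROLES_AS_POSTED + "master=JBossAdmin,HttpInvoker\n"

if __name__ == "__main__":
    for label, roles_text in (("as posted", ROLES_AS_POSTED), ("corrected", ROLES_CORRECTED)):
        print(label, audit_roles(USERS, roles_text, "JBossAdmin"))
```
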
11. Re: How to secure the JMX Console?
sachin.parnami Oct 29, 2008 9:59 AM (in response to sachin.parnami)
Hi, thanks, got it solved, thanks again ;)

12. Re: How to secure the JMX Console?
vgarmash Apr 3, 2011 12:25 AM (in response to sachin.parnami)
This is default behaviour of BASIC Authentication - after 3 wrong passwords it shows this error. If you restart your browser you can start trying again.

13. Re: How to secure the JMX Console?
vgarmash Apr 3, 2011 12:29 AM (in response to sachin.parnami)
For those who find this topic by search:
There is a community courtesy notification for a severe security issue affecting some of the JBoss projects and products. Default security settings in web.xml protect only GET and POST protocols, leaving the other ones open. Please refer to the following Red Hat KBase article for more information:
JBoss Products & CVE-2010-0738
Only when you apply the solution can you be sure that your JMX Console is protected.
Please note that Web Console has the same issue, and you need to apply the solution to it as well.
Also, it is recommended to hash passwords in the config files. Read about how to do it in the JBoss Getting Started guide.
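
An added example, not part of the thread and not JBoss code: a check for the condition described in the post above, a security-constraint whose web-resource-collection names explicit http-method elements and therefore covers only those methods. The function names and the two sample descriptors are constructed here from the web.xml fragment quoted earlier; a collection with no http-method elements applies its constraint to every method.

```python
# Added example, not from the thread. The descriptors below are constructed
# from the web.xml fragment quoted in the posts above.
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip an XML namespace prefix such as {http://...}web-app."""
    return tag.rsplit("}", 1)[-1] if isinstance(tag, str) else ""


def _texts(parent, name):
    """Text of each direct child element with the given local name."""
    return [(el.text or "").strip() for el in parent if _local(el.tag) == name]


def method_limited_constraints(web_xml_text):
    """Return (resource name, url patterns, methods) for every
    web-resource-collection that names explicit http-method elements."""
    findings = []
    for node in ET.fromstring(web_xml_text).iter():
        if _local(node.tag) != "security-constraint":
            continue
        for coll in node:
            if _local(coll.tag) != "web-resource-collection":
                continue
            methods = _texts(coll, "http-method")
            if methods:  # the constraint is enforced for these methods only
                name = (_texts(coll, "web-resource-name") or ["?"])[0]
                findings.append((name, _texts(coll, "url-pattern"), methods))
    return findings


# Constructed sample descriptors: one as quoted in the thread, one without
# http-method elements so the constraint covers all methods.
COLLECTION = """<web-resource-collection>
  <web-resource-name>HtmlAdaptor</web-resource-name>
  <url-pattern>/*</url-pattern>%s
</web-resource-collection>"""
WRAPPER = ("<web-app><security-constraint>%s<auth-constraint>"
           "<role-name>JBossAdmin</role-name></auth-constraint>"
           "</security-constraint></web-app>")
AS_POSTED = WRAPPER % (COLLECTION % "<http-method>GET</http-method><http-method>POST</http-method>")
ALL_METHODS = WRAPPER % (COLLECTION % "")

if __name__ == "__main__":
    print(method_limited_constraints(AS_POSTED))
    print(method_limited_constraints(ALL_METHODS))
```
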