13 Replies Latest reply on Apr 3, 2011 12:29 AM by vgarmash

    How to secure the JMX Console?

      Hi,

      I have a doubt about securing the JMX Console.

      I know that we have to make changes in
      jboss-web.xml in deploy/jmx-console.war,
      and in web.xml
      we have to uncomment the code :)

      Is there anywhere else changes need to be done?

      Regards,
      Sachin Parnami

        • 1. Re: How to secure the JMX Console?
          peterj
          • 2. Re: How to secure the JMX Console?

            Hi Peter,

            Thanks for your reply :)

            • 3. Re: How to secure the JMX Console?

              One more doubt :)

              It's working fine.

              Now I have entered a wrong password, I guess 3 times.

              Now it's not allowing me to get access to it; it says:


              type: Status report
              message: Access to the requested resource has been denied
              description: Access to the specified resource (Access to the requested resource has been denied) has been forbidden.



              even when I restart my server.

              How do I resolve this?

              Regards,
              Sachin Parnami

              • 4. Re: How to secure the JMX Console?
                peterj

                There is no "lockout after x failed login attempts" within jbossas, at least not for the default login module for the jmx console. I just now tried it and after 10 failed attempts I can still log in.

                What are all of the configuration changes you made?

                • 5. Re: How to secure the JMX Console?

                  Hi Peter,

                  Here are the changes done by me in

                  default/conf/props/jmx-console-users.properties

                  # A sample users.properties file for use with the UsersRolesLoginModule
                  master=Sachin



                  default/conf/props/jmx-console-roles.properties
                  # A sample roles.properties file for use with the UsersRolesLoginModule
                  admin=JBossAdmin,HttpInvoker
                  


                  default/deploy/jmx-console.war/WEB-INF/jboss-web.xml
                  <jboss-web>
                   <!-- Uncomment the security-domain to enable security. You will
                   need to edit the htmladaptor login configuration to setup the
                   login modules used to authentication users.
                   -->
                   <security-domain>java:/jaas/jmx-console</security-domain>
                  
                  </jboss-web>
                  


                  default/deploy/jmx-console.war/WEB-INF/web.xml
                   <!-- A security constraint that restricts access to the HTML JMX console
                   to users with the role JBossAdmin. Edit the roles to what you want and
                   uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
                   secured access to the HTML JMX console.-->
                   <security-constraint>
                   <web-resource-collection>
                   <web-resource-name>HtmlAdaptor</web-resource-name>
                   <description>An example security config that only allows users with the
                   role JBossAdmin to access the HTML JMX console web application
                   </description>
                   <url-pattern>/*</url-pattern>
                   <http-method>GET</http-method>
                   <http-method>POST</http-method>
                   </web-resource-collection>
                   <auth-constraint>
                   <role-name>JBossAdmin</role-name>
                   </auth-constraint>
                   </security-constraint>
                  
                  
                  


                  I am using jboss-4.2.2.GA :)

                  Regards,
                  Sachin Parnami

                  • 6. Re: How to secure the JMX Console?
                    jaikiran

                     

                    now its not allowing me to get access to it


                    Which browser do you use? Can you try it with some other browser? Maybe some caching might be coming into the picture.


                    • 7. Re: How to secure the JMX Console?

                      I tried with Mozilla and FC9's Epiphany web browser :)

                      • 8. Re: How to secure the JMX Console?
                        jaikiran

                        And you see the same behaviour? Do these browsers allow you to enter the user/password at least once? If yes, then how many retries do they allow? And finally, try enabling the TRACE level logs of the jboss security package and see if those provide some clues. Enabling TRACE level logs is explained in Q4 at http://www.jboss.org/community/docs/DOC-12198

                        • 9. Re: How to secure the JMX Console?

                          Have you tried setting

                          default/conf/props/jmx-console-users.properties

                          # A sample users.properties file for use with the UsersRolesLoginModule
                          master=Sachin
                          


                          Maybe it creates that problem because of the name master?

                          • 10. Re: How to secure the JMX Console?
                            jaikiran

                            I should have seen this earlier:

                            default/conf/props/jmx-console-users.properties

                            # A sample users.properties file for use with the UsersRolesLoginModule
                            master=Sachin
                            


                            default/conf/props/jmx-console-roles.properties

                            # A sample roles.properties file for use with the UsersRolesLoginModule
                            admin=JBossAdmin,HttpInvoker
                            



                            The users.properties contains username and password. The roles.properties contains username and roles.

                            So in your case, you have a user named master (in users.properties) but haven't assigned any roles to this user in the roles.properties. So in your roles.properties, you can add:

                            master=JBossAdmin,HttpInvoker


                            Restart the server for the changes to take effect.
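
To make the diagnosis in this reply concrete, here is an added example (not JBoss code, and not from anyone in this thread) that reads the two properties files posted above, applies the same decision UsersRolesLoginModule and the web.xml <auth-constraint> make, and reports the HTTP status a request would get. With the files as posted, master authenticates but holds no role, so the answer is 403 rather than 401: an authorization failure that a server restart cannot change. It also shows the base64(MD5) form that UsersRolesLoginModule compares against when the hashAlgorithm=MD5 / hashEncoding=base64 module options are set (the hashing recommendation made later in the thread). The REQUIRED_ROLES constant and the function names are this example's own assumptions.

```python
"""Simulate the JMX console's authentication and authorization decision.

Added example; this is not JBoss code and not from anyone in this thread.
It mimics what UsersRolesLoginModule (users.properties / roles.properties)
and the web.xml <auth-constraint> decide for one request, so that the
difference between a 401 (bad credentials) and the 403 seen in the thread
(good credentials, no matching role) is visible.
"""
import base64
import hashlib

# The two files exactly as posted in the thread, embedded so this runs offline.
USERS_PROPERTIES = """\
# A sample users.properties file for use with the UsersRolesLoginModule
master=Sachin
"""
ROLES_PROPERTIES = """\
# A sample roles.properties file for use with the UsersRolesLoginModule
admin=JBossAdmin,HttpInvoker
"""

# Roles accepted by the <auth-constraint> for /* in the posted web.xml.
# (This constant is the example's own; its value is taken from that file.)
REQUIRED_ROLES = frozenset({"JBossAdmin"})


def parse_properties(text):
    """Minimal Java .properties reader: key=value, '#'/'!' comments, blank lines."""
    out = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            out[key.strip()] = value.strip()
    return out


def parse_roles(text):
    """roles.properties maps user -> comma-separated roles."""
    return {user: {r.strip() for r in value.split(",") if r.strip()}
            for user, value in parse_properties(text).items()}


def stored_form(password, hash_algorithm=None):
    """Value UsersRolesLoginModule compares the submitted password against.

    Without the hashAlgorithm module option the file holds clear text.
    With hashAlgorithm=MD5 and hashEncoding=base64 (the hashing
    recommendation at the end of the thread) it holds base64(MD5(password)).
    """
    if hash_algorithm is None:
        return password
    digest = hashlib.new(hash_algorithm.lower(), password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def decide(users, roles, username, password, hash_algorithm=None):
    """HTTP status the container sends for a request under BASIC auth.

    401: the login module rejected user/password (the browser prompts again).
    403: the login succeeded but the user holds none of REQUIRED_ROLES;
         this is the 'Access to the requested resource has been denied'
         page from the thread. It comes from configuration, so a server
         restart does not clear it.
    """
    stored = users.get(username)
    if stored is None or stored != stored_form(password, hash_algorithm):
        return 401
    if roles.get(username, set()) & REQUIRED_ROLES:
        return 200
    return 403


def users_without_required_role(users, roles):
    """Config lint: users who can authenticate but can never reach the console."""
    return sorted(u for u in users if not (roles.get(u, set()) & REQUIRED_ROLES))


if __name__ == "__main__":
    users = parse_properties(USERS_PROPERTIES)
    roles = parse_roles(ROLES_PROPERTIES)
    print("as posted, master/Sachin:", decide(users, roles, "master", "Sachin"))
    print("users with no usable role:", users_without_required_role(users, roles))
    roles["master"] = {"JBossAdmin", "HttpInvoker"}  # the fix above, applied in memory
    print("after the fix:", decide(users, roles, "master", "Sachin"))
    print("wrong password:", decide(users, roles, "master", "nope"))
```

Running it on the posted files prints 403 for master, lists master as the user with no usable role, and returns 200 once master=JBossAdmin,HttpInvoker is added to roles.properties; a wrong password is the only case that yields 401.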


                            • 11. Re: How to secure the JMX Console?

                              Hi, thanks, got it solved, thanks again ;)

                              • 12. Re: How to secure the JMX Console?
                                vgarmash

                                This is the default behaviour of BASIC Authentication: after 3 wrong passwords it shows this error. If you restart your browser you can start trying again.

                                • 13. Re: How to secure the JMX Console?
                                  vgarmash

                                  For those who find this topic by search:

                                   

                                  There is a community courtesy notification for a severe security issue affecting some of the JBoss projects and products. Default security settings in web.xml protect only the GET and POST protocols, leaving the other ones open. Please refer to the following Red Hat KBase article for more information:

                                   

                                  JBoss Products & CVE-2010-0738

                                   

                                  Only when you apply the solution can you be sure that your JMX Console is protected.

                                  Please note that Web Console has the same issue, and you need to apply the solution to it as well.

                                   

                                  Also, it is recommended to hash passwords in the config files. Read about how to do it in the JBoss Getting Started guide.
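
As an added example (not Red Hat's or the JBoss project's code) of the gap CVE-2010-0738 describes: the script below parses a web.xml, reports every <web-resource-collection> that limits its constraint to listed verbs, shows that a HEAD or PUT request to the console is matched by no constraint under the shipped GET/POST-only configuration, and produces the corrected constraint with the <http-method> elements removed so that it covers every verb. The web.xml text is constructed inline from the security-constraint posted earlier in the thread, trimmed to the relevant elements; the function names are this example's own. The same check applies unchanged to the web-console's web.xml. Editing the deployed file by hand is still the way to apply the fix; the rewrite function is for checking the result.

```python
"""Find and fix the CVE-2010-0738 gap in a jmx-console / web-console web.xml.

Added example; not Red Hat's or the JBoss project's tooling. A
<security-constraint> whose <web-resource-collection> lists
<http-method>GET</http-method> and POST only applies to those two verbs:
a HEAD, PUT, DELETE or OPTIONS request to the same URL matches no
constraint and reaches the servlet without authentication. Leaving out
<http-method> altogether makes the constraint apply to every verb.
"""
import xml.etree.ElementTree as ET

# The constraint as shipped with JBoss 4.2.2 (the web.xml posted in this
# thread, trimmed to the relevant elements and constructed inline).
WEB_XML_AS_SHIPPED = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

# The fix: delete the two <http-method> lines so the constraint covers
# every HTTP verb. Everything else in the file stays the same.
WEB_XML_FIXED = WEB_XML_AS_SHIPPED.replace(
    "      <http-method>GET</http-method>\n"
    "      <http-method>POST</http-method>\n", "")


def _local(tag):
    """Strip an XML namespace ({uri}name -> name); real web.xml files carry one."""
    return tag.rsplit("}", 1)[-1]


def resource_collections(web_xml_text):
    """Yield (url_patterns, http_methods) for each <web-resource-collection>
    inside a <security-constraint>; an empty method list means 'all verbs'."""
    root = ET.fromstring(web_xml_text)
    for constraint in root.iter():
        if _local(constraint.tag) != "security-constraint":
            continue
        for coll in constraint:
            if _local(coll.tag) != "web-resource-collection":
                continue
            patterns, methods = [], []
            for child in coll:
                if _local(child.tag) == "url-pattern":
                    patterns.append(child.text.strip())
                elif _local(child.tag) == "http-method":
                    methods.append(child.text.strip().upper())
            yield patterns, sorted(methods)


def method_gaps(web_xml_text):
    """Collections that restrict their constraint to listed verbs (the CVE-2010-0738 shape)."""
    return [(p, m) for p, m in resource_collections(web_xml_text) if m]


def _pattern_matches(pattern, path):
    """Servlet url-pattern matching: prefix (/x/*), extension (*.ext) or exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def is_protected(web_xml_text, path, method):
    """True if some constraint matches this path AND verb, i.e. the container
    demands authentication; False means the request goes straight through."""
    method = method.upper()
    for patterns, methods in resource_collections(web_xml_text):
        if methods and method not in methods:
            continue
        if any(_pattern_matches(p, path) for p in patterns):
            return True
    return False


def remove_method_restrictions(web_xml_text):
    """Return the web.xml with every <http-method> element deleted. ElementTree
    drops XML comments when re-serialising, so use this to verify a hand edit
    rather than to rewrite the deployed file."""
    root = ET.fromstring(web_xml_text)
    for coll in root.iter():
        if _local(coll.tag) == "web-resource-collection":
            for child in list(coll):
                if _local(child.tag) == "http-method":
                    coll.remove(child)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, text in (("as shipped", WEB_XML_AS_SHIPPED), ("fixed", WEB_XML_FIXED)):
        print(name, "gaps:", method_gaps(text))
        for verb in ("GET", "POST", "HEAD", "PUT"):
            print("  %-4s /HtmlAdaptor protected: %s"
                  % (verb, is_protected(text, "/HtmlAdaptor", verb)))
```

Point it at deploy/jmx-console.war/WEB-INF/web.xml and deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml after patching: method_gaps() must return an empty list for both, and is_protected() must be True for every verb you try, not just GET and POST.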