7 Replies Latest reply on Dec 20, 2004 4:06 PM by wiley173

Please help with ZEN of Jboss for dedicated newbie/student

wiley173 Dec 17, 2004 11:33 PM

Hello sir/madam,

I'm getting there with my default install of jboss 3.2.6 . So far my posts have gone unasnwered and this has actually helped me figure out for myself the problems therefore making me stronger in knowledge but I cannot seem to figure one thing now and have hit a brick wall.

I've secured the jmx-console, web-console and have disabled the hypersonic database, although it looks like it was already somewhat disabled ( I changed the default login, password )

I've been using tomcat for years as a "program" developer for years, never as a system admin or linux user. I've finally decided to flush my MS down the toilet anyway, I cannot seem to figure out how to on /mysite:8080 how to disable the tomcat status link. I feel this would be a security issue? Am I wrong? I noticed lots of tutorials on securing the jmx-console and web-console which I have done but the tomcat status is worrying me and I would really appreciate someone to help me secure this area.

Thank you
-B Wiley

1. Re: Please help with ZEN of Jboss for dedicated newbie/stude

starksm64 Dec 18, 2004 10:12 AM (in response to wiley173)

Remove the jbossweb-tomcat50.sar/ROOT.war or secure it.
Actions
2. Re: Please help with ZEN of Jboss for dedicated newbie/stude

wiley173 Dec 19, 2004 5:40 PM (in response to wiley173)

I can't remove the .sar because I'm using tomcat. How do I secure it? Where do I begin to find information on securing this..... I've been on google for hours "secure status servlet" "status secure jboss"??? Do I have to secure it myself from scratch? Or is there something already there to help like in the case of the jmx-console and web-console?

How about a clue?
Actions
3. Re: Please help with ZEN of Jboss for dedicated newbie/stude

starksm64 Dec 19, 2004 6:26 PM (in response to wiley173)

Wake up and reread my last post and you will see that removal of the sar was not suggested. Removal of the ROOT.war in the jbossweb-tomcat50.sar was.
Actions
4. Re: Please help with ZEN of Jboss for dedicated newbie/stude

wiley173 Dec 19, 2004 6:53 PM (in response to wiley173)

Why don't you wake up and read my last post.

"Where do I begin to find information on securing this..... I've been on google for hours "secure status servlet" "status secure jboss"??? Do I have to secure it myself from scratch? Or is there something already there to help like in the case of the jmx-console and web-console?"

I can't remove the ROOT.war in my situation. I'm so sorry to disturb you oh mighty one
Actions
5. Re: Please help with ZEN of Jboss for dedicated newbie/stude

blackers Dec 19, 2004 8:31 PM (in response to wiley173)

Read the sticky post in the security forum on how to use JAAS to secure web applications.

And lose the attitude!!
Actions
6. Re: Please help with ZEN of Jboss for dedicated newbie/stude

wiley173 Dec 19, 2004 9:19 PM (in response to wiley173)

Yeah, I read that.
Merry Christmas and thanks so much for the help
Actions
7. securing the tomcat status servlet

wiley173 Dec 20, 2004 4:06 PM (in response to wiley173)

Just in case any other newbie wants to know. I commented out tomcat status in the html of the default page and renamed the status servlet in the web.xml of the ROOT.war to something only I know. I couldn't delete the ROOT.war becuase I want to use it and I couldn't secure it because I basically wanted to do things like http://localhost/myjsp.jsp . If that makes sense.

Happy New Year , I feel very Zen now
Actions

Go to original post