8 Replies Latest reply on Aug 27, 2003 3:59 PM by docjava_seattle

    STEPS to protect the jmx-console with passwd

    cronos

      Steps to protect jmx-console:

      1) Change user and password in:

      {INSTALL_DIR_JBOSS}/server/default/deploy/jmx-console.war/WEB-INF/classes/users.properties
      {INSTALL_DIR_JBOSS}/server/default/deploy/jmx-console.war/WEB-INF/classes/roles.properties

      2) Go to file:

      {INSTALL_DIR_JBOSS}/server/default/conf/login-config.xml

      comment the following:

      <application-policy name = "jmx-console">

      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
      flag = "required" />

      </application-policy>

      and replace this section (bottom):

      <application-policy name = "other">
      .....
      .....
      </application-policy>

      with this one:

      <application-policy name = "other">

      <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule" flag = "required">
      <module-option name="usersProperties">users.properties</module-option>
      <module-option name="rolesProperties">roles.properties</module-option>
      </login-module>



      </application-policy>

      3) Go to file:

      {INSTALL_DIR_JBOSS}/server/default/deploy/jmx-console.war/WEB-INF/jboss-web.xml

      and uncomment the line:

      <security-domain>java:/jaas/jmx-console</security-domain>

      4) Finish. If you try to enter the jmx-console, a password will be required.

        • 1. Re: STEPS to protect the jmx-console with passwd
          gelrad

          1. What is the format of the files users.properties and roles.properties?

          2. Do you need to restart jboss for the changes to take effect?

          3. Why not just add:
          <module-option name="usersProperties">users.properties</module-option>
          <module-option name="rolesProperties">roles.properties</module-option>

          to the jmx-console login-module?

          Yaron

          • 2. Re: STEPS to protect the jmx-console with passwd
            jannunzi

            Hi, I followed your steps faithfully and jmx-console did not ask for a username/password. I rebooted the server, and even the machine but no change, jmx-console still shows its output. Might it be caching something?

            I was a bit vague on editing the .resources files. The original read something like

            admin=DontRemember

            and I changed it to:

            admin.username=jose
            admin.password=password

            Is this right? What is the syntax/purpose/consequence of this file?

            the rest of the steps were very explicit so I think I got those right.

            ...thank you...

            Jose

            • 3. Re: STEPS to protect the jmx-console with passwd
              jannunzi

              I found the syntax for these users.properties and roles.properties files in the QuickStart-30x.pdf, but I still could not get it to work. It seems that the syntax for the username.properties file (the username-to-password mapping file) is:

              username1=password1
              username2=password2
              ...

              and for the roles.properties file (the username-to-role mapping file) is:

              username1=role1,role2,...

              followed by optional groups:

              username1.RoleGroup1=role3,role4,...

              so my users.properties file now reads:

              # A sample users.properties file ...
              admin=admin
              jose=password

              and my roles.properties file now reads:

              # A sample roles.properties file ...
              admin=JBossAdmin
              jose=JBossAdmin

              but I still can't get it to work. Help !!!

              ...thanks...

              J

              • 4. Re: STEPS to protect the jmx-console with passwd
                sbhat

                Hi,

                Did anyone find the solution for this? My jmx-console still starts without needing any authentication.

                Thanks

                • 5. Re: STEPS to protect the jmx-console with passwd
                  gmilza

                  I have taken these steps to protect jmx-console:

                  1) Change user and password in:

                  {INSTALL_DIR_JBOSS}/server/default/deploy/jmx-console.war/WEB-INF/classes/users.properties
                  {INSTALL_DIR_JBOSS}/server/default/deploy/jmx-console.war/WEB-INF/classes/roles.properties

                  roles.properties should be okay, just change the already present entry in users.properties, like this:
                  admin=some_password

                  2) Go to file:

                  {INSTALL_DIR_JBOSS}/server/default/conf/login-config.xml

                  and change this:
                  <application-policy name = "jmx-console">

                  <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                  flag = "required" />

                  </application-policy>

                  with this:

                  <application-policy name = "jmx-console">

                  <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                  flag = "required">
                  <module-option name="usersProperties">WEB-INF/classes/users.properties</module-option>
                  <module-option name="rolesProperties">WEB-INF/classes/roles.properties</module-option>
                  </login-module>

                  </application-policy>

                  Note: the paths of the two properties files are relative to
                  {INSTALL_DIR_JBOSS}/server/default/deploy/jmx-console.war
                  It is not necessary to touch "other" (I think it is not correct to touch this entry).

                  3) Go to file:

                  {INSTALL_DIR_JBOSS}/server/default/deploy/jmx-console.war/WEB-INF/jboss-web.xml

                  and uncomment the line:

                  <security-domain>java:/jaas/jmx-console</security-domain>

                  4) Go to file:

                  {INSTALL_DIR_JBOSS}/server/default/deploy/jmx-console.war/WEB-INF/web.xml

                  and uncomment the section:

                  <security-constraint>
                    <web-resource-collection>
                      <web-resource-name>HtmlAdaptor</web-resource-name>
                      <description>An example security config that only allows users with the
                        role JBossAdmin to access the HTML JMX console web application
                      </description>
                      <url-pattern>/*</url-pattern>
                      <http-method>GET</http-method>
                      <http-method>POST</http-method>
                    </web-resource-collection>
                    <auth-constraint>
                      <role-name>JBossAdmin</role-name>
                    </auth-constraint>
                  </security-constraint>

                  Note that the tag <role-name> must match the role in roles.properties.

                  5) Relaunch jboss. This time it should ask for user/pass.
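
An added example, not part of the post above and not JBoss code: a Python audit that reads an exploded jmx-console.war and reports whether the settings from these steps are actually active (uncommented security-domain and security-constraint, a user holding the required role, no password equal to its username). The function names `load_props`, `texts` and `audit_jmx_console` and the finding strings are hypothetical, and the code assumes the DTD-era descriptors without XML namespaces that this thread deals with.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

def load_props(path):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in Path(path).read_text().splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def texts(root, tag):
    """Text of every <tag> element; commented-out XML is dropped by the parser."""
    return [e.text.strip() for e in root.iter(tag) if e.text and e.text.strip()]

def audit_jmx_console(war_dir):
    """Return findings for an exploded jmx-console.war (assumes no XML namespaces)."""
    web_inf = Path(war_dir) / "WEB-INF"
    findings = []
    jboss_web = ET.parse(web_inf / "jboss-web.xml").getroot()
    if "java:/jaas/jmx-console" not in texts(jboss_web, "security-domain"):
        findings.append("jboss-web.xml: security-domain not active")
    web = ET.parse(web_inf / "web.xml").getroot()
    constraints = list(web.iter("security-constraint"))
    if not constraints:
        findings.append("web.xml: security-constraint not active")
    required = set()
    for c in constraints:
        required.update(texts(c, "role-name"))
        methods = texts(c, "http-method")
        if methods:  # listed methods narrow the constraint to those methods only
            findings.append("web.xml: constraint limited to " + ",".join(methods))
    users = load_props(web_inf / "classes" / "users.properties")
    roles = load_props(web_inf / "classes" / "roles.properties")
    # Users that exist in users.properties and hold a role the constraint requires.
    admins = {u for u, r in roles.items()
              if u in users and required & {x.strip() for x in r.split(",")}}
    if required and not admins:
        findings.append("no user holds role " + ",".join(sorted(required)))
    for user in sorted(admins):
        if users[user] == user:
            findings.append(f"users.properties: password for {user} equals the username")
    return findings

if __name__ == "__main__":
    for finding in audit_jmx_console(sys.argv[1]):
        print("FINDING:", finding)
```

Run it with the path to the jmx-console.war directory as the only argument. A constraint with no `<http-method>` elements applies to every HTTP method, which is why the listed-methods case is reported.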

                  • 6. Re: STEPS to protect the jmx-console with passwd
                    mpls2000

                    Hi gmilza,

                    I followed your instruction and I managed to see the login prompt when I access http://localhost:8080/jmx-console.

                    However, I always get this error
                    HTTP ERROR: 401 Unauthorized
                    RequestURI=/jmx-console

                    No matter what userID and password I entered. My roles.properties and users.properties only have this line:
                    admin=admin

                    But I could not login. Do you have any clue? Please help.
                    Thanks

                    • 7. Re: STEPS to protect the jmx-console with passwd
                      mpls2000

                      Oops, my mistake. Problem solved. Stupid mistake. Sorry.

                      • 8. Re: STEPS to protect the jmx-console with passwd
                        docjava_seattle

                        Why not just remove server/default/deploy/jmx-console.war if we don't
                        intend to use the console in production?