I took these steps to protect the jmx-console:
1) Change user and password in:
{INSTALL_DIR_JBOSS}/server/default/deploy/jmx-console.war/WEB-INF/classes/users.properties
{INSTALL_DIR_JBOSS}/server/default/deploy/jmx-console.war/WEB-INF/classes/roles.properties
roles.properties should be okay, just change the already present entry in users.properties, like this:
admin=some_password
2) Go to file:
{INSTALL_DIR_JBOSS}/server/default/conf/login-config.xml
and change this:
    <application-policy name = "jmx-console">
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                    flag = "required" />
    </application-policy>
with this:
    <application-policy name = "jmx-console">
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                    flag = "required">
        <module-option name="usersProperties">WEB-INF/classes/users.properties</module-option>
        <module-option name="rolesProperties">WEB-INF/classes/roles.properties</module-option>
      </login-module>
    </application-policy>
Note: the paths of the two properties files are relative to
{INSTALL_DIR_JBOSS}/server/default/deploy/jmx-console.war
It is not necessary to touch "other" (I think it is not correct to touch this entry).
3) Go to file:
{INSTALL_DIR_JBOSS}/server/default/deploy/jmx-console.war/WEB-INF/jboss-web.xml
and uncomment the line:
    <security-domain>java:/jaas/jmx-console</security-domain>
4) Go to file:
{INSTALL_DIR_JBOSS}/server/default/deploy/jmx-console.war/WEB-INF/web.xml
and uncomment the section:
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>HtmlAdaptor</web-resource-name>
        <description>An example security config that only allows users with the
          role JBossAdmin to access the HTML JMX console web application
        </description>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>JBossAdmin</role-name>
      </auth-constraint>
    </security-constraint>
Note that the tag <role-name> must match the role in roles.properties.
5) Relaunch JBoss. This time it should ask for user/pass.
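
An added example, not part of the original post: a small Python audit that checks the files edited in steps 1-4 for the conditions the steps rely on (active security-domain, active security-constraint, a role-name that some user in users.properties actually holds). It also reports two things the steps do not cover: a password equal to the user name, and a constraint that lists http-method elements, because such a constraint applies only to the listed methods. The function name, finding texts and sample file contents are constructed for illustration.

```python
import xml.etree.ElementTree as ET
def _find(root, name):
    """Descendants named `name`, ignoring any XML namespace prefix."""
    return [e for e in root.iter() if e.tag.split('}')[-1] == name]

def _props(text):
    """Parse key=value properties text, skipping blank and comment lines."""
    pairs = (l.split('=', 1) for l in text.splitlines()
             if '=' in l and not l.lstrip().startswith('#'))
    return {k.strip(): v.strip() for k, v in pairs}

def audit(web_xml, jboss_web_xml, users_props, roles_props):
    """Return findings for the four files edited in steps 1-4."""
    findings = []
    # ElementTree drops XML comments, so a commented-out element is absent.
    domains = [(e.text or '').strip()
               for e in _find(ET.fromstring(jboss_web_xml), 'security-domain')]
    if 'java:/jaas/jmx-console' not in domains:
        findings.append('jboss-web.xml: security-domain is not active')
    constraints = _find(ET.fromstring(web_xml), 'security-constraint')
    if not constraints:
        findings.append('web.xml: security-constraint is not active')
    users, roles = _props(users_props), _props(roles_props)
    for c in constraints:
        methods = [(m.text or '').strip() for m in _find(c, 'http-method')]
        if methods:  # the constraint applies only to the methods it lists
            findings.append('web.xml: constraint covers only ' + ','.join(methods))
        for r in _find(c, 'role-name'):
            role = (r.text or '').strip()
            holders = [u for u, rs in roles.items()
                       if role in [x.strip() for x in rs.split(',')]]
            if not any(u in users for u in holders):
                findings.append('role %s: no user in users.properties holds it' % role)
    for user, password in users.items():
        if password == user:
            findings.append('users.properties: password of %s equals the user name' % user)
    return findings

# Constructed sample files, not copied from a real installation.
JBOSS_WEB_OFF = "<jboss-web><!-- <security-domain>java:/jaas/jmx-console</security-domain> --></jboss-web>"
JBOSS_WEB_ON = "<jboss-web><security-domain>java:/jaas/jmx-console</security-domain></jboss-web>"
WEB_OFF = "<web-app><!-- <security-constraint/> --></web-app>"
WEB_ON = """<web-app><security-constraint>
  <web-resource-collection><url-pattern>/*</url-pattern>
    <http-method>GET</http-method><http-method>POST</http-method></web-resource-collection>
  <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
</security-constraint></web-app>"""
if __name__ == "__main__":
    print(audit(WEB_ON, JBOSS_WEB_ON, "admin=some_password", "admin=JBossAdmin,HttpInvoker"))
```

To run it against a real installation, read the four files from the paths given in steps 1-4 and pass their contents to audit().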