0 Replies Latest reply on May 14, 2009 5:13 AM by praveen2609

    Securing JBoss jmx-console and web-console for JBoss 4.0

    praveen2609

      Hi, please help me with securing jmx-console and web-console for JBoss, as I have tried the following:

      Out of the box, jmx-console and the web console are accessible to anyone who can access your server via
      the following url: http://yourserver:8080/jmx-console. The good news is that both jmx-console and web-console
      are standard servlets, so they can be protected easily by enabling the security-constraint. Our example
      uses the default server model.
      1. Edit \server\default\deploy\jmx-console.war\WEB-INF\web.xml
      and uncomment the security-constraint
      <!-- A security constraint that restricts access to the HTML JMX console
      to users with the role JBossAdmin. Edit the roles to what you want and
      uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
      secured access to the HTML JMX console. -->

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>HtmlAdaptor</web-resource-name>
          <description>An example security config that only allows users with the
          role JBossAdmin to access the HTML JMX console web application
          </description>
          <url-pattern>/*</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>JBossAdmin</role-name>
        </auth-constraint>
      </security-constraint>


      <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>JBoss JMX Console</realm-name>
      </login-config>

      <security-role>
      <role-name>JBossAdmin</role-name>
      </security-role>

      2. Edit \server\default\deploy\jmx-console.war\WEB-INF\jboss-web.xml. Uncomment the following block:
      <jboss-web>
      <!-- Uncomment the security-domain to enable security. You will
      need to edit the htmladaptor login configuration to setup the
      login modules used to authentication users.-->
      <security-domain>java:/jaas/jmx-console</security-domain>

      </jboss-web>

      3. Edit \server\default\conf\props\jmx-console-roles.properties

      4. Edit \server\default\conf\props\jmx-console-users.properties

      The only change above should be to jmx-console-users.properties, i.e., set a password.

      5. While you are in the directory, make copies of the two jmx-console properties files and call them web-console-roles.properties
      and web-console-users.properties respectively.
      6. The property files for web-console currently exist under \server\default\deploy\management\console-mgr.sar\web-console.war\WEB-INF\classes.
      I would rename these files.
      7. Edit \server\default\conf\login-config.xml

      <application-policy name = "web-console">
        <authentication>
          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
          flag = "required">
            <module-option name="usersProperties">props/web-console-users.properties</module-option>
            <module-option name="rolesProperties">props/web-console-roles.properties</module-option>
          </login-module>
        </authentication>
      </application-policy>

      In the above you need to add the props/ because this is missing in the original file. If you do not do
      this the login procedure will look for the properties file under web-console.war\WEB-INF\classes and if you have not renamed the properties file there it will try and
      use those.
      Remember to bounce JBoss after you are done.


      But it is still not prompting for authentication after bouncing the JBoss app server.


      Regards,
      Praveen
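
One way to check that the three files edited in the steps above actually line up (an added example, not part of the original post and not JBoss code). The function name `audit_console` and the sample descriptors are constructed for illustration; it also reports when a constraint lists `<http-method>` elements, since the servlet spec then applies the constraint to those methods only.

```python
import xml.etree.ElementTree as ET

def _load(xml_text):
    # Parse and drop namespaces. XML comments are discarded by the parser,
    # so a block that is still commented out simply does not exist here.
    root = ET.fromstring(xml_text)
    for el in root.iter():
        el.tag = el.tag.split("}")[-1]
    return root

def audit_console(web_xml, jboss_web_xml, login_config_xml):
    """Return findings; an empty list means the three files line up."""
    findings = []
    web = _load(web_xml)
    constraints = web.findall("security-constraint")
    if not constraints:
        findings.append("web.xml: no active <security-constraint>")
    for sc in constraints:
        if not sc.findall("auth-constraint/role-name"):
            findings.append("web.xml: constraint has no <auth-constraint> role")
        methods = [(m.text or "").strip() for m in sc.iter("http-method")]
        if methods:
            # Servlet spec: listed methods are the only ones the constraint covers.
            findings.append("web.xml: constraint limited to " + ",".join(methods))
    if web.find("login-config/auth-method") is None:
        findings.append("web.xml: no <login-config>/<auth-method>")
    domain = _load(jboss_web_xml).findtext("security-domain")
    if not domain:
        findings.append("jboss-web.xml: no active <security-domain>")
    else:
        policy = domain.strip().rsplit("/", 1)[-1]  # java:/jaas/jmx-console -> jmx-console
        names = [p.get("name") for p in _load(login_config_xml).iter("application-policy")]
        if policy not in names:
            findings.append("login-config.xml: no application-policy named " + policy)
    return findings

# Constructed sample descriptors (not taken from a real installation).
METHODS = "<http-method>GET</http-method><http-method>POST</http-method>"
CONSTRAINT = ("<security-constraint><web-resource-collection>"
              "<url-pattern>/*</url-pattern>" + METHODS + "</web-resource-collection>"
              "<auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>"
              "</security-constraint>")
LOGIN = "<login-config><auth-method>BASIC</auth-method></login-config>"
WEB_COMMENTED = "<web-app><!-- " + CONSTRAINT + " -->" + LOGIN + "</web-app>"
WEB_ACTIVE = "<web-app>" + CONSTRAINT + LOGIN + "</web-app>"
DOMAIN = "<security-domain>java:/jaas/jmx-console</security-domain>"
JBOSS_WEB_COMMENTED = "<jboss-web><!-- " + DOMAIN + " --></jboss-web>"
JBOSS_WEB_ACTIVE = "<jboss-web>" + DOMAIN + "</jboss-web>"
LOGIN_CONFIG_WEB_ONLY = '<policy><application-policy name="web-console"/></policy>'
```

To run it against a server, pass the contents of `web.xml`, `jboss-web.xml` and `login-config.xml` read from the paths named in steps 1, 2 and 7.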