-
1. Re: Securing the JBoss Console
peterj Aug 30, 2010 6:43 PM (in response to tguymon)
Trey, welcome to the JBoss forums!
There is a difference between EAP and AS - EAP is a commercial product available by subscription only, whereas AS is the community version. The commercial product (EAP) locks down the app server by default. If you were to obtain EAP 5 you would notice that the app server is locked down. The community version (AS) is not locked down. Thus, neither AS 4.2.x nor 5.x is locked down. To lock down the community version, see: http://community.jboss.org/wiki/securetheJmxConsole
-
2. Re: Securing the JBoss Console
tguymon Aug 31, 2010 5:54 PM (in response to peterj)
Thanks for the response. The referenced article had several redacted sections. I made some assumptions, but was unable to solve my problem. I believe that my jmx console authentication is configured correctly and tried to use the same security domain for the web console. The problem is that an HTTP PUT request to the web-console returned an unauthenticated 200 OK response. This was not the case for the jmx console.
To secure the web console, I did the following:
- In the deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml
  - Verified the <security-constraint> block was uncommented.
  - Changed <realm-name> to jmx-console
- In the deploy/management/console-mgr.sar/web-console.war/WEB-INF/jboss-web.xml
  - Verified the <security-domain> was java:/jaas/jmx-console
Any ideas?
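Added example, not part of the thread and not JBoss code: when a method such as PUT gets past an uncommented <security-constraint>, one thing worth checking is whether its <web-resource-collection> lists specific <http-method> elements, because the Servlet specification then applies the constraint only to those methods. The thread does not say whether that was the cause here; the descriptor below is a constructed sample and `audit_constraints` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not copied from any JBoss release): the
# constraint is uncommented, but it names only GET and POST.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>constructed-sample</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
  <login-config><realm-name>jmx-console</realm-name></login-config>
</web-app>"""

def local(tag):
    """Strip an XML namespace prefix of the form {uri} from a tag name."""
    return tag.rsplit("}", 1)[-1]

def audit_constraints(web_xml_text):
    """Return one finding per <web-resource-collection> in a web.xml.

    A collection that lists <http-method> elements protects only those
    methods; any other method (PUT, HEAD, DELETE, ...) reaches the matching
    URLs without the auth-constraint. A commented-out constraint yields no
    finding at all, because the parser drops XML comments.
    """
    findings = []
    for constraint in ET.fromstring(web_xml_text).iter():
        if local(constraint.tag) != "security-constraint":
            continue
        has_auth = any(local(e.tag) == "auth-constraint" for e in constraint)
        for coll in constraint:
            if local(coll.tag) != "web-resource-collection":
                continue
            patterns = [(e.text or "").strip() for e in coll if local(e.tag) == "url-pattern"]
            methods = sorted((e.text or "").strip().upper() for e in coll if local(e.tag) == "http-method")
            findings.append({"patterns": patterns, "listed_methods": methods,
                             "has_auth_constraint": has_auth,
                             "all_methods_covered": has_auth and not methods})
    return findings

if __name__ == "__main__":
    for finding in audit_constraints(SAMPLE_WEB_XML):
        print(finding)
```

A finding with a non-empty `listed_methods` means requests using any other method are not challenged for credentials on those URL patterns; removing the <http-method> lines makes the constraint apply to every method.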
-
3. Re: Securing the JBoss Console
peterj Aug 31, 2010 7:12 PM (in response to tguymon)
Yeah, just remove the whole server/xxx/deploy/management directory and its contents. I'm not sure why they even bother to ship the web console because it is an old product that has not been kept up to date nor changed/enhanced for a number of releases.
-
4. Re: Securing the JBoss Console
jaikiran Sep 1, 2010 2:14 AM (in response to peterj)
1 of 1 people found this helpful
Yeah, the web-console wasn't really being maintained. Starting 6.0.0.M2 (or was it M1), the web-console has now been removed from the AS distribution.
-
5. Re: Securing the JBoss Console
tguymon Sep 2, 2010 12:58 PM (in response to jaikiran)
Thanks to all. We removed the management directory. That solved the issue with no ill effects.