5 Replies Latest reply on Sep 2, 2010 12:58 PM by tguymon

    Securing the JBoss Console

    tguymon

      JBPAPP-3979 (unauthenticated access to the JBoss AS web console) appears to have been fixed in JBoss EAP 4.2.0.CP09 and 4.3.0.CP08. I'm running JBoss AS 5.1 GA and am seeing unauthenticated access to the JBoss Console.

      • Is it possible that JBoss AS 5.1 GA does not include the fix? It seems to me that the block would have been included by default.
      • If the fix is included, but is not the default behavior, how can I configure JBoss to block unauthenticated access to the JBoss console?
        • 1. Re: Securing the JBoss Console
          peterj

          Trey, welcome to the JBoss forums!


          There is a difference between EAP and AS - EAP is a commercial product available by subscription only, whereas AS is the community version. The commercial product (EAP) locks down the app server by default. If you were to obtain EAP 5 you would notice that the app server is locked down. The community version (AS) is not locked down. Thus, neither AS 4.2.x nor 5.x is locked down. To lock down the community version, see: http://community.jboss.org/wiki/securetheJmxConsole

          • 2. Re: Securing the JBoss Console
            tguymon

            Thanks for the response. The referenced article had several redacted sections. I made some assumptions, but was unable to solve my problem. I believe that my jmx console authentication is configured correctly and tried to use the same security domain for the web console. The problem is that an HTTP PUT request to the web-console returned an unauthenticated 200 OK response. This was not the case for the jmx console.


            To secure the web console, I did the following:

            • In the deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml
              • Verified the <security-constraint> block was uncommented.
              • Changed <realm-name> to jmx-console
            • In the deploy/management/console-mgr.sar/web-console.war/WEB-INF/jboss-web.xml
              • Verified the <security-domain> was java:/jaas/jmx-console


            Any ideas?
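One cause worth ruling out when GET is challenged for credentials but PUT is not: a `<security-constraint>` whose `<web-resource-collection>` lists explicit `<http-method>` elements only covers the verbs it names, so every other method on the same `<url-pattern>` is left unconstrained by the container. The thread does not say whether this is what was in the shipped web.xml, so treat it as an assumption. The script below is an added example (not code from this thread or from JBoss) that parses a constructed web.xml, flags constraints restricted to a subset of methods, and shows the hardened form, which simply omits `<http-method>` so the constraint applies to all verbs. The resource name, role and file contents are constructed samples.

```python
"""Audit a servlet web.xml for security-constraints that only cover some
HTTP methods. Added example with constructed sample input; not JBoss's own
code or configuration files."""
import xml.etree.ElementTree as ET

# Constructed sample: the constraint is limited to GET and POST. Under the
# Servlet spec, naming <http-method> elements leaves every other verb
# (PUT, HEAD, DELETE, ...) on /* unconstrained, so a PUT would not be
# challenged for credentials.
WEAK_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>WebConsole</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>jmx-console</realm-name>
  </login-config>
</web-app>
"""

# Hardened form: no <http-method> elements, so the same constraint applies
# to every HTTP method on /*.
HARDENED_WEB_XML = WEAK_WEB_XML.replace(
    "      <http-method>GET</http-method>\n"
    "      <http-method>POST</http-method>\n",
    "",
)


def _local(tag):
    """Strip the XML namespace prefix ({uri}name -> name)."""
    return tag.rsplit("}", 1)[-1]


def audit_web_xml(xml_text):
    """Return one finding per web-resource-collection that lists explicit
    <http-method> elements, as (resource_name, url_patterns, listed_methods).
    An empty list means every constraint covers all HTTP methods."""
    root = ET.fromstring(xml_text)
    findings = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            name, patterns, methods = "", [], []
            for child in wrc:
                text = (child.text or "").strip()
                kind = _local(child.tag)
                if kind == "web-resource-name":
                    name = text
                elif kind == "url-pattern":
                    patterns.append(text)
                elif kind == "http-method":
                    methods.append(text.upper())
            if methods:
                findings.append((name, patterns, methods))
    return findings


if __name__ == "__main__":
    # Run against a real deployment with: audit_web_xml(open(path).read())
    print("weak:", audit_web_xml(WEAK_WEB_XML))
    print("hardened:", audit_web_xml(HARDENED_WEB_XML))
```

The check is namespace-agnostic so it works whether the descriptor uses the javaee namespace or none at all. The fix it suggests is the one the audit cannot detect by itself: after removing the `<http-method>` list, verify from the outside that a request with an uncommon verb is also refused.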

            • 3. Re: Securing the JBoss Console
              peterj

              Yeah, just remove the whole server/xxx/deploy/management directory and its contents. I'm not sure why they even bother to ship the web console because it is an old product that has not been kept up to date nor changed/enhanced for a number of releases.

              • 4. Re: Securing the JBoss Console
                jaikiran

                Yeah, the web-console wasn't really being maintained. Starting 6.0.0.M2 (or was it M1), the web-console has now been removed from the AS distribution.

                • 5. Re: Securing the JBoss Console
                  tguymon

                  Thanks to all. We removed the management directory. That solved the issue with no ill effects.