-
15. Securing the JMX Console
dlofthouse Feb 4, 2011 10:00 AM (in response to dmanyemwe)
Are you definitely running the default configuration? If you check under server/default/log are you seeing the server.log and boot.log updated recently?
-
16. Securing the JMX Console
edgarosy Feb 4, 2011 10:03 AM (in response to dlofthouse)
Yes. I can see both being updated today.
-
17. Securing the JMX Console
dmanyemwe Feb 4, 2011 10:03 AM (in response to edgarosy)
Yes, it is configured that way. I have done this before and it worked fine on AS 6.0.0 but it's been giving me trouble since yesterday on AS 5.1.0! I know the .properties files are fine because if I log in using the admin-console (which also uses the jmx-console security domain), the username and password combination it accepts is the one I have in my properties file. It is supposed to be straightforward!
-
18. Securing the JMX Console
dmanyemwe Feb 4, 2011 10:04 AM (in response to dlofthouse)
Definitely, if I rename my jmx-console.war I see it being undeployed in my log file (I am tailing it).
-
19. Securing the JMX Console
dlofthouse Feb 4, 2011 10:05 AM (in response to edgarosy)
edgarosy wrote:
Yes. I can see both being updated today.
That question was to Daniel, as it is his configuration not being picked up.
-
20. Securing the JMX Console
dlofthouse Feb 4, 2011 10:07 AM (in response to dlofthouse)
Ok, in that case have you ever entered a valid username and password into a pop up window in your web browser? For BASIC authentication it is quite common for the browser to cache the credentials and automatically present them to the server without further prompts.
If you have one available maybe try a connection from a machine / browser that has not been used to connect to the JMX console previously.
-
21. Re: Securing the JMX Console
dmanyemwe Feb 4, 2011 10:17 AM (in response to dlofthouse)
That was my thinking as well, so I downloaded Chrome and tried with it, same thing, direct access!
Just tried from a non-dev machine, same thing, so it definitely isn't caching. I even rebooted the server, didn't work.
-
22. Securing the JMX Console
sheital Mar 28, 2011 11:34 PM (in response to dmanyemwe)
Even I am facing the same issue, made changes in the web.xml, jboss-web.xml, login-config and the user.properties file. Still the popup to login for jmx-console does not appear. The jmx-console simply comes without the popup.
Daniel Manyemwe wrote:
That was my thinking as well, so I downloaded Chrome and tried with it, same thing, direct access!
Just tried from a non-dev machine, same thing, so it definitely isn't caching. I even rebooted the server, didn't work.
Were you able to find a solution for it?
I have made the following changes.

C:\Program Files\jboss-5.1.0.GA\server\default\deploy\jmx-console.war\WEB-INF\web.xml

    <!-- A security constraint that restricts access to the HTML JMX console
         to users with the role JBossAdmin. Edit the roles to what you want and
         uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
         secured access to the HTML JMX console.-->
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>HtmlAdaptor</web-resource-name>
        <description>An example security config that only allows users with the
          role JBossAdmin to access the HTML JMX console web application
        </description>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>JBossAdmin</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>JBoss JMX Console</realm-name>
    </login-config>
    <security-role>
      <role-name>JBossAdmin</role-name>
    </security-role>
    </web-app>

C:\Program Files\jboss-5.1.0.GA\server\default\deploy\jmx-console.war\WEB-INF\jboss-web.xml

    <jboss-web>
      <!-- Uncomment the security-domain to enable security. You will
           need to edit the htmladaptor login configuration to setup the
           login modules used to authentication users. -->
      <security-domain>java:/jaas/jmx-console</security-domain>
    </jboss-web>

C:\Program Files\jboss-5.1.0.GA\server\default\conf\login-config.xml

    <!-- A template configuration for the jmx-console web application. This
         defaults to the UsersRolesLoginModule the same as other and should be
         changed to a stronger authentication mechanism as required.
    -->
    <application-policy name="jmx-console">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                      flag="required">
          <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
          <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
        </login-module>
      </authentication>
    </application-policy>
-
23. Securing the JMX Console
dmanyemwe Mar 29, 2011 3:26 AM (in response to sheital)
Hi Henna,
Unfortunately I have not solved this problem, but the more secure alternative is to just undeploy the jmx-console. You can move the whole jmx-console.war directory out of /deploy, and should you need it again you can move it in. Not the best solution, but given my time constraints that's the best I could come up with!
Good luck.
-
24. Securing the JMX Console
sheital Mar 29, 2011 4:46 AM (in response to dmanyemwe)
Daniel,
I am able to make it work by making the same changes in the files present under the JBoss folder present in my code and not under the server directory.
Thanks for the suggestion.
-
25. Securing the JMX Console
vgarmash Apr 3, 2011 12:52 AM (in response to sun81)
For those who find this topic by search:
There is a community courtesy notification for a severe security issue affecting some of the JBoss projects and products. Default security settings in web.xml protect only GET and POST protocols, leaving other ones open. Please refer to the following Red Hat KBase article for more information:
JBoss Products & CVE-2010-0738
Only when you apply the solution can you be sure that your JMX Console is protected.
Please note that Web Console has the same issue, and you need to apply the solution to it as well.
Also, it is recommended to hash passwords in the config files. Read about how to do it in the JBoss Getting Started guide.
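
Added example (not part of any post in this thread, and not JBoss or Red Hat code): a small Python check for the condition the post above describes, where a security-constraint that lists http-method elements covers only the listed methods. The sample web.xml text is constructed from the fragment quoted earlier in the thread, and the function and variable names are illustrative.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the web.xml fragment quoted in this thread.
SAMPLE_LISTED = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Same constraint without <http-method> elements: it then applies to every method.
SAMPLE_ALL_METHODS = (SAMPLE_LISTED
                      .replace("<http-method>GET</http-method>", "")
                      .replace("<http-method>POST</http-method>", ""))

def local(tag):
    """Strip an XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def children(elem, name):
    return [c for c in elem if local(c.tag) == name]

def audit_web_xml(text):
    """Return a list of findings for the security constraints in a web.xml."""
    root = ET.fromstring(text)
    constraints = children(root, "security-constraint")
    if not constraints:
        return ["no <security-constraint>: application is unauthenticated"]
    findings = []
    for sc in constraints:
        if not children(sc, "auth-constraint"):
            findings.append("constraint has no <auth-constraint>")
        for wrc in children(sc, "web-resource-collection"):
            name = (children(wrc, "web-resource-name") or [None])[0]
            label = name.text.strip() if name is not None and name.text else "?"
            methods = [m.text.strip().upper()
                       for m in children(wrc, "http-method") if m.text]
            if methods:
                findings.append(f"{label}: constraint limited to {','.join(methods)}; "
                                "other HTTP methods are not covered")
    return findings

if __name__ == "__main__":
    for title, doc in (("listed", SAMPLE_LISTED), ("all methods", SAMPLE_ALL_METHODS)):
        print(title, audit_web_xml(doc) or "OK")
```

An empty result means every constraint in the file applies to all HTTP methods and names an auth-constraint; run it against both jmx-console.war and the Web Console's web.xml, since the post notes both are affected.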
-
-
27. Re: Securing the JMX Console
omvinh Sep 19, 2013 4:07 AM (in response to sun81)
I was somehow having the same problem. I made it work as follows:
edit default/deploy/jbossweb.sar/server.xml
I found there is missing:

    <Realm className="org.jboss.web.tomcat.security.JBossWebRealm" certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping" allRolesMode="authOnly" />

between "<Engine name="jboss.web" defaultHost="localhost">" and "<Host name="localhost">"
I am not sure why this is missing. The latest version of JBoss 5.1.0.GA is OK. Maybe some version before missed it.