10 Replies Latest reply on May 30, 2013 6:52 AM by dlofthouse

    How to change/disable HTTP interface default security page

    td121136

      Hi, when I try to access the web admin console through the URL "http://localhost:9990/console" without any management user created yet, it shows the welcome page, which asks the user to create a user. But in my case, I don't want the user to see such an informative page, because it is a risk: the user will know what server is running in the background and its version. Is there any way to disable this redirect? Or is there another way to configure it to point to another page, such as my application main page? I'd appreciate help from anyone.

        • 1. Re: How to change/disable HTTP interface default security page
          jaikiran

          By default, that port isn't available to the outside world since it's only bound to the "management" interface which is expected to be exposed to only (typically internal) admin users/network:

           

          <interfaces>
              <interface name="management">
                  <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
              </interface>
              ...
          </interfaces>
          <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
              <socket-binding name="management-native" interface="management" port="${jboss.management.native.port:9999}"/>
              <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
              ...
          </socket-binding-group>
          
          • 2. Re: How to change/disable HTTP interface default security page
            td121136

            Hi jaikiran, thanks for your response. But my question is not related to the port; I just want to find a way to change the welcome page returned by JBoss AS when there is no management user created yet. For example, if no management user is found, then redirect to my application main page. However, so far I can't find an easy way to do that.

            • 3. Re: How to change/disable HTTP interface default security page
              dlofthouse

              No, that page cannot be modified. If you have a requirement to run a server with no users defined, I would suggest you just disable the HTTP interface, as without users it is redundant.

              • 4. Re: How to change/disable HTTP interface default security page
                td121136

                Hi Darran, I would like to have management users access the web management page; I just want to make sure that no one can see the default page before the user creation is done.

                • 5. Re: How to change/disable HTTP interface default security page
                  jaikiran

                  Hmm, so you are the super admin who doesn't fully trust/know his admins and you don't want them to see that page till you have created the first admin user, after which they will be presented the login prompt? I'm just trying to understand your use case.

                  • 6. Re: How to change/disable HTTP interface default security page
                    dlofthouse

                    To stop the page from being displayed you will need to either add one user or disable the interface. One possibility could be to add a dummy user to the properties file; that way the AS will detect the user definition and not display the page, but that user will also not be used for authentication.

                     

                    Maybe if you could explain a little more about the environment you are trying to run in.  The part I am not sure about is why getting at least one user added before you start the server is not possible?

                    • 7. Re: How to change/disable HTTP interface default security page
                      td121136

                      What I'm concerned about is that the web admin page can be accessed by anyone if they know the URL, so if they see the welcome page they will know what is running in the background.

                      • 8. Re: How to change/disable HTTP interface default security page
                        dlofthouse

                        But why do you need to be running a server with no users?

                         

                        The HTTP interface is either going to be used on your installation in which case you must define users, or it is not going to be used in which case it can be completely disabled.

                         

                        The part I do not understand is why you need this middle ground of having an unused interface running.

                        • 9. Re: How to change/disable HTTP interface default security page
                          td121136

                          Sorry to confuse you. Let's imagine I'm just doing the installation and starting up the server for the customer, and the customer will create the management user themselves due to a security issue (they don't want to share the username and password).

                          • 10. Re: How to change/disable HTTP interface default security page
                            dlofthouse

                            I am assuming then that these users are going to connect directly to the server to execute the add-user utility.

                             

                            What I would suggest then is that you install the server with the HTTP interface disabled, and then after they have connected and added the user you provide a second script, something like 'enable-admin-console.sh', that calls the CLI to enable the management interface. If you are disabling the local authentication mechanism as mentioned in your other thread, this would also be an opportunity for them to test the username and password they have just set up.

                            1 of 1 people found this helpful
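
An added example of the 'enable-admin-console.sh' idea from the last reply (not code from dlofthouse or the JBoss project): it refuses to enable the HTTP interface until the users file holds at least one entry. The install path, the `mgmt-users.properties` location, the `ManagementRealm` name and the `:add` operation are assumptions based on a default standalone configuration.

```shell
#!/bin/sh
# enable-admin-console.sh (added example, not from the thread): re-create the
# HTTP management interface only once a management user has been defined.
# Assumed defaults: install path, mgmt-users.properties location, realm name.
JBOSS_HOME="${JBOSS_HOME:-/opt/jboss-as}"   # placeholder install path
USERS_FILE="${USERS_FILE:-$JBOSS_HOME/standalone/configuration/mgmt-users.properties}"

# Print the number of "user=hash" entries, ignoring blank lines and # comments.
count_mgmt_users() {
    [ -r "$1" ] || { echo 0; return 0; }
    # grep -c exits 1 on zero matches; "|| true" keeps a caller's set -e from aborting.
    grep -Ec '^[[:space:]]*[^#[:space:]][^=]*=.+' "$1" || true
}

# Management operation that adds the HTTP interface on the "management-http"
# socket binding from the configuration quoted earlier in the thread.
enable_op() {
    printf '%s' '/core-service=management/management-interface=http-interface:add(socket-binding=management-http,security-realm=ManagementRealm)'
}

enable_admin_console() {
    n=$(count_mgmt_users "$USERS_FILE")
    if [ "$n" -eq 0 ]; then
        echo "No management user in $USERS_FILE; run the add-user utility first." >&2
        return 1
    fi
    # Connect over the native management port (9999 in the quoted config).
    "$JBOSS_HOME/bin/jboss-cli.sh" --connect --controller=localhost:9999 \
        --command="$(enable_op)"
}

# Act only when invoked with --enable, so the functions can be sourced and tested.
if [ "${1:-}" = "--enable" ]; then
    enable_admin_console
fi
```

If local authentication has been disabled, the CLI prompts for credentials at the connect step, which exercises the account the customer has just created.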