8 Replies Latest reply on Aug 27, 2003 3:59 PM by Michael James

    STEPS to protect the jmx-console with passwd

    Jesus Casquero Newbie

      Steps to protect jmx-console:

      1) Change user and password in:

      {INSTALL_DIR_JBOSS}/server/default/deploy/jmx-console.war/WEB-INF/classes/users.properties
      {INSTALL_DIR_JBOSS}/server/default/deploy/jmx-console.war/WEB-INF/classes/roles.properties

      2) Go to file:

      {INSTALL_DIR_JBOSS}/server/default/conf/login-config.xml

      comment the following:

      <!--<application-policy name = "jmx-console">

      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
      flag = "required" />

      </application-policy>-->

      and replace this section (bottom) :

      <application-policy name = "other">
      .....
      .....
      </application-policy>

      for this one:

      <application-policy name = "other">

      <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule" flag = "required">
      <module-option name="usersProperties">users.properties</module-option>
      <module-option name="rolesProperties">roles.properties</module-option>
      </login-module>



      </application-policy>

      3) Go to file:

      {INSTALL_DIR_JBOSS}/server/default/deploy/jmx-console.war/WEB-INF/jboss-web.xml

      and uncomment the line:

      <security-domain>java:/jaas/jmx-console</security-domain>

      4) Finish. If you try to enter the jmx-console, a password will be required.

        • 1. Re: STEPS to protect the jmx-console with passwd
          Yaron Holland Newbie

          1. What is the format of the files users.properties and roles.properties?

          2. Do you need to restart jboss for it to take effect?

          3. Why not just add:
          <module-option name="usersProperties">users.properties</module-option>
          <module-option name="rolesProperties">roles.properties</module-option>

          to the jmx-console login-module?

          Yaron

          • 2. Re: STEPS to protect the jmx-console with passwd
            Jose Annunziato Newbie

            Hi, I followed your steps faithfully and jmx-console did not ask for a username/password. I rebooted the server, and even the machine but no change, jmx-console still shows its output. Might it be caching something?

            I was a bit vague on editing the .resources files. The original read something like

            admin=DontRemember

            and I changed it to:

            admin.username=jose
            admin.password=password

            is this right? what is the syntax/purpose/consequence of this file?

            the rest of the steps were very explicit so I think I got those right.

            ...thank you...

            Jose

            • 3. Re: STEPS to protect the jmx-console with passwd
              Jose Annunziato Newbie

              I found the syntax for these users.properties and roles.properties files in the QuickStart-30x.pdf, but I still could not get it to work. It seems that the syntax for the username.properties file (the username-to-password mapping file) is:

              username1=password1
              username2=password2
              ...

              and for the roles.properties file (the username-to-role mapping file) is:

              username1=role1,role2,...

              followed by optional groups:

              username1.RoleGroup1=role3,role4,...

              so my users.properties file now reads:

              # A sample users.properties file ...
              admin=admin
              jose=password

              and my roles.properties file now reads:

              # A sample roles.properties file ...
              admin=JBossAdmin
              jose=JBossAdmin

              but I still can't get it to work. Help !!!

              ...thanks...

              J

              • 4. Re: STEPS to protect the jmx-console with passwd
                Suresh Newbie

                Hi,

                Did anyone find the solution for this? My jmx-console still starts without needing any authentication.

                Thanks

                • 5. Re: STEPS to protect the jmx-console with passwd
                  Gianluca Milza Newbie

                  I have made these steps for protecting jmx-console:

                  1) Change user and password in:

                  {INSTALL_DIR_JBOSS}/server/default/deploy/jmx-console.war/WEB-INF/classes/users.properties
                  {INSTALL_DIR_JBOSS}/server/default/deploy/jmx-console.war/WEB-INF/classes/roles.properties

                  roles.properties should be okay, just change the already present entry in users.properties, like this:
                  admin=some_password

                  2) Go to file:

                  {INSTALL_DIR_JBOSS}/server/default/conf/login-config.xml

                  and change this:
                  <application-policy name = "jmx-console">

                  <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                  flag = "required" />

                  </application-policy>

                  with this:

                  <application-policy name = "jmx-console">

                  <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                  flag = "required">
                  <module-option name="usersProperties">WEB-INF/classes/users.properties</module-option>
                  <module-option name="rolesProperties">WEB-INF/classes/roles.properties</module-option>
                  </login-module>

                  </application-policy>

                  Note: the paths of the two properties files are relative to
                  {INSTALL_DIR_JBOSS}/server/default/deploy/jmx-console.war
                  It is not necessary to touch "other" (I think it is not correct to touch this entry).

                  3) Go to file:

                  {INSTALL_DIR_JBOSS}/server/default/deploy/jmx-console.war/WEB-INF/jboss-web.xml

                  and uncomment the line:

                  <security-domain>java:/jaas/jmx-console</security-domain>

                  4) Go to file:

                  {INSTALL_DIR_JBOSS}/server/default/deploy/jmx-console.war/WEB-INF/web.xml

                  and uncomment the section:

                  <security-constraint>
                    <web-resource-collection>
                      <web-resource-name>HtmlAdaptor</web-resource-name>
                      <description>An example security config that only allows users with the
                        role JBossAdmin to access the HTML JMX console web application
                      </description>
                      <url-pattern>/*</url-pattern>
                      <http-method>GET</http-method>
                      <http-method>POST</http-method>
                    </web-resource-collection>
                    <auth-constraint>
                      <role-name>JBossAdmin</role-name>
                    </auth-constraint>
                  </security-constraint>

                  Note that the tag <role-name> must match the role in roles.properties .

                  5) Relaunch jboss. This time it should ask user/pass.
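
                  The steps in the post above only take effect when web.xml, jboss-web.xml, users.properties and roles.properties agree with each other. The following is an added example, not part of the original thread or of JBoss: a small Python audit of those four files that reports which piece is still missing. The function names and the sample inputs are assumptions made for illustration, and login-config.xml is not checked.

```python
import xml.etree.ElementTree as ET

def parse_props(text):
    """Parse name=value lines of users.properties / roles.properties."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def audit_jmx_console(web_xml, jboss_web_xml, users_text, roles_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # ElementTree discards XML comments, so a commented-out element is absent.
    # Assumes JBoss 3.x-style descriptors (DOCTYPE-based, no XML namespaces).
    if ET.fromstring(jboss_web_xml).find("security-domain") is None:
        findings.append("jboss-web.xml: <security-domain> is commented out")
    role_path = "security-constraint/auth-constraint/role-name"
    required = {r.text.strip()
                for r in ET.fromstring(web_xml).findall(role_path) if r.text}
    if not required:
        findings.append("web.xml: no active <security-constraint> role")
    users = parse_props(users_text)
    # Keys containing "." are treated as role-group entries and skipped here.
    granted = {u: {r.strip() for r in v.split(",")}
               for u, v in parse_props(roles_text).items() if "." not in u}
    allowed = [u for u in users if granted.get(u, set()) & required]
    if required and not allowed:
        findings.append("no user holds a role that web.xml requires")
    for u in allowed:
        if users[u] == u:
            findings.append(f"users.properties: '{u}' uses its own name as password")
    return findings

# Constructed sample inputs (not taken from a real installation).
CONSTRAINT = """<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
</security-constraint>"""
DOMAIN = "<security-domain>java:/jaas/jmx-console</security-domain>"
OPEN_WEB = f"<web-app><!-- {CONSTRAINT} --></web-app>"
OPEN_JBOSS = f"<jboss-web><!-- {DOMAIN} --></jboss-web>"
SAFE_WEB = f"<web-app>{CONSTRAINT}</web-app>"
SAFE_JBOSS = f"<jboss-web>{DOMAIN}</jboss-web>"

if __name__ == "__main__":
    print("before:", audit_jmx_console(OPEN_WEB, OPEN_JBOSS, "admin=admin", "admin=JBossAdmin"))
    print("after: ", audit_jmx_console(SAFE_WEB, SAFE_JBOSS, "admin=S0me-l0ng-pass", "admin=JBossAdmin"))
```

                  To audit a real installation, pass in the contents of the four files under jmx-console.war/WEB-INF instead of the constructed strings.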

                  • 6. Re: STEPS to protect the jmx-console with passwd
                    mpls2000 Newbie

                    Hi gmilza,

                    I followed your instruction and I managed to see the login prompt when I access http://localhost:8080/jmx-console.

                    However, I always get this error
                    HTTP ERROR: 401 Unauthorized
                    RequestURI=/jmx-console

                    No matter what userID and password I entered. My roles.properties and users.properties only have this line:
                    admin=admin

                    But I could not login. Do you have any clue? Please help.
                    Thanks

                    • 7. Re: STEPS to protect the jmx-console with passwd
                      mpls2000 Newbie

                      Ooops, my mistake. Problem solved. Stupid mistake. Sorry.

                      • 8. Re: STEPS to protect the jmx-console with passwd
                        Michael James Newbie

                        Why not just remove server/default/deploy/jmx-console.war if we don't
                        intend to use the console in production?