1 Reply Latest reply: Sep 15, 2011 2:14 PM by Joel Rabinovitch RSS

    Securing JMX and JBoss WS Consoles

    Joel Rabinovitch Newbie

      Hi,

       

      We are migrating our application from JBoss 4.2.2 to JBoss 6.1. As part of the installation, we secured the JMX and JBoss WS consoles.

       

      With JBoss 4.2.2, we uncommented the security constraint for the JMX Console in the web.xml file as shown below:

       

         <!-- A security constraint that restricts access to the HTML JMX console

         to users with the role JBossAdmin. Edit the roles to what you want and

         uncomment the WEB-INF/jboss-web.xml/security-domain element to enable

         secured access to the HTML JMX console.

         -->

         <security-constraint>

           <web-resource-collection>

             <web-resource-name>HtmlAdaptor</web-resource-name>

             <description>An example security config that only allows users with the

               role JBossAdmin to access the HTML JMX console web application

             </description>

             <url-pattern>/*</url-pattern>

           </web-resource-collection>

           <auth-constraint>

             <role-name>JBossAdmin</role-name>

           </auth-constraint>

         </security-constraint>

       

      For secure (HTTPS) installations we would change it as follows:

       

         <security-constraint>

           <web-resource-collection>

             <web-resource-name>HtmlAdaptor</web-resource-name>

             <description>An example security config that only allows users with the

               role JBossAdmin to access the HTML JMX console web application

             </description>

             <url-pattern>/*</url-pattern>

           </web-resource-collection>

           <auth-constraint>

             <role-name>JBossAdmin</role-name>

           </auth-constraint>

           <user-data-constraint>

              <transport-guarantee>CONFIDENTIAL</transport-guarantee>

           </user-data-constraint>

         </security-constraint>

       

      The web.xml file of the JBoss WS console was adjusted similarly.

       

      The issue now is with JBoss 6.1 the JMX and web consoles have been moved to common deployment area, as specified here:

       

      http://community.jboss.org/wiki/On-DemandDeploymentOfWebApplications

       

      The question is how do I allow some profiles (environments) defined underneath the JBoss 6.1 server directory to access the JMX console using HTTP, and others using HTTPS. We need to do this when a JBoss 6.1 is used for both secure and non-secure profiles.

       

      Thanks,

       

      Joel

        • 1. Re: Securing JMX and JBoss WS Consoles
          Joel Rabinovitch Newbie

          Hi,

           

          I figured out my own problem:

           

          To resolve this I did the following:

           

          I copied the admin-console.war, jmx-console.war, and jbossws-console.war folders from the common/deploy directory to the <profile>/deploy (e.g. default/deploy) directory.

           

          I modified the following files:

           

          deploy/admin-console-activator-jboss-beans.xml

          deploy/jmx-console-activator-jboss-beans.xml

          deploy/jbossws-console-activator-jboss-beans.xml

           

          to change the following property from:

           

          <property name="deploymentRoot">${jboss.common.base.url}deploy</property>

           

          to:

           

          <property name="deploymentRoot">${jboss.server.home.url}deploy</property>

           

          Based on the information in the following page:

           

          http://community.jboss.org/wiki/JBossProperties

           

          Although it adds some time to the start up of the environment, it allows you to customize these consoles for a given profile.

           

          Hope this helps,

           

          Joel