Securing JMX and JBoss WS Consoles
joelr Aug 29, 2011 3:08 PM
Hi,
We are migrating our application from JBoss 4.2.2 to JBoss 6.1. As part of the installation, we secured the JMX and JBoss WS consoles.
With JBoss 4.2.2, we uncommented the security constraint for the JMX Console in the web.xml file as shown below:
<!-- A security constraint that restricts access to the HTML JMX console
     to users with the role JBossAdmin. Edit the roles to what you want and
     uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
     secured access to the HTML JMX console.
-->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <description>An example security config that only allows users with the
      role JBossAdmin to access the HTML JMX console web application
    </description>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>
For secure (HTTPS) installations we would change it as follows:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <description>An example security config that only allows users with the
      role JBossAdmin to access the HTML JMX console web application
    </description>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
The web.xml file of the JBoss WS console was adjusted similarly.
The issue now is that with JBoss 6.1 the JMX and web consoles have been moved to a common deployment area, as specified here:
http://community.jboss.org/wiki/On-DemandDeploymentOfWebApplications
The question is how I can allow some profiles (environments) defined underneath the JBoss 6.1 server directory to access the JMX console using HTTP, and others using HTTPS. We need to do this when a JBoss 6.1 installation is used for both secure and non-secure profiles.
Thanks,
Joel
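
The following is an added example, not part of the original post and not JBoss code: a small audit that reads a console's web.xml and reports whether the security constraint shown above is still commented out, active with authentication only, or active with the CONFIDENTIAL transport guarantee. The function names `audit_web_xml` and `classify` are hypothetical, and the sample documents are constructed from the snippets in the post.

```python
import xml.etree.ElementTree as ET

def _texts(elem, path):
    """Text of descendants reached by following local tag names in `path`."""
    nodes = [elem]
    for name in path:
        # rsplit drops any "{namespace}" prefix so DTD- and schema-based files both match
        nodes = [c for n in nodes for c in n if c.tag.rsplit("}", 1)[-1] == name]
    return [(n.text or "").strip() for n in nodes]

def audit_web_xml(xml_text):
    """One finding per active <security-constraint>; commented-out ones are
    dropped by the parser, so a still-commented console yields an empty list."""
    root = ET.fromstring(xml_text)
    findings = []
    for sc in root:
        if sc.tag.rsplit("}", 1)[-1] != "security-constraint":
            continue
        findings.append({
            "patterns": _texts(sc, ["web-resource-collection", "url-pattern"]),
            "roles": _texts(sc, ["auth-constraint", "role-name"]),
            "https": "CONFIDENTIAL" in _texts(
                sc, ["user-data-constraint", "transport-guarantee"]),
        })
    return findings

def classify(xml_text):
    """UNPROTECTED, AUTH-ONLY or AUTH+HTTPS for the whole application (/*)."""
    whole_app = [f for f in audit_web_xml(xml_text)
                 if "/*" in f["patterns"] and f["roles"]]
    if not whole_app:
        return "UNPROTECTED"
    return "AUTH+HTTPS" if all(f["https"] for f in whole_app) else "AUTH-ONLY"

# Constructed sample inputs modelled on the snippets in the post.
_CONSTRAINT = """<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  %s
</security-constraint>"""
_TLS = ("<user-data-constraint><transport-guarantee>CONFIDENTIAL"
        "</transport-guarantee></user-data-constraint>")
COMMENTED = "<web-app><!-- " + _CONSTRAINT % "" + " --></web-app>"
AUTH_ONLY = "<web-app>" + _CONSTRAINT % "" + "</web-app>"
AUTH_HTTPS = "<web-app>" + _CONSTRAINT % _TLS + "</web-app>"

if __name__ == "__main__":
    for name in ("COMMENTED", "AUTH_ONLY", "AUTH_HTTPS"):
        print(name, classify(globals()[name]))
```

The check covers web.xml only; the security-domain element in WEB-INF/jboss-web.xml that the comment in the post refers to has to be verified separately.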