5 Replies Latest reply on Aug 31, 2012 2:01 AM by Jean-Frederic Clere

    Enable ROOT seems to enable admin-console, jmx-console, etc?

    davidmac Newbie

      I am experimenting with setting up mod_cluster with SSL because we have a requirement that all comms are encrypted between web server and app server.  For my development of the configuration, I have downloaded and installed




      jboss-5.1.0.GA (this matches current env.)


      In my configuration on the web server I have (attempting to trim out all but important points):



      CreateBalancers 0
      Listen 6666
      <VirtualHost _default_:6666>
          SSLEngine on
          SSLCertificateFile blah
          SSLCertificateKeyFile blah
          SSLCACertificateFile blah
          SSLVerifyClient require

          KeepAliveTimeout 300
          MaxKeepAliveRequests 0
          ServerAdvertise Off

          <Location />
             Order deny,allow
             Deny from all
             Allow from 127.0.0 <and local net>
          </Location>

          <Location /mod_cluster_manager>
             SetHandler mod_cluster-manager
             Order deny,allow
             Deny from all
             Allow from 127.0.0 <and local net>
          </Location>
      </VirtualHost>





      Listen 443
      <VirtualHost _default_:443>
      ...SSL configuration stuff that works...
      SSLProxyEngine  on
      SSLProxyCACertificateFile blah



      I have deployed a simple "sample" app in jboss/server/all/deploy and I start the server with these settings added in run.conf:

      JAVA_OPTS="${JAVA_OPTS} -Djboss.modcluster.proxyList=<thehostname>:6666"

      JAVA_OPTS="${JAVA_OPTS} -Djboss.mod_cluster.advertise=false"

      JAVA_OPTS="${JAVA_OPTS} -Djboss.modcluster.excludedContexts=admin-console,invoker,jbossws,jmx-console,juddi,web-console"


      In the browser I can retrieve the sample app just fine.  Note that I have removed ROOT from the excludedContexts because this is what our app requires.  I will later deploy our app for the next stage of test but for now this is just vanilla JBoss with that sample.war file deployed (hello world).


      I can also hit the base URL http://somehost/ and get the "Welcome to JBoss AS" screen which has links to the admin console, jmx console, etc.  Since I have those contexts (e.g. admin-console, jmx-console) excluded, I would not expect to click the link and be able to browse them.  However, I can click and see the jmx console or web console just fine.  Here is what http://somehost:6666/mod_cluster_manager looks like:




      Auto Refresh show DUMP output show INFO output

      Node 4d7bf108-427e-3c7b-ac0a-f0c1a51ef97c (https://x.x.x.x:8443):

      Enable Contexts Disable Contexts

      Balancer: ecombalancer,LBGroup: ,Flushpackets: Off,Flushwait: 10000,Ping: 10000000,Smax: 26,Ttl: 60000000,Status: OK,Elected: 24,Read: 347692,Transferred: 28356,Connected: 0,Load: 86

      Virtual Host 1:


      /sample, Status: ENABLED Request: 0 Disable 
      /, Status: ENABLED Request: 0 Disable





      Any idea why I can browse to those contexts even though they don't show up in the manager and I have them excluded?  Maybe I missed something in the config? I need to understand how to control this to prevent security issues.




      (EDITED to remove host name)
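
An added example, not part of the original post and not mod_cluster's own code: it parses the context lines from the manager output quoted above and checks which enabled context would still cover each excluded console path. The longest-prefix matching is a simplified model and an assumption about how registered contexts are matched; the function names are hypothetical.

```python
import re

# Context lines copied from the mod_cluster_manager output in the post above.
MANAGER_OUTPUT = """\
/sample, Status: ENABLED Request: 0 Disable
/, Status: ENABLED Request: 0 Disable
"""

# Value of -Djboss.modcluster.excludedContexts from the post's run.conf.
EXCLUDED = "admin-console,invoker,jbossws,jmx-console,juddi,web-console"

CONTEXT_LINE = re.compile(r"^\s*(/\S*),\s*Status:\s*(\w+)")

def enabled_contexts(manager_text):
    """Return the context paths the manager page lists as ENABLED."""
    found = []
    for line in manager_text.splitlines():
        m = CONTEXT_LINE.match(line)
        if m and m.group(2) == "ENABLED":
            found.append(m.group(1))
    return found

def matching_context(path, contexts):
    """Longest registered context that is a path-prefix of `path`, or None.

    Assumption: a simplified model of prefix-based context routing, in which
    the root context "/" is a prefix of every request path.
    """
    best = None
    for ctx in contexts:
        base = ctx.rstrip("/")  # "/" becomes "" and so matches every path
        if path == base or path.startswith(base + "/"):
            if best is None or len(ctx) > len(best):
                best = ctx
    return best

def audit(manager_text, excluded_csv):
    """Map each excluded context to the enabled context that still covers it."""
    contexts = enabled_contexts(manager_text)
    result = {}
    for name in excluded_csv.split(","):
        result["/" + name] = matching_context("/" + name + "/", contexts)
    return result

if __name__ == "__main__":
    for path, ctx in audit(MANAGER_OUTPUT, EXCLUDED).items():
        print(f"{path:16} -> {'not forwarded' if ctx is None else 'forwarded via ' + ctx}")
```

Under this model, excluding a context only keeps it out of the registered list; while `/` is enabled, paths such as `/jmx-console` still fall under it and need their own access rule on the front-end virtual host, or removal from the deploy directory.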