2 Replies Latest reply on Apr 3, 2011 12:38 AM by Viacheslav Garmash

    Securing the JMX-Console


      Can some one point me to some documents on how to secure the JMX Console from outside users etc...


        • 1. Re: Securing the JMX-Console
          Peter Doornbosch Apprentice

          Edit the web.xml and the jboss-web.xml file in the jmx-console.war (which is actually a directory in the latest releases, so you can easily edit its contents) to enable security.

          In the web.xml you uncomment the security-constraint. Note that the default authentication method is "basic" (your web browser will pop-up a password dialog). Also note that the role specified here is "JBossAdmin".

          In the jboss-web.xml you uncomment the security domain (default: jmx-console).

          Now edit the login-config.xml in the conf directory. This contains an application policy called "jmx-console" (the name must match the security domain in the jboss-web.xml). Here you configure the login module you want to use, similar to the others. Make sure your login module associates the role 'JBossAdmin' with the username you want to use to access the jmx-console (e.g. when you use the UsersRolesLoginModule, the file roles.properties should contain a line like "admin-user=JBossAdmin").


          • 2. Securing the JMX-Console
            Viacheslav Garmash Newbie

            The link is: http://community.jboss.org/wiki/SecureTheJmxConsole


            for those who find this topic by search:


            There is a community courtesy notification for a severe security issue affecting some of the JBoss projects and products. Default security settings in web.xml protect only GET and POST protocols leaving another ones open. Please refer to the following Red Hat KBase article for more information:


            JBoss Products & CVE-2010-0738


            Only when you apply the solution you can be sure that your JMX Console is protected.

            Please note that Web Console has the same issue, and you need to apply the solution to it as well.


            Also it is recommended to hash passwords in the config files. Read about how to do it in JBoss Getting Started guide.