3 Replies Latest reply on Jun 9, 2004 7:04 AM by marcma

    How to secure the web-console (3.2.4)?

    marcma Newbie

      Hi.

      The wiki docs for securing the jmx-console and the web-console are
      fine for jboss-3.2.3.

      For jboss-3.2.4 the part for securing the jmx-console works fine but
      for the web-console it does not work.

      What do I have to do to get the web-console secure?

      I have followed the instructions and everthing is fine for the jmx-console.
      But when accessing the web-console the BASIC popup prompts me to
      enter username and password. The same username and password that works for the jmx-console does not give me access to the web-console.

      In use:
      jboss-3.2.4
      java 1.4.2_03
      WXP

      Thanks for your help.
      Cheers

        • 1. Re: How to secure the web-console (3.2.4)?
          marcma Newbie

          Hi.

          Ok, I have found out, that a request for

          http://blablub:whatever/web-console

          brings the UsersRolesLoginModule up the scene
          (as configured in the login-config.xml)
          and this guy is reading the users.properties and roles.properties from
          the invoker.war instead of the ones from the web-console.war.

          Why is that?

          Requesting the jmx-console results in reading the jmx-console-users.properties and jmx-console-roles.properties from the jmx-console.war.

          Request for web-console:

          DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /web-console/
          DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[HtmlAdaptor]' against GET /index.html --> true
          DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[HtmlAdaptor]' against GET /index.html --> true
          DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
          DEBUG [org.apache.catalina.realm.RealmBase] User data constraint has no restrictions
          DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
          TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] initialize
          TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] findResource: null
          TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/C:/production/ejbcontainer/jboss/jboss-3.2.4/jboss-3.2.4/server/all/deploy/http-invoker.sar/invoker.war/WEB-INF/classes/users.properties
          TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] findResource: null
          TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/C:/production/ejbcontainer/jboss/jboss-3.2.4/jboss-3.2.4/server/all/deploy/http-invoker.sar/invoker.war/WEB-INF/classes/roles.properties
          TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] login
          DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Bad password for username=jboss
          TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] abort
          DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed authenticate() test
          



          Request for jmx-console:

          DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /jmx-console/
          DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[HtmlAdaptor]' against GET /index.jsp --> true
          DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[HtmlAdaptor]' against GET /index.jsp --> true
          DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
          DEBUG [org.apache.catalina.realm.RealmBase] User data constraint has no restrictions
          DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
          TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] initialize
          TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] findResource: null
          TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/C:/production/ejbcontainer/jboss/jboss-3.2.4/jboss-3.2.4/server/all/deploy/jmx-console.war/WEB-INF/classes/jmx-console-users.properties
          TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] findResource: null
          TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/C:/production/ejbcontainer/jboss/jboss-3.2.4/jboss-3.2.4/server/all/deploy/jmx-console.war/WEB-INF/classes/jmx-console-roles.properties
          TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] login
          TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] User 'jboss' authenticated, loginOk=true
          TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] commit, loginOk=true
          DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Authenticated 'jboss' with type 'BASIC'
          DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling accessControl()
          DEBUG [org.apache.catalina.realm.RealmBase] Checking roles jboss
          DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Successfully passed all security constraints
          


          • 3. Re: How to secure the web-console (3.2.4)?
            marcma Newbie

            Hi.

            Ok. Thanks for the pointer.

            Just changing the loader-repository-config from
            the web-console to overwriting is not enough.

            The console-mgr.sar has the same loeader-repository.
            And here you have a loader-repository-config as well.
            Both need to be changed.

            Isn't this a bit dangerous? Let's say we have different wars all loaded to the same repository. All jboss-web.xml in the wars can specify diefferent loader-repositoy-configs. Which one is the one getting used?

            Another opportunity to get the web-console secure is to change the login-config.xml (module /web-console) to use special users and roles properties files which are uniqu to the complete falt UCL.

            Cheers