4 Replies Latest reply on Oct 16, 2004 3:46 PM by Scott Stark

    JMX-Console Security in Jboss 4.0

    Carolyn Cole Newbie

      Hello,

      I have been trying to activate the security for the JMX console in Jboss 4.0.

      Unfortunately when I uncomment out the security in the jboss-web.xml and web.xml the system seems to still be pointing at the other realm instaed of the jmx-console realm.

      Any ideas why this would have stopped working in 4.0? What other files beside the two xml files need to be modified now?

      Thanks!

      -- Carolyn

        • 1. Re: JMX-Console Security in Jboss 4.0
          David Blake Newbie

          I upgraded to 4.0.0 and the JMX console security works fine after uncommenting the jboss-web.xml and web.xml files. I would check them again to make sure the changes were saved or you didn't uncomment everything needed.

          • 2. Re: JMX-Console Security in Jboss 4.0
            Carolyn Cole Newbie

            Here are the two files. Please let me know if you see something wrong.

            Just to note, if you got an error saying that you were missing the roles.properties file and user.properties file you are actually using the default "other" realm instead of the jmx-console realm. The other realm works just fine, but it is not what should be configured.

            Thanks for your help!

            web.xml:

            <?xml version="1.0"?>
            <!DOCTYPE web-app PUBLIC
             "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
             "http://java.sun.com/dtd/web-app_2_3.dtd">
            
            <web-app>
             <description>The standard web descriptor for the html adaptor</description>
             <servlet>
             <servlet-name>HtmlAdaptor</servlet-name>
             <servlet-class>org.jboss.jmx.adaptor.html.HtmlAdaptorServlet</servlet-class>
             </servlet>
             <servlet>
             <servlet-name>ClusteredConsoleServlet</servlet-name>
             <servlet-class>org.jboss.jmx.adaptor.html.ClusteredConsoleServlet</servlet-class>
             <init-param>
             <param-name>jgProps</param-name>
             <param-value>UDP(ip_mcast=true;ip_ttl=16;loopback=false;mcast_addr=228.1.2.3;mcast_port=45566):
            org.jboss.jmx.adaptor.control.FindView
             </param-value>
             <description>The JGroups protocol stack config</description>
             </init-param>
             </servlet>
             <servlet>
             <servlet-name>DisplayMBeans</servlet-name>
             <jsp-file>/displayMBeans.jsp</jsp-file>
             </servlet>
             <servlet>
             <servlet-name>InspectMBean</servlet-name>
             <jsp-file>/inspectMBean.jsp</jsp-file>
             </servlet>
             <servlet>
             <servlet-name>DisplayOpResult</servlet-name>
             <jsp-file>/displayOpResult.jsp</jsp-file>
             </servlet>
             <servlet>
             <servlet-name>ClusterView</servlet-name>
             <jsp-file>/cluster/clusterView.jsp</jsp-file>
             </servlet>
            
             <servlet-mapping>
             <servlet-name>HtmlAdaptor</servlet-name>
             <url-pattern>/HtmlAdaptor</url-pattern>
             </servlet-mapping>
             <servlet-mapping>
             <servlet-name>ClusteredConsoleServlet</servlet-name>
             <url-pattern>/cluster/ClusteredConsole</url-pattern>
             </servlet-mapping>
             <servlet-mapping>
             <servlet-name>DisplayMBeans</servlet-name>
             <url-pattern>/DisplayMBeans</url-pattern>
             </servlet-mapping>
             <servlet-mapping>
             <servlet-name>InspectMBean</servlet-name>
             <url-pattern>/InspectMBean</url-pattern>
             </servlet-mapping>
             <servlet-mapping>
             <servlet-name>DisplayOpResult</servlet-name>
             <url-pattern>/DisplayOpResult</url-pattern>
             </servlet-mapping>
            
             <!-- A security constraint that restricts access to the HTML JMX console
             to users with the role JBossAdmin. Edit the roles to what you want and
             uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
             secured access to the HTML JMX console.-->
             <security-constraint>
             <web-resource-collection>
             <web-resource-name>HtmlAdaptor</web-resource-name>
             <description>An example security config that only allows users with the
             role JBossAdmin to access the HTML JMX console web application
             </description>
             <url-pattern>/*</url-pattern>
             <http-method>GET</http-method>
             <http-method>POST</http-method>
             </web-resource-collection>
             <auth-constraint>
             <role-name>JBossAdmin</role-name>
             </auth-constraint>
             </security-constraint>
            
             <login-config>
             <auth-method>BASIC</auth-method>
             <realm-name>JBoss JMX Console</realm-name>
             </login-config>
            
             <security-role>
             <role-name>JBossAdmin</role-name>
             </security-role>
            </web-app>
            


            jboss-web.xml:
            <jboss-web>
             <!-- Uncomment the security-domain to enable security. You will
             need to edit the htmladaptor login configuration to setup the
             login modules used to authentication users. -->
             <security-domain>java:/jaas/jmx-console</security-domain>
            </jboss-web>
            


            • 3. Re: JMX-Console Security in Jboss 4.0
              Carolyn Cole Newbie

              Hello,

              I found the solution to my problem myself. There really needs to be some documentation on 4.0.

              I found that the standard server will run the security correctly.

              The reason for this is that in the jbossweb-tomcat50.sar/server.xml file in the standard version has the following entry in the engine:

               <!-- The JAAS based authentication and authorization realm implementation
               that is compatible with the jboss 3.2.x realm implementation.
               - certificatePrincipal : the class name of the
               org.jboss.security.auth.certs.CertificatePrincipal impl
               used for mapping X509[] cert chains to a Princpal.
               -->
               <Realm className="org.jboss.web.tomcat.security.JBossSecurityMgrRealm"
               certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping"
               />
              


              If you are planning to use the default configuration and security make sure you add the above to the engine.

              -- Carolyn

              • 4. Re: JMX-Console Security in Jboss 4.0
                Scott Stark Master

                Both the standard and default configurations have the JBossSecurityMgrRealm defined in the jbossweb-tomcat50.sar/server.xml. The only way your default config does not have this is if you removed it.