1 Reply Latest reply on Apr 14, 2005 2:33 AM by Heiko Rupp

    problems securing jmx-console

    Peter J. Siegel Newbie

      Hi all outa there!

      Following the documentation's steps on http://www.jboss.org/wiki/Wiki.jsp?page=SecureTheJmxConsole I tried in vain to secure the jmx-console. The console stays reachable for anyone. Even if I force a hot deployment by touching the application's web.xml while JBoss is running, the security configuration is activated.

      1. I uncommented the security constraints in jmx-console.war/WEB-INF/web.xml:

      ------ cut out -------------------

      <!-- uncommented pjs 20050405 -->
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>HtmlAdaptor</web-resource-name>
          <description>An example security config that only allows users with the
            role JBossAdmin to access the HTML JMX console web application
          </description>
          <url-pattern>/*</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>JBossAdmin</role-name>
        </auth-constraint>
      </security-constraint>

      <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>JBoss JMX Console</realm-name>
      </login-config>

      <security-role>
        <role-name>JBossAdmin</role-name>
      </security-role>
      <security-role>
        <role-name>AuthUser</role-name>
      </security-role>

      ------ end of cut out -----------------------------

      2. I changed users and passwords in WEB-INF/classes/jmx-console-users.properties:

      ------ cut out -------------------
      # A sample users.properties file for use with the UsersRolesLoginModule
      auth_user=pazzword
      #admin=admin
      #admin=adm
      ------ end of cut out -----------------------------


      and I changed WEB-INF/classes/jmx-console-roles.properties:

      ------ cut out -------------------
      # A sample roles.properties file for use with the UsersRolesLoginModule
      #admin=JBossAdmin
      auth_user=JBossAdmin
      ------ end of cut out -----------------------------

      3. I edited WEB-INF/jboss-web.xml and uncommented the security-domain block:

      ------ cut out -------------------
      <jboss-web>
        <!-- uncommented pjs 20050405 -->
        <security-domain>java:/jaas/jmx-console</security-domain>
      </jboss-web>
      ------ end of cut out -----------------------------


      4. In the server/conf/jboss-service.xml I switched off the login cache by
      setting DefaultCacheTimeout to zero.

      ------ cut out -------------------

      <!-- JAAS security manager and realm mapping -->
      <mbean code="org.jboss.security.plugins.JaasSecurityManagerService"
         name="jboss.security:service=JaasSecurityManager">
         <attribute name="SecurityManagerClassName">
            org.jboss.security.plugins.JaasSecurityManager
         </attribute>
         <attribute name="DefaultCacheTimeout">0</attribute>
      </mbean>

      ------ end of cut out -----------------------------


      If I shut down the server and start it up again, the changes don't take effect. They only work after a change to web.xml while JBoss is running. I'd like JBoss to secure the jmx-console even after a restart.

      Does anybody see a mistake or have a solution?

      Thanks in advance

      Peter
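An offline consistency check for the four files edited in the post, as an added example that is not part of the original post and not JBoss project code. It parses web.xml, jboss-web.xml and the two properties files (the embedded inputs are constructed to mirror the post's values; the parsing helpers and all finding texts are this example's own) and reports anything that would still leave the console open: a constraint that is still commented out, no security-domain, a required role that no enabled user holds, or the default admin/admin login still present. It also flags one thing in the post's own web.xml: listing http-method GET and POST limits the constraint to those two methods, so the usual hardening advice is to omit the http-method elements and let the constraint cover every method.

```python
"""Offline consistency check for a JBoss jmx-console security setup.

Added example (not from the forum post or the JBoss project). It parses the
four files the post edits and reports anything that would still leave the
console reachable without a login. The inputs below are constructed to mirror
the post's values; on a real server read them from jmx-console.war/WEB-INF/.
"""
import xml.etree.ElementTree as ET

# Constructed sample inputs mirroring the post (not copied from a real server).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>JBoss JMX Console</realm-name>
  </login-config>
  <security-role><role-name>JBossAdmin</role-name></security-role>
</web-app>"""

JBOSS_WEB_XML = """<jboss-web>
  <security-domain>java:/jaas/jmx-console</security-domain>
</jboss-web>"""

USERS_PROPERTIES = "# constructed sample\nauth_user=pazzword\n#admin=admin\n"
ROLES_PROPERTIES = "# constructed sample\n#admin=JBossAdmin\nauth_user=JBossAdmin\n"


def parse_properties(text):
    """Parse the key=value subset of Java .properties (comments start with # or !)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def elements_named(elem, name):
    """All descendants (including elem) with the given local tag name, namespace ignored."""
    return [c for c in elem.iter() if c.tag.rsplit("}", 1)[-1] == name]


def texts(elem, name):
    """Stripped text content of every matching element as a set."""
    return {c.text.strip() for c in elements_named(elem, name) if c.text}


def check_jmx_console(web_xml, jboss_web_xml, users_props, roles_props):
    """Return a list of findings; an empty list means the four files are consistent."""
    findings = []
    web = ET.fromstring(web_xml)
    jboss_web = ET.fromstring(jboss_web_xml)
    users = parse_properties(users_props)
    roles = {u: set(r.split(",")) for u, r in parse_properties(roles_props).items()}

    # 1. web.xml: a constraint must cover /* and require a role.
    required_roles = set()
    constraints = elements_named(web, "security-constraint")
    if not constraints:
        findings.append("web.xml: no security-constraint (still commented out?)")
    for sc in constraints:
        auth = elements_named(sc, "auth-constraint")
        if "/*" not in texts(sc, "url-pattern"):
            findings.append("web.xml: constraint does not cover url-pattern /*")
        if not auth:
            findings.append("web.xml: constraint has no auth-constraint, so no login is required")
        methods = texts(sc, "http-method")
        if methods:
            findings.append("web.xml: http-method elements limit the constraint to %s; "
                            "omit them so every method is covered" % sorted(methods))
        for a in auth:
            required_roles |= texts(a, "role-name")
    if not texts(web, "auth-method"):
        findings.append("web.xml: no login-config/auth-method")

    # 2. jboss-web.xml: the app must be bound to a JAAS security domain.
    if not texts(jboss_web, "security-domain"):
        findings.append("jboss-web.xml: no security-domain (still commented out?)")

    # 3. properties: every required role needs an enabled user; no default login.
    for role in sorted(required_roles):
        if not any(role in roles.get(u, ()) for u in users):
            findings.append("no user in users.properties holds role %s" % role)
    for user in users:
        if user not in roles:
            findings.append("user %s has a password but no roles" % user)
    if users.get("admin") == "admin":
        findings.append("default admin/admin credentials are still enabled")
    return findings


if __name__ == "__main__":
    for f in check_jmx_console(WEB_XML, JBOSS_WEB_XML, USERS_PROPERTIES, ROLES_PROPERTIES):
        print("WARN:", f)
```

Run against the post's values it reports only the http-method finding; run against copies of the files as they ship (constraint commented out, admin=admin) it reports each missing piece, which makes it a quick way to confirm that the files on disk really contain what you think they do before hunting for deployment or caching problems.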