1 2 Previous Next 22 Replies Latest reply on Apr 8, 2008 2:17 PM by Michael McDaniel

    Securing JMX console (JBoss)

    Michael McDaniel Newbie

      I'm having difficulties determine where the JMX console is secure. I am trying to follow the instruction to edit the Web.XML file and it calls you to uncomment the security-constraint block. Can you explain to me how to uncomment that section?

        • 1. Re: Securing JMX console (JBoss)
          Peter Johnson Master

          In XML files, comments are formed as follows:

          <!-- this is a comment -->


          In the web.xml file for the jmx console, move the

          -->


          line that appears after the security-constraint end tag to before the security-constraint start tag. It should then look like this:

          <!-- A security constraint that restricts access to the HTML JMX console
           to users with the role JBossAdmin. Edit the roles to what you want and
           uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
           secured access to the HTML JMX console. --> <security-constraint>
           <web-resource-collection>
           <web-resource-name>HtmlAdaptor</web-resource-name>
           <description>An example security config that only allows users with the
           role JBossAdmin to access the HTML JMX console web application
           </description>
           <url-pattern>/*</url-pattern>
           <http-method>GET</http-method>
           <http-method>POST</http-method>
           </web-resource-collection>
           <auth-constraint>
           <role-name>JBossAdmin</role-name>
           </auth-constraint>
           </security-constraint>
          
           <login-config>
           . . .


          The line in red is the one that was moved.

          • 2. Re: Securing JMX console (JBoss)
            Michael McDaniel Newbie

            What if the red arrow is not there from the beginning what does that mean?

            <!-- A security constraint that restricts access to the HTML JMX console
            to users with the role JBossAdmin. Edit the roles to what you want and
            uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
            secured access to the HTML JMX console.
            <security-constraint>
            <web-resource-collection>
            <web-resource-name>HtmlAdaptor</web-resource-name>
            An example security config that only allows users with the
            role JBossAdmin to access the HTML JMX console web application

            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            </web-resource-collection>
            <auth-constraint>
            <role-name>JBossAdmin</role-name>
            </auth-constraint>
            </security-constraint>
            -->

            <login-config>
            <auth-method>BASIC</auth-method>
            <realm-name>JBoss JMX Console</realm-name>
            </login-config>

            <security-role>
            <role-name>JBossAdmin</role-name>
            </security-role>
            </web-app>

            • 3. Re: Securing JMX console (JBoss)
              Peter Johnson Master

              Note that the arrow is after the closing security-constraint tag. That means the entire security-constraint phrase is commented out.

              • 4. Re: Securing JMX console (JBoss)
                Peter Johnson Master

                Read my previous post again, paying attention to the steps I mentioned. Note that I stated that I moved the arrow. I even mentioned where it was be fore I moved it.

                Also, while the example of an XML comment that I gave was on a single line, that is not a requirement - the begin and end markers for a comment can appear on different lines.

                • 5. Re: Securing JMX console (JBoss)
                  Michael McDaniel Newbie

                  This is the results to the script:

                  <!-- A security constraint that restricts access to the HTML JMX console
                  to users with the role JBossAdmin. Edit the roles to what you want and
                  uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
                  secured access to the HTML JMX console.
                  <security-constraint>
                  -->
                  <web-resource-collection>
                  <web-resource-name>HtmlAdaptor</web-resource-name>
                  An example security config that only allows users with the
                  role JBossAdmin to access the HTML JMX console web application

                  <url-pattern>/*</url-pattern>
                  <http-method>GET</http-method>
                  <http-method>POST</http-method>
                  </web-resource-collection>
                  <auth-constraint>
                  <role-name>JBossAdmin</role-name>
                  </auth-constraint>
                  </security-constraint>


                  <login-config>
                  <auth-method>BASIC</auth-method>
                  <realm-name>JBoss JMX Console</realm-name>
                  </login-config>

                  <security-role>
                  <role-name>JBossAdmin</role-name>
                  </security-role>
                  </web-app>

                  I'm still a little confuse with the modifications. After making the changes and ran a security scan on the server it is still coming up with the vulnerability. So did I make the correct changes above ?

                  • 6. Re: Securing JMX console (JBoss)
                    Michael McDaniel Newbie

                    this is the correct script:
                    <!-- A security constraint that restricts access to the HTML JMX console
                    to users with the role JBossAdmin. Edit the roles to what you want and
                    uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
                    secured access to the HTML JMX console.
                    <!-- A security constraint that restricts access to the HTML JMX console
                    to users with the role JBossAdmin. Edit the roles to what you want and
                    uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
                    secured access to the HTML JMX console.
                    -->
                    <security-constraint>
                    <web-resource-collection>
                    <web-resource-name>HtmlAdaptor</web-resource-name>
                    An example security config that only allows users with the
                    role JBossAdmin to access the HTML JMX console web application

                    <url-pattern>/*</url-pattern>
                    <http-method>GET</http-method>
                    <http-method>POST</http-method>
                    </web-resource-collection>
                    <auth-constraint>
                    <role-name>JBossAdmin</role-name>
                    </auth-constraint>
                    </security-constraint>


                    <login-config>
                    <auth-method>BASIC</auth-method>
                    <realm-name>JBoss JMX Console</realm-name>
                    </login-config>

                    <security-role>
                    <role-name>JBossAdmin</role-name>
                    </security-role>
                    </web-app>

                    Please disregard previous script.

                    Thanks

                    • 7. Re: Securing JMX console (JBoss)
                      Peter Johnson Master

                      Please embed any xml text in code tags (select the text and click the Code button), or it will not show properly (the browser will interpret the xml tags a html tags and then weird things happen).

                      What do you mean when you say that a security scan is coming up with a vulnerability? What is the security scanner scanning for and what information does it provide about the vulnerability?

                      • 8. Re: Securing JMX console (JBoss)
                        Michael McDaniel Newbie

                        This is the message that is being detected when security performs a scan on the server.

                        23842(8080/tcp) JBoss JMX Console Unrestricted Access
                        Vulnerability
                        CGI abuses

                        Synopsis :
                        The remote web server allows unauthenticated access to an
                        administrative Java servlet.
                        Description :
                        The remote web server appears to be a version of JBoss that allows
                        unauthenticated access to the JMX and/or Web Console servlets used to
                        manage JBoss and its services. A remote attacker can leverage this
                        issue to disclose sensitive information about the affected application
                        or even take control of it.
                        See also :
                        http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureTheJmxConsole
                        Solution :
                        Follow the Wiki article referenced above to secure access to the JMX /
                        Web Console.
                        Risk factor :
                        High / CVSS Base Score : 7.5
                        (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

                        • 9. Re: Securing JMX console (JBoss)
                          Peter Johnson Master

                          Open a browser at http://localhost:8080/jmx-console, and what do you see? You should get a logon request.

                          • 10. Re: Securing JMX console (JBoss)
                            Michael McDaniel Newbie

                            I get the following message:

                            The page cannot be displayed
                            The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings.

                            Michael McDaniel, Can you call me at 301-763-5294 around 9:00 am EST?

                            • 11. Re: Securing JMX console (JBoss)
                              Peter Johnson Master

                              Did you use the exact URL I gave or did you change the host name? If you used the exact URL, are you running the browser on the same machine on which JBossAS is running?

                              I do not see how the security tool can say that the jmx console is unsecured if you cannot even access the jmx console from a browser.

                              • 12. Re: Securing JMX console (JBoss)
                                Michael McDaniel Newbie

                                Could this be a false positive? This application is imbedded in a server application call Mercury Quality Center. And I believe that the application interfaces with JBoss. There is no Jboss services running on the server.

                                • 13. Re: Securing JMX console (JBoss)
                                  Peter Johnson Master

                                  If JBossAS is not running on the machine but Mercury Quality Center is telling you that JBossAS in u8nsecured, then yes, this is a false positive.

                                  • 14. Re: Securing JMX console (JBoss)
                                    Michael McDaniel Newbie

                                    Thanks for your patient and time. It is very confusing trying to interpretate the JBoss scripts. However the last scripts for uncommenting were correct, right?

                                    1 2 Previous Next