4 Replies Latest reply on Jan 8, 2003 12:44 AM by rruss

    Security issues

    czajnik


      I'm new to JBoss. After installation I discovered that any user can stop my JBoss server. Is there any workaround?

      BTW, I've found the same behavior in JOnAS (I got a reply from one of the JOnAS developers - they are going to fix it in 2 months) and Tomcat (with a possible workaround). Does it mean that Java developers don't care about security? ;(

        • 1. Re: Security issues

          You need to secure the jmx-console web app.

          • 2. Re: Security issues
            czajnik

            Thanks, I'll try to figure it out.

            However, shutdown.sh uses the org.jboss.Shutdown class, and I can't see any possibility to pass any credentials in Shutdown.java.
            I guess that after securing JMX, the shutdown.sh script will stop working as well.

            • 3. Re: Security issues

              Shutdown probably uses the RMI connector to contact the JMX MBean server (I haven't looked, you should check the code).

              I don't know if there's a way currently to secure the JBoss RMI connector. If there isn't, you probably want to remove this service (the HTML console will still keep on working).

              • 4. Re: Security issues
                rruss

                In looking at the code (v3.0.4), the Shutdown class uses the jmx-console web application to perform the shutdown. The only two parameters that it currently accepts are host and port. So, I believe you are correct in stating that shutdown.sh will stop working once you have secured the jmx-console web application.

                I think it would be trivial to modify Shutdown.java to accept two new parameters for username and password. However, this would only work if jmx-console was protected with basic authentication (username/password) as opposed to something like client-side certificates.
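
One way to do what replies 1 and 4 describe, as an added example that is not part of the original thread or of JBoss's shipped configuration: standard servlet declarative security in the jmx-console web application's WEB-INF/web.xml, using basic authentication. The role name and realm name are assumptions, and the role still has to be mapped to real users through the container's security domain configuration.

```xml
<!-- Added example: fragment for the jmx-console web app's WEB-INF/web.xml,
     placed inside <web-app>. "JBossAdmin" and "JMX Console" are assumed names. -->

<security-constraint>
  <web-resource-collection>
    <web-resource-name>JMX console</web-resource-name>
    <!-- Cover the whole application, not only the HTML adaptor servlet. -->
    <url-pattern>/*</url-pattern>
    <!-- Deliberately no <http-method> elements: with none listed, the
         constraint applies to every HTTP method. Listing only GET and POST
         would leave the other methods unauthenticated. -->
  </web-resource-collection>

  <auth-constraint>
    <!-- Only callers holding this role may reach the console. -->
    <role-name>JBossAdmin</role-name>
  </auth-constraint>

  <user-data-constraint>
    <!-- Basic authentication sends the password base64-encoded, not
         encrypted, so require TLS. Assumes an HTTPS connector is configured;
         without one, requests to the console will fail to redirect. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <!-- BASIC is the scheme a username/password shutdown client could speak;
       CLIENT-CERT here would require certificate handling instead. -->
  <auth-method>BASIC</auth-method>
  <realm-name>JMX Console</realm-name>
</login-config>

<security-role>
  <role-name>JBossAdmin</role-name>
</security-role>
```

With this in place an unauthenticated request to the console is answered with 401, which is why the unmodified Shutdown class discussed above would stop working until it is taught to send credentials.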