6 Replies Latest reply on Dec 14, 2007 9:45 AM by kike sedes

    lock jboss administration

    kike sedes Newbie

      I started jboss with -b 0.0.0.0 option so that people can access it remotely.

      how can i lock the administration? some scipt? some xml file parameter?

      thanks in advise.

      Regards from Spain!!

        • 1. Re: lock jboss administration
          jaikiran pai Master

          See this http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss. That has steps to secure the jmx-console and other JBoss services.

          • 2. Re: lock jboss administration
            kike sedes Newbie

            i tried what you said, but i found an exception when jboss reads login-config.xml. it seems like a bad-formed xml file but it has no sense:


            11:44:28,802 WARN [XMLLoginConfigImpl] End loadConfig, failed to load config: file:/C:/is/jboss-4.0.4RC1/server/default/conf/login-config.xml
            INFO | jvm 1 | 2007/12/14 11:44:28 | org.jboss.security.auth.login.ParseException: Encountered "<?xml" at line 1, column 1.

            • 3. Re: lock jboss administration
              jaikiran pai Master

              Did you edit/change the contents of the login-config.xml file? Looks like the xml content might be invalid in that file. Use a xml editor to open this file and see if it reports any errors. Or else post the contents of that file here (remember to enclose the contents in a code block, using the "Code" button in the message editor, while posting the contents)

              • 4. Re: lock jboss administration
                kike sedes Newbie

                upps, yes. I modified the xml file in my server with vnc using notepad editor.

                <?xml version='1.0'?>
                <!DOCTYPE policy PUBLIC
                 "-//JBoss//DTD JBOSS Security Config 3.0//EN"
                 "http://www.jboss.org/j2ee/dtd/security_config.dtd">
                
                <!-- The XML based JAAS login configuration read by the
                org.jboss.security.auth.login.XMLLoginConfig mbean. Add
                an application-policy element for each security domain.
                
                The outline of the application-policy is:
                <application-policy name="security-domain-name">
                 <authentication>
                 <login-module code="login.module1.class.name" flag="control_flag">
                 <module-option name = "option1-name">option1-value</module-option>
                 <module-option name = "option2-name">option2-value</module-option>
                 ...
                 </login-module>
                
                 <login-module code="login.module2.class.name" flag="control_flag">
                 ...
                 </login-module>
                 ...
                 </authentication>
                </application-policy>
                
                -->
                
                <policy>
                 <!-- Used by clients within the application server VM such as
                 mbeans and servlets that access EJBs.
                 -->
                 <application-policy name = "client-login">
                 <authentication>
                 <login-module code = "org.jboss.security.ClientLoginModule"
                 flag = "required">
                 </login-module>
                 </authentication>
                 </application-policy>
                
                 <!-- Security domain for JBossMQ -->
                 <application-policy name = "jbossmq">
                 <authentication>
                 <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
                 flag = "required">
                 <module-option name = "unauthenticatedIdentity">guest</module-option>
                 <module-option name = "dsJndiName">java:/DefaultDS</module-option>
                 <module-option name = "principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?</module-option>
                 <module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?</module-option>
                 </login-module>
                 </authentication>
                 </application-policy>
                
                 <!-- Security domain for JBossMQ when using file-state-service.xml
                 <application-policy name = "jbossmq">
                 <authentication>
                 <login-module code = "org.jboss.mq.sm.file.DynamicLoginModule"
                 flag = "required">
                 <module-option name = "unauthenticatedIdentity">guest</module-option>
                 <module-option name = "sm.objectname">jboss.mq:service=StateManager</module-option>
                 </login-module>
                 </authentication>
                 </application-policy>
                 -->
                
                 <!-- Security domains for testing new jca framework -->
                 <application-policy name = "HsqlDbRealm">
                 <authentication>
                 <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
                 flag = "required">
                 <module-option name = "principal">sa</module-option>
                 <module-option name = "userName">sa</module-option>
                 <module-option name = "password"></module-option>
                 <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
                 </login-module>
                 </authentication>
                 </application-policy>
                
                 <application-policy name = "JmsXARealm">
                 <authentication>
                 <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
                 flag = "required">
                 <module-option name = "principal">guest</module-option>
                 <module-option name = "userName">guest</module-option>
                 <module-option name = "password">guest</module-option>
                 <module-option name = "managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA</module-option>
                 </login-module>
                 </authentication>
                 </application-policy>
                
                 <!-- A template configuration for the jmx-console web application. This
                 defaults to the UsersRolesLoginModule the same as other and should be
                 changed to a stronger authentication mechanism as required.
                 -->
                 <application-policy name = "jmx-console">
                 <authentication>
                 <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                 flag = "required">
                 <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
                 <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
                 </login-module>
                 </authentication>
                 </application-policy>
                
                 <!-- A template configuration for the web-console web application. This
                 defaults to the UsersRolesLoginModule the same as other and should be
                 changed to a stronger authentication mechanism as required.
                 -->
                
                
                 <application-policy name = "web-console">
                <authentication>
                <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                flag = "required">
                <module-option name="usersProperties">props/web-console-users.properties</module-option> <module-option name="rolesProperties">props/web-console-roles.properties</module-option> </login-module>
                </authentication>
                </application-policy
                
                 <!-- A template configuration for the JBossWS web application (and transport layer!).
                 This defaults to the UsersRolesLoginModule the same as other and should be
                 changed to a stronger authentication mechanism as required.
                 -->
                 <application-policy name="JBossWS">
                 <authentication>
                 <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                 flag="required">
                 <module-option name="unauthenticatedIdentity">anonymous</module-option>
                 </login-module>
                 </authentication>
                 </application-policy>
                
                 <!-- The default login configuration used by any security domain that
                 does not have a application-policy entry with a matching name
                 -->
                 <application-policy name = "other">
                 <!-- A simple server login module, which can be used when the number
                 of users is relatively small. It uses two properties files:
                 users.properties, which holds users (key) and their password (value).
                 roles.properties, which holds users (key) and a comma-separated list of
                 their roles (value).
                 The unauthenticatedIdentity property defines the name of the principal
                 that will be used when a null username and password are presented as is
                 the case for an unuathenticated web client or MDB. If you want to
                 allow such users to be authenticated add the property, e.g.,
                 unauthenticatedIdentity="nobody"
                 -->
                 <authentication>
                 <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
                 flag = "required" />
                 </authentication>
                 </application-policy>
                
                </policy>
                


                i think the xml is well formed. i´m gonna modify it with other editor.

                Very much thanks

                • 5. Re: lock jboss administration
                  jaikiran pai Master

                   

                  </authentication>
                  </application-policy
                  
                   <!-- A template configuration for the JBossWS web application (and transport layer!).


                  The problem is the line marked in bold. That line is missing a >

                  Change it to

                  </authentication>
                  </application-policy>
                  
                   <!-- A template configuration for the JBossWS web application (and transport layer!).
                  
                  


                  • 6. Re: lock jboss administration
                    kike sedes Newbie

                    Problem solved. Very much thanks.

                    Regards from spain.