8 Replies Latest reply on Mar 30, 2009 5:51 AM by germandev

    "Startup securing" - how to bind administration access to a

      Hi!

      I am new to JBoss. A few months ago I started to familiarize myself with JBoss Seam and JSF and just finished my first "real" web application, which I want to put on my production server, where I installed jboss-4.2.3.GA, to test the project under "real life conditions".

      Nevertheless, the deployment worked as it should, but I don't know how to secure the administration (jmx-console, web-console) and the JBoss startup screen (with the link to the Tomcat stats etc.).

      Is there an easy way to bind it to my (static) IP address, so that access from any other IP is rejected? Additionally, is there a way to reject (IP based) access to any URL of JBoss other than http://my-server.net:8080/myProject/?

      I know that this won't be a perpetual solution, but in the meantime I'm going to buy a book to learn how to properly administrate the JBoss AS.

      Could you recommend a good book about JBoss AS administration?

      Thank you in advance!

        • 1. Re:
          jaikiran

          See this wiki http://www.jboss.org/community/docs/DOC-12188

          "Additionally, is there a way to reject (IP based) access to any other URL"


          Are you looking to reject clients coming from a specific IP address, or are you looking to allow access to the server through a specific IP only? For the first, look at the RemoteAddressFilter valve of Tomcat, which you can configure; see http://tomcat.apache.org/tomcat-5.5-doc/config/valve.html.

          For the latter, you can start JBoss by binding it to a specific IP, you can start the server using

          run.bat -b xxx.xxx.xxx.xxx


          An additional wiki reference http://www.jboss.org/community/docs/DOC-10179
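          As an added example (not part of the original reply or the linked wiki pages), here is the per-application form of the address filter the reply refers to. The Tomcat class is org.apache.catalina.valves.RemoteAddrValve (the Tomcat 6.0 line that jboss-4.2.3.GA bundles). Putting the valve into a WEB-INF/context.xml inside the admin WARs restricts only those contexts, which is what the asker wants: jmx-console.war, web-console.war and ROOT.war get the file, the asker's own WAR does not and stays reachable for everyone. The address 203.0.113.5 is a placeholder for the asker's proxy. If your JBoss build does not pick up a per-WAR context.xml, the same Valve element can be placed inside the Host element of deploy/jboss-web.deployer/server.xml, but there it applies to every application, including the asker's.

```xml
<!-- Added example: server/<serverName>/deploy/jmx-console.war/WEB-INF/context.xml
     Copy the same file into web-console.war and ROOT.war. The asker's own WAR
     gets no such file, so it stays open to every client. -->
<Context>
  <!-- RemoteAddrValve checks the TCP peer address of every request to this context.
       allow/deny are comma-separated regular expressions that must match the whole
       address, hence the escaped dots: an unescaped "203.0.113.5" would also accept
       "203x0y113z5". Any address that matches nothing in allow is answered with 403.
       127.0.0.1 is kept so that an admin working on the box itself is not locked out.
       203.0.113.5 is a placeholder for the asker's proxy address. -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.0\.0\.1,203\.0\.113\.5" />
</Context>
```

Two caveats that matter for the second half of the reply. First, the `-b` switch only chooses the interface JBoss listens on (4.2.x binds to 127.0.0.1 unless told otherwise); `-b 0.0.0.0` or `-b <public IP>` is what makes the server reachable from outside and does nothing to restrict which clients may connect, so it is not a substitute for the valve. Second, the valve only sees the TCP peer: if a reverse proxy sits in front of JBoss, every request arrives from the proxy's address and the valve cannot tell the proxy's clients apart, so the allow list then controls nothing but the proxy itself.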

          • 2. Re:

            Thank you for your answer!

            I want all users except one IP to be allowed to access only http://my-jboss-server.net:8080/myApplication.

            Only the given IP address (my proxy) is allowed to open the root page http://my-jboss-server.net:8080, the jmx console and the web console.

            What I am trying to get: I want to publish my project on my server, which is globally accessible. Everybody should be able to access my application that is published on the JBoss AS. But they should neither be allowed to open the start page of JBoss (with all the Tomcat stats and so on), nor should they open anything else but my project - especially not the jmx console and the web console. They should only be able to open my project. Nothing else.

            How do I realize that best?

            • 3. Re:
              jaikiran

               

              But they should neither be allowed to open the start page of JBoss (with all the Tomcat stats and so on),


              Some ways to do this:

              1) Remove that application from being deployed (but that would mean even you cannot access it).

              2)
              2.a) Don't let it be the root application and instead set up your application as the root application http://www.jboss.org/community/docs/DOC-12261
              2.b) Secure the ROOT.war application which shows the JBoss home page with password protected access (same as securing the jmx-console that I pointed out in my previous reply).

              especially not the jmx console and the web console.

              Same approach as above.
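              As an added example of option 2.b (written for this page, not taken from the reply or the wiki), the two descriptors that put the JBoss start page behind a password. In jboss-4.2.3.GA the start page is deploy/jboss-web.deployer/ROOT.war. The example reuses the security domain named jmx-console, which the stock conf/login-config.xml already defines and which reads conf/props/jmx-console-users.properties and jmx-console-roles.properties, so the same admin account protects both the start page and the JMX console. The role name JBossAdmin is the one the shipped roles file assigns to the default admin user; the realm-name and web-resource-name strings are arbitrary labels chosen here.

```xml
<!-- Added example, file 1 of 2:
     server/<serverName>/deploy/jboss-web.deployer/ROOT.war/WEB-INF/web.xml -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- The servlet and welcome-file entries already in ROOT.war stay here. -->

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>JBoss start page</web-resource-name>
      <!-- Deliberately no <http-method> elements. Under the servlet spec a
           constraint that lists only GET and POST leaves HEAD, OPTIONS, PUT and
           every other method unconstrained; with none listed, all methods on
           every URL under / require the role below. -->
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Role granted in conf/props/jmx-console-roles.properties -->
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>JBoss start page</realm-name>
  </login-config>

  <security-role>
    <role-name>JBossAdmin</role-name>
  </security-role>
</web-app>

<!-- Added example, file 2 of 2:
     server/<serverName>/deploy/jboss-web.deployer/ROOT.war/WEB-INF/jboss-web.xml
     Ties the constraint above to the "jmx-console" login-config entry that the
     stock conf/login-config.xml already contains. -->
<jboss-web>
  <security-domain>java:/jaas/jmx-console</security-domain>
</jboss-web>
```

The same pair of edits is what the wiki page from reply 1 describes for jmx-console.war, where both blocks ship commented out and only need uncommenting. Two practical points: the shipped jmx-console account is admin with password admin and must be changed before the server is reachable from outside, and BASIC authentication on plain HTTP port 8080 sends the password base64-encoded, i.e. readable by anyone on the path, which is one more reason to combine the password with the address filter from reply 1 rather than rely on either alone.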


              • 4. Re:

                Thank you for your answer!

                Great to know that it is possible to change the root application.


                What I didn't get until now - how do I create users or change their passwords?

                I removed the comments in the web.xml files for the web console, and I am asked for a password. But I don't find any information on where to set it.

                • 5. Re:
                  jaikiran

                   

                  "GermanDev" wrote:


                  What I didn't get until now - how do I create users or change their passwords?


                  There are various ways of doing this, and it depends on the login module that you use. The users can come from a database or from properties files. The properties file is the simplest approach, and this wiki might help in understanding it:

                  http://www.jboss.org/community/docs/DOC-12185


                  "GermanDev" wrote:

                  I removed the comments in the web.xml files for the web console, and I am asked for a password. But I don't find any information on where to set it.


                  The roles/passwords are already set in the %JBOSS_HOME%/server/<serverName>/deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/web-console-roles.properties and web-console-users.properties files of the web-console war file.

                  • 6. Re:

                    This works great for the management console, where the user and role files already exist. But when I try to reproduce this with the jmx-console, where they don't, it didn't work. I am asked to enter a password, but nothing is accepted.

                    Is there anything I have to pay attention to?

                    • 7. Re:
                      jaikiran

                       

                      "GermanDev" wrote:
                      But when I try to reproduce this with the jmx-console, where they don't, it didn't work. I am asked to enter a password, but nothing is accepted.




                      The users/roles properties for the jmx-console application are in the %JBOSS_HOME%/server/<serverName>/conf/props folder (named jmx-console-users.properties and jmx-console-roles.properties).
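                      Replies 5 and 7 name two different locations for the properties files because each security domain points at its own pair; the place where that is decided is conf/login-config.xml. As an added example (not from the replies or the wiki), the entry below defines a domain of its own for the asker's application instead of reusing the shipped jmx-console one. The domain name myProject and the file names are placeholders; everything else is the UsersRolesLoginModule configuration that the stock jmx-console and web-console entries in jboss-4.2.3.GA use as well.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policy PUBLIC
  "-//JBoss//DTD JBOSS Security Config 3.0//EN"
  "http://www.jboss.org/j2ee/dtd/security_config.dtd">
<!-- Added example: server/<serverName>/conf/login-config.xml
     The shipped file already holds "jmx-console" (usersProperties =
     props/jmx-console-users.properties, i.e. conf/props) and "web-console"
     (usersProperties = web-console-users.properties, found on that WAR's own
     WEB-INF/classes classpath). Only the new entry is shown in full. -->
<policy>

  <!-- ... the existing application-policy elements stay here ... -->

  <!-- A WAR opts into this domain with
       <security-domain>java:/jaas/myProject</security-domain>
       in its WEB-INF/jboss-web.xml; the domain name is a placeholder. -->
  <application-policy name="myProject">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                    flag="required">
        <!-- Both paths are looked up on the server classpath. conf/ is on it,
             so these resolve to server/<serverName>/conf/props/, next to the
             jmx-console files. If either file is missing from the classpath,
             the module rejects every login, which is the symptom from reply 6. -->
        <module-option name="usersProperties">props/myProject-users.properties</module-option>
        <module-option name="rolesProperties">props/myProject-roles.properties</module-option>
        <!-- To avoid clear-text passwords in the users file, the module can
             compare digests instead: uncomment the two options below and put
             the base64-encoded MD5 digest of each password in the users file.
        <module-option name="hashAlgorithm">MD5</module-option>
        <module-option name="hashEncoding">base64</module-option>
        -->
      </login-module>
    </authentication>
  </application-policy>
</policy>
```

The two properties files are plain Java properties. myProject-users.properties holds one `user=password` line per account (for example `admin=s3cret`, a made-up credential); myProject-roles.properties holds one `user=role1,role2` line per account (for example `admin=JBossAdmin`), and the role names must be the same strings used in the `<role-name>` elements of the protected WAR's web.xml. login-config.xml is read when the server starts, so a new or changed domain needs a restart before the WAR can authenticate against it. Each domain having its own pair of files is also why the jmx-console files live under conf/props while the web-console files live inside web-console.war: the path in each application-policy entry decides, not the WAR that uses the domain.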

                      • 8. Re:

                        This works, thank you!

                        It all seems very confusing to me. Where do I set the location of the user and role files for the ROOT.war application? Where do I set that location in general?

                        Is there an (easy or not that complicated) way to create one general user account and set for each web application that the access is either always granted or requires a valid login of that user?