analytic

Sunday, 3 March 2013

Securing JBOSS JMX and Web Console

After installing the JBOSS Application Server, the jmx console can be accessed by anybody without providing any username/password. This is a big security risk as anybody can perform changes though the jmx and web console. Setting up basic username/password security for the jboss jmx/web console can be accomplished by performing the following steps on the JBOSS Application Server.

1. Edit $JBOSS_HOME/server/all/conf/props/jmx-console-users.properties to add jmx console users. Replace all with your JBOSS profile name. The syntax to add users is username=password. By default admin user would be available in this file with admin as password.
Ex : sysadmin=Password007 ## This configuration will create a new jmx and web console user as sysadmin and set the password as Password007
2. To provide admin privileges on jmx and web console to the newly created user, edit jmx-console-roles.properties file available in $JBOSS_HOME/server/all/conf/props folder and add username=JBossAdmin.
Ex : sysadmin=JBossAdmin ## This configuration will provide admin privileges to sysadmin user on jmx and web console.
3. Edit $JBOSS_HOME/server/all/deploy/jmx-console.war/WEB-INF/jboss-web.xml file and uncomment the security domain as shown below.
<jboss-web>
<security-domain>
java:/jaas/jmx-console
</security-domain>
</jboss-web>
4. Edit $JBOSS_HOME/server/all/deploy/jmx-console.war/WEB-INF/web.xml file and uncomment the security constraint as shown below.
<security-constraint>
<web-resource-collection>
<web-resource-name>
HtmlAdaptor
</web-resource-name>
<description>
An example security config that only allows
users with the role JBossAdmin to access the
HTML JMX console web application
</description>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>JBossAdmin</role-name>
</auth-constraint>
</security-constraint>
5. The location, path or name of the users and roles configuration files i.e. jmx-console-users.properties or jmx-console-roles.properties can be changed by editing $JBOSS_HOME/server/all/conf/login- -config.xml file. Sample configuration is given below.
<application-policy name=”jmx-console”>
<authentication>
<login-module code=
“org.jboss.security.auth.spi.UsersRolesLoginModule”
flag=”required”>
<module-option name=”usersProperties”>
props/jmx-console-users.properties
</module-option>
<module-option name=”rolesProperties”>
props/jmx-console-roles.properties
</module-option>
</login-module>
</authentication>
</application-policy>
6. Edit $JBOSS_HOME/server/all/deploy/management/console-mgr.sar/ web-console.war/WEB-INF/jboss-web.xml file and remove the comment of the security domain as shown below.
<jboss-web>
<security-domain>java:/jaas/web-console</security-domain>
<depends>jboss.admin:service=PluginManager</depends>
</jboss-web>
7. Edit $JBOSS_HOME/server/all/deploy/management/console-mgr.sar/ web-console.war/WEB-INF/web.xml file and remove the comment of the security constraint as shown below.
<security-constraint>
<web-resource-collection>
<web-resource-name>HtmlAdaptor</web-resource-name>
<description>An example security config that only allows
users with the role JBossAdmin to access the
HTML JMX console web application
</description>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>JBossAdmin</role-name>
</auth-constraint>
</security-constraint>
8. Restart JBOSS.

0 comments:

Post a Comment