After installing the JBOSS Application
Server, the jmx console can be accessed by anybody without providing
any username/password. This is a big security risk as anybody can
perform changes though the jmx and web console. Setting up basic
username/password security for the jboss jmx/web console can be
accomplished by performing the following steps on the JBOSS Application
Server.
1. Edit $JBOSS_HOME/server/all/conf/props/jmx-console-users.properties to add jmx console users. Replace all
with your JBOSS profile name. The syntax to add users is
username=password. By default admin user would be available in this file
with admin as password.
Ex : sysadmin=Password007 ## This configuration will create a new jmx and web console user as sysadmin and set the password as Password007
2. To provide admin privileges on jmx and web console to the newly created user, edit jmx-console-roles.properties file available in $JBOSS_HOME/server/all/conf/props folder and add username=JBossAdmin.
Ex : sysadmin=JBossAdmin ## This configuration will provide admin privileges to sysadmin user on jmx and web console.
3.
Edit
$JBOSS_HOME/server/all/deploy/jmx-console.war/WEB-INF/jboss-web.xml file
and uncomment the security domain as shown below.
<jboss-web>
<security-domain>
java:/jaas/jmx-console
</security-domain>
</jboss-web>
4. Edit $JBOSS_HOME/server/all/deploy/jmx-console.war/WEB-INF/web.xml file and uncomment the security constraint as shown below.
<security-constraint>
<web-resource-collection>
<web-resource-name>
HtmlAdaptor
</web-resource-name>
<description>
An example security config that only allows
users with the role JBossAdmin to access the
HTML JMX console web application
</description>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>JBossAdmin</role-name>
</auth-constraint>
</security-constraint>
5. The location, path or name of the
users and roles configuration files i.e. jmx-console-users.properties or
jmx-console-roles.properties can be changed by editing $JBOSS_HOME/server/all/conf/login- -config.xml file. Sample configuration is given below.
<application-policy name=”jmx-console”>
<authentication>
<login-module code=
“org.jboss.security.auth.spi.UsersRolesLoginModule”
flag=”required”>
<module-option name=”usersProperties”>
props/jmx-console-users.properties
</module-option>
<module-option name=”rolesProperties”>
props/jmx-console-roles.properties
</module-option>
</login-module>
</authentication>
</application-policy>
6.
Edit $JBOSS_HOME/server/all/deploy/management/console-mgr.sar/
web-console.war/WEB-INF/jboss-web.xml file and remove the comment of the
security domain as shown below.
<jboss-web>
<security-domain>java:/jaas/web-console</security-domain>
<depends>jboss.admin:service=PluginManager</depends>
</jboss-web>
7. Edit
$JBOSS_HOME/server/all/deploy/management/console-mgr.sar/
web-console.war/WEB-INF/web.xml file and remove the comment of the
security constraint as shown below.
<security-constraint>
<web-resource-collection>
<web-resource-name>HtmlAdaptor</web-resource-name>
<description>An example security config that only allows
users with the role JBossAdmin to access the
HTML JMX console web application
</description>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>JBossAdmin</role-name>
</auth-constraint>
</security-constraint>
8. Restart JBOSS.
0 comments:
Post a Comment