Saturday, August 14, 2010

Securing JBOSS JMX and Web Console


After a default installation of the JBoss Application Server, the JMX console (/jmx-console) and the web console (/web-console) can be reached by anyone, with no username or password. That is a serious exposure: an unauthenticated user can read and change the state of every MBean through these consoles, which includes deploying and undeploying applications. Basic username/password protection for both consoles is set up with the following steps on the JBoss server (the paths below use the server/<profile>/ layout of JBoss AS 4.x and 5.x).
1. Edit $JBOSS_HOME/server/all/conf/props/jmx-console-users.properties to add JMX console users. Replace "all" with the name of the JBoss profile you actually run. Each line has the form username=password. The shipped file contains the user admin with the password admin; remove that entry or change its password, because admin/admin is the first credential anyone will try against an exposed console.
Ex: sysadmin=Password007 creates a new console user "sysadmin" with the password "Password007".
2. To give the new user administrative rights on the consoles, edit jmx-console-roles.properties in the same $JBOSS_HOME/server/all/conf/props folder and add a line of the form username=JBossAdmin. JBossAdmin is the role the security constraints in steps 4 and 7 require.
Ex: sysadmin=JBossAdmin grants the sysadmin user the JBossAdmin role, and with it access to the JMX and web consoles.
3. Edit $JBOSS_HOME/server/all/deploy/jmx-console.war/WEB-INF/jboss-web.xml and uncomment the security-domain element so that the file reads as shown below. The JNDI name java:/jaas/jmx-console refers to the jmx-console application policy in login-config.xml (step 5); while the element stays inside the shipped comment, no login module is applied to the war at all.

    <jboss-web>
        <security-domain>java:/jaas/jmx-console</security-domain>
    </jboss-web>
4. Edit $JBOSS_HOME/server/all/deploy/jmx-console.war/WEB-INF/web.xml and uncomment the security constraint, as shown below. It restricts every URL in the war (/*) to users holding the JBossAdmin role.

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>HtmlAdaptor</web-resource-name>
            <description>
                An example security config that only allows
                users with the role JBossAdmin to access the
                HTML JMX console web application
            </description>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>JBossAdmin</role-name>
        </auth-constraint>
    </security-constraint>

Do not leave the two http-method elements in place. A constraint that lists methods is enforced only for those methods, so a HEAD, PUT, DELETE, OPTIONS or made-up verb reaches the HtmlAdaptor servlet without a login; this is the JMX console verb-tampering bypass, CVE-2010-0738. Delete both http-method lines and the constraint applies to every request regardless of method.
5. The location and names of the users and roles files are set by the jmx-console application policy in $JBOSS_HOME/server/all/conf/login-config.xml; edit that policy to move or rename them. The paths are loaded as classpath resources (the conf directory is on the server classpath, hence props/...). The shipped entry looks like this:

    <application-policy name="jmx-console">
        <authentication>
            <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                          flag="required">
                <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
                <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
            </login-module>
        </authentication>
    </application-policy>

The web console security domain used in step 6 is backed by a separate application-policy named web-console in the same file. Check which properties files it references: in some releases it uses its own web-console-users.properties and web-console-roles.properties inside web-console.war/WEB-INF/classes rather than the jmx-console files, in which case the user and role from steps 1 and 2 must be added there as well.
6. Edit $JBOSS_HOME/server/all/deploy/management/console-mgr.sar/web-console.war/WEB-INF/jboss-web.xml and uncomment the security-domain element, as shown below. The depends element is already active in the shipped file and must stay.

    <jboss-web>
        <security-domain>java:/jaas/web-console</security-domain>
        <depends>jboss.admin:service=PluginManager</depends>
    </jboss-web>
7. Edit $JBOSS_HOME/server/all/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml and uncomment the security constraint, as shown below (the shipped description text still talks about the JMX console; it is a copy of the jmx-console constraint and is harmless).

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>HtmlAdaptor</web-resource-name>
            <description>
                An example security config that only allows
                users with the role JBossAdmin to access the
                HTML JMX console web application
            </description>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>JBossAdmin</role-name>
        </auth-constraint>
    </security-constraint>

The same method caveat applies here: with GET and POST enumerated, any other HTTP verb bypasses the constraint. Remove both http-method elements so it covers all methods.
8. Restart JBoss. Then verify from another host that both http://host:8080/jmx-console/ and http://host:8080/web-console/ answer 401 to a plain GET, to a HEAD (curl -I) and to a made-up verb (curl -X FOO), and that the account created in step 1 is accepted. If the HEAD or FOO request returns the console page, the http-method elements are still in web.xml.
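To check that the edits above actually took effect on a console war without clicking through it, here is an added audit script. It is my own example, not part of the original post and not JBoss code. It parses a console's WEB-INF/jboss-web.xml and web.xml together with the users properties file and reports the states a reviewer cares about: security-domain still inside the shipped comment, no active constraint covering /*, a constraint that enumerates HTTP methods (the GET/POST bypass), and the default admin/admin account still present. The sample files it runs against are constructed inline in the shape JBoss ships; every function and variable name is my own. To audit a real server, pass the contents of the three files to audit_console.

```python
# Added example: audit a JBoss AS 4.x/5.x console war for the hardening steps
# above. Not JBoss project code; names and sample files are this example's own.
import xml.etree.ElementTree as ET

# Account JBoss ships in conf/props/jmx-console-users.properties.
DEFAULT_CREDENTIALS = {"admin": "admin"}

def _local(tag):
    """Strip a namespace: '{http://java.sun.com/xml/ns/j2ee}web-app' -> 'web-app'."""
    return tag.rsplit("}", 1)[-1]

def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def security_domain(jboss_web_xml):
    """Active <security-domain> JNDI name, or None. ElementTree drops XML comments,
    so a domain still inside the shipped <!-- --> block is reported as absent."""
    root = ET.fromstring(jboss_web_xml)
    for sd in _children(root, "security-domain"):
        if sd.text and sd.text.strip():
            return sd.text.strip()
    return None

def security_constraints(web_xml):
    """One dict per active <security-constraint>: url patterns, enumerated HTTP
    methods (empty list means the constraint covers every method) and roles."""
    root = ET.fromstring(web_xml)
    found = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns, methods, roles = [], [], []
        for wrc in _children(sc, "web-resource-collection"):
            patterns += [e.text.strip() for e in _children(wrc, "url-pattern") if e.text]
            methods += [e.text.strip().upper() for e in _children(wrc, "http-method") if e.text]
        for ac in _children(sc, "auth-constraint"):
            roles += [e.text.strip() for e in _children(ac, "role-name") if e.text]
        found.append({"patterns": patterns, "methods": methods, "roles": roles})
    return found

def parse_properties(text):
    """Minimal reader for the user=password and user=role properties files."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            entries[key.strip()] = value.strip()
    return entries

def audit_console(jboss_web_xml, web_xml, users_properties):
    """Return a list of findings; an empty list means the console is hardened."""
    findings = []
    if security_domain(jboss_web_xml) is None:
        findings.append("jboss-web.xml: security-domain missing or still commented out; "
                        "no login module is applied and the console is anonymous")
    covering = [c for c in security_constraints(web_xml)
                if "/*" in c["patterns"] and c["roles"]]
    if not covering:
        findings.append("web.xml: no active security-constraint with an auth-constraint "
                        "covers /*; the container never asks for credentials")
    for c in covering:
        if c["methods"]:  # listing methods leaves every other verb unauthenticated
            findings.append("web.xml: constraint lists only %s; other verbs (HEAD, PUT, DELETE, "
                            "arbitrary) bypass it (CVE-2010-0738); remove the http-method "
                            "elements" % ",".join(c["methods"]))
    for user, password in parse_properties(users_properties).items():
        if DEFAULT_CREDENTIALS.get(user) == password:
            findings.append("users.properties: default account %s/%s still present" % (user, password))
    return findings

# Constructed sample files in the shape JBoss ships (not copied from a server).
def sample_jboss_web(commented):
    """jboss-web.xml as shipped (domain inside a comment) or as edited in step 3."""
    sd = "   <security-domain>java:/jaas/jmx-console</security-domain>\n"
    return "<jboss-web>\n" + ("   <!--\n" + sd + "   -->\n" if commented else sd) + "</jboss-web>\n"

def sample_web_xml(methods, commented=False):
    """JBoss-5-style (namespaced) web.xml with one /* constraint for JBossAdmin."""
    method_xml = "".join("      <http-method>%s</http-method>\n" % m for m in methods)
    constraint = ("  <security-constraint>\n    <web-resource-collection>\n"
                  "      <web-resource-name>HtmlAdaptor</web-resource-name>\n"
                  "      <url-pattern>/*</url-pattern>\n" + method_xml +
                  "    </web-resource-collection>\n    <auth-constraint>\n"
                  "      <role-name>JBossAdmin</role-name>\n    </auth-constraint>\n"
                  "  </security-constraint>\n")
    if commented:
        constraint = "  <!--\n" + constraint + "  -->\n"
    return '<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">\n' + constraint + "</web-app>\n"

if __name__ == "__main__":
    print("as installed:", audit_console(sample_jboss_web(True), sample_web_xml(["GET", "POST"], True), "admin=admin\n"))
    print("as on this page:", audit_console(sample_jboss_web(False), sample_web_xml(["GET", "POST"]), "sysadmin=Password007\n"))
    print("http-method removed:", audit_console(sample_jboss_web(False), sample_web_xml([]), "sysadmin=Password007\n"))
```

The three runs at the bottom show the progression: the shipped war produces three findings, the war edited exactly as this page describes still produces the verb-tampering finding, and only the version with the http-method elements removed comes back clean. Because ElementTree discards comments, "still commented out" and "deleted" look the same to the audit, which is the right result: both leave the console unprotected.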