JBoss 4.x JMX and Web Consoles default to security disabled. See here for details on how to enable security.
Here is the gist of it.
Secure JMX Console
Edit $JBOSS_HOME/server/default/deploy/jmx-console.war/WEB-INF/web.xml
* Uncomment the security-constraint block:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <description>An example security config that only allows users with the role JBossAdmin to access the HTML JMX console web application</description>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>JBoss JMX Console</realm-name>
</login-config>
<security-role>
  <role-name>JBossAdmin</role-name>
</security-role>
Edit $JBOSS_HOME/server/default/deploy/jmx-console.war/WEB-INF/jboss-web.xml
* Uncomment the security-domain block:
* Make sure the last segment of the JNDI name matches the application-policy name in login-config.xml (i.e. jmx-console):
<security-domain>java:/jaas/jmx-console</security-domain>
* The jmx-console realm is defined in the $JBOSS_HOME/server/default/conf/login-config.xml file:
<application-policy name="jmx-console">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
      <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
      <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
    </login-module>
  </authentication>
</application-policy>
Edit $JBOSS_HOME/server/default/conf/props/jmx-console-users.properties
* Change the password for admin:
admin=secret
Enable JMX Console HTTPS
* Add to $JBOSS_HOME/server/default/deploy/jmx-console.war/WEB-INF/web.xml as the last element of security-constraint (i.e. just before its closing tag):
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
* Generate a self-signed Java key store in the $JBOSS_HOME/server/default/conf directory:
keytool.exe -genkey -alias tomcat -keyalg RSA -storepass changeit -keypass changeit -dname "cn=localhost" -keystore tomcat.keystore
* Modify the $JBOSS_HOME/server/default/deploy/jboss-web.deployer/server.xml file as shown below:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true" clientAuth="false"
           sslProtocol="TLS"
           keystoreFile="${jboss.server.home.dir}/conf/tomcat.keystore"
           keystorePass="changeit" />
* Use https://localhost:8443/jmx-console/
Restart JBoss
Secure Web Console
Securing the JBoss Web Console is similar to securing the JMX Console. You need to edit the web.xml and jboss-web.xml files in the $JBOSS_HOME/server/default/deploy/management/console-mgr.sar/web-console.war/WEB-INF directory.
Edit $JBOSS_HOME/server/default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml
* Uncomment the security-constraint block:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <description>An example security config that only allows users with the role JBossAdmin to access the HTML JMX console web application</description>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>JBoss WEB Console</realm-name>
</login-config>
<security-role>
  <role-name>JBossAdmin</role-name>
</security-role>
Edit $JBOSS_HOME/server/default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/jboss-web.xml
* Uncomment the security-domain block:
* Make sure the last segment of the JNDI name matches the application-policy name in login-config.xml (i.e. web-console):
<security-domain>java:/jaas/web-console</security-domain>
* Use the jmx-console realm instead if you want both the web console and the JMX console to use the same security realm:
<security-domain>java:/jaas/jmx-console</security-domain>
* The web-console realm is defined in the $JBOSS_HOME/server/default/conf/login-config.xml file. Edit login-config.xml and prefix the usersProperties and rolesProperties values with the props/ path:
<application-policy name="web-console">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
      <module-option name="usersProperties">props/web-console-users.properties</module-option>
      <module-option name="rolesProperties">props/web-console-roles.properties</module-option>
    </login-module>
  </authentication>
</application-policy>
If using the web-console realm:
* Create $JBOSS_HOME/server/default/conf/props/web-console-users.properties file:
admin=secret
* Create the $JBOSS_HOME/server/default/conf/props/web-console-roles.properties file:
admin=JBossAdmin,HttpInvoker
Enable Web Console HTTPS
* Add to $JBOSS_HOME/server/default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml as the last element of security-constraint (i.e. just before its closing tag):
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
* If not already done, generate a self-signed Java key store in the $JBOSS_HOME/server/default/conf directory:
keytool.exe -genkey -alias tomcat -keyalg RSA -storepass changeit -keypass changeit -dname "cn=localhost" -keystore tomcat.keystore
* If not already done, modify the $JBOSS_HOME/server/default/deploy/jboss-web.deployer/server.xml file as shown below:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true" clientAuth="false"
           sslProtocol="TLS"
           keystoreFile="${jboss.server.home.dir}/conf/tomcat.keystore"
           keystorePass="changeit" />
* Use https://localhost:8443/web-console/
Restart JBoss
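The JMX Console and Web Console procedures above edit the same three kinds of file (WEB-INF/web.xml, WEB-INF/jboss-web.xml and conf/props/*-users.properties) and are easy to leave half done, for example uncommenting the constraint but never adding the CONFIDENTIAL transport guarantee. The following audit script is an added example written for this page, not code from the page or from JBoss: it parses those files and reports which steps are still missing for either console. The sample documents and the placeholder password list at the bottom are constructed for the demonstration. The hardened sample goes one step beyond the page's own snippet by omitting the http-method elements, so that the constraint covers every HTTP verb rather than only GET and POST.

```python
# Added example (not from the original page): audit the files the JMX/Web Console
# hardening steps touch and report which steps are still missing. Samples at the
# bottom are constructed; PLACEHOLDER_PASSWORDS is a constructed list, not exhaustive.
import xml.etree.ElementTree as ET

PLACEHOLDER_PASSWORDS = ('admin', 'secret', 'changeit')  # constructed placeholder values


def _local(tag):
    """Strip a namespace prefix: '{urn:x}web-app' -> 'web-app'."""
    return tag.rsplit('}', 1)[-1]


def _find_all(root, name):
    """All elements under (and including) root whose local name is `name`."""
    return [el for el in root.iter() if _local(el.tag) == name]


def audit_web_xml(xml_text):
    """Findings for a console's WEB-INF/web.xml; an empty list means all steps applied."""
    root = ET.fromstring(xml_text)
    constraints = _find_all(root, 'security-constraint')
    if not constraints:  # still commented out: the parser drops comments, so it is absent
        return ['no security-constraint: the console is reachable without authentication']
    findings = []
    for sc in constraints:
        # With explicit http-method elements only the listed verbs are constrained
        # (Servlet 2.x semantics); omitting them makes the constraint cover every verb.
        if _find_all(sc, 'http-method'):
            findings.append('http-method list present: verbs not listed are not covered by the constraint')
        if not _find_all(sc, 'auth-constraint'):
            findings.append('no auth-constraint: no role is required to reach the console')
        guarantees = [g.text.strip() for g in _find_all(sc, 'transport-guarantee') if g.text]
        if 'CONFIDENTIAL' not in guarantees:
            findings.append('no CONFIDENTIAL transport-guarantee: BASIC credentials may travel over plain HTTP')
    if not _find_all(root, 'login-config'):
        findings.append('no login-config: no auth-method is declared for the constraint')
    return findings


def audit_jboss_web_xml(xml_text, realm):
    """Check that jboss-web.xml binds the war to java:/jaas/<realm>."""
    root = ET.fromstring(xml_text)
    domains = [d.text.strip() for d in _find_all(root, 'security-domain') if d.text]
    if not domains:
        return ['no security-domain: the constraint has no login module behind it']
    if 'java:/jaas/' + realm in domains:
        return []
    return ['security-domain %s does not map to realm %s' % (', '.join(domains), realm)]


def audit_users_properties(text):
    """Flag users whose password is empty, equals the user name, or is a placeholder."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#') or '=' not in line:
            continue
        user, password = [part.strip() for part in line.split('=', 1)]
        if password == '' or password == user or password in PLACEHOLDER_PASSWORDS:
            findings.append('user %s has an empty, default or placeholder password' % user)
    return findings


# Constructed samples: constraint still commented out, the page's first step
# (GET/POST only, no HTTPS), and the fully hardened form.
WEB_XML_DEFAULT = """<web-app>
  <servlet><servlet-name>HtmlAdaptor</servlet-name></servlet>
</web-app>"""

WEB_XML_PAGE_STEP = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>JBoss JMX Console</realm-name></login-config>
</web-app>"""

WEB_XML_HARDENED = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>JBoss JMX Console</realm-name></login-config>
</web-app>"""

JBOSS_WEB_XML = "<jboss-web><security-domain>java:/jaas/jmx-console</security-domain></jboss-web>"

if __name__ == '__main__':
    for label, doc in (('default', WEB_XML_DEFAULT), ('page step', WEB_XML_PAGE_STEP), ('hardened', WEB_XML_HARDENED)):
        print(label, audit_web_xml(doc) or ['ok'])
    print('jboss-web', audit_jboss_web_xml(JBOSS_WEB_XML, 'jmx-console') or ['ok'])
    print('users', audit_users_properties('admin=admin\n') or ['ok'])
```

To run it against a real server, read the three files from the paths given in the steps above and pass their contents to the three audit functions with the realm name you chose (jmx-console or web-console). Run it after every restart: the checks are cheap, and a redeploy of the console war from a stock distribution silently puts the commented-out web.xml back.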