{"id":813,"date":"2009-04-29T10:15:08","date_gmt":"2009-04-29T15:15:08","guid":{"rendered":"http:\/\/jianmingli.com\/wp\/?p=813"},"modified":"2011-06-21T09:52:19","modified_gmt":"2011-06-21T14:52:19","slug":"secure-jboss-jmx-and-web-consoles","status":"publish","type":"post","link":"https:\/\/jianmingli.com\/wp\/?p=813","title":{"rendered":"Secure JBoss 4.x JMX and Web Consoles"},"content":{"rendered":"

JBoss 4.x JMX and Web Consoles default to security disabled. See here<\/a> for details on how to enable security.<\/p>\n

Here is the gist of it.<\/p>\n

Secure JMX Console<\/h3><\/span>\n

Edit $JBOSS_HOME\/server\/default\/deploy\/jmx-console.war\/WEB-INF\/web.xml <\/strong>
\n* Uncomment the security-constraint block;<\/p>\n

\r\n   \r\n     \r\n       HtmlAdaptor<\/web-resource-name>\r\n       An example security config that only allows users with the\r\n         role JBossAdmin to access the HTML JMX console web application\r\n       <\/description>\r\n       \/*<\/url-pattern>\r\n       GET<\/http-method>\r\n       POST<\/http-method>\r\n     <\/web-resource-collection>\r\n     \r\n       JBossAdmin<\/role-name>\r\n     <\/auth-constraint>\r\n   <\/security-constraint>\r\n\r\n   \r\n      BASIC<\/auth-method>\r\n      JBoss JMX Console<\/realm-name>\r\n   <\/login-config>\r\n\r\n   \r\n      JBossAdmin<\/role-name>\r\n   <\/security-role>\r\n<\/pre>\n
Edit $JBOSS_HOME\/server\/default\/deploy\/jmx-console.war\/WEB-INF\/jboss-web.xml<\/strong>
\n* Uncomment the security-domain block;
\n* Make sure the JNDI name maps to the realm name (i.e. jmx-console)<\/p>\n
java:\/jaas\/jmx-console<\/security-domain><\/pre>\n
* jmx-console realm is defined in $JBOSS_HOME\/server\/default\/conf\/login-config.xml file:<\/p>\n
\r\n    \r\n       \r\n          \r\n           props\/jmx-console-users.properties<\/module-option>\r\n           props\/jmx-console-roles.properties<\/module-option>\r\n          <\/login-module>\r\n       <\/authentication>\r\n    <\/application-policy>\r\n<\/pre>\n
Edit $JBOSS_HOME\/server\/default\/conf\/props\/jmx-console-users.properties<\/strong>
\n* Change the password for admin<\/p>\n
admin=secret<\/pre>\n
Enable JMX Console HTTPS<\/strong>
\n* Add to $JBOSS_HOME\/server\/default\/deploy\/jmx-console.war\/WEB-INF\/web.xml as last element of secrity-constraint:<\/p>\n
\r\n  \r\n    CONFIDENTIAL<\/transport-guarantee>\r\n  <\/user-data-constraint>\r\n<\/security-constraint><\/pre>\n
* Generate a self signed Java key store in the $JBOSS_HOME\/server\/default\/conf directory:<\/p>\n
keytool.exe -genkey -alias tomcat -keyalg RSA -storepass changeit -keypass changeit -dname \"cn=localhost\" -keystore tomcat.keystore<\/pre>\n
* Modify $JBOSS_HOME\/server\/default\/deploy\/jboss-web.deployer\/server.xml file as shown below:<\/p>\n
\r\n\r\n<\/pre>\n
* Use https:\/\/localhost:8443\/jmx-console\/<\/p>\n
Restart JBoss<\/strong><\/p>\n
Secure Web Console<\/h3><\/span>\n
Securing JBoss web console is similar to securing JMX console. You need to edit web.xml and jboss-web.xml files in the $JBOSS_HOME\/server\/default\/deploy\/management\/console-mgr.sar\/web-console.war\/WEB-INF directory.<\/p>\n
Edit $JBOSS_HOME\/server\/default\/deploy\/management\/console-mgr.sar\/web-console.war\/WEB-INF\/web.xml<\/strong>
\n* Uncomment the security-constraint block;<\/p>\n
   \r\n   \r\n   HtmlAdaptor<\/web-resource-name>\r\n   An example security config that only allows users with the\r\n   role JBossAdmin to access the HTML JMX console web application\r\n   <\/description>\r\n   \/*<\/url-pattern>\r\n   GET<\/http-method>\r\n   POST<\/http-method>\r\n   <\/web-resource-collection>\r\n   \r\n   JBossAdmin<\/role-name>\r\n   <\/auth-constraint>\r\n   <\/security-constraint>\r\n\r\n   \r\n      BASIC<\/auth-method>\r\n      JBoss WEB Console<\/realm-name>\r\n   <\/login-config>\r\n\r\n   \r\n      JBossAdmin<\/role-name>\r\n   <\/security-role><\/pre>\n
Edit JBOSS_HOME\/server\/default\/deploy\/management\/console-mgr.sar\/web-console.war\/WEB-INF\/jboss-web.xml<\/strong>
\n* Uncomment the security-domain block;
\n* Make sure the JNDI name maps to the realm name (i.e. web-console):<\/p>\n
java:\/jaas\/web-console<\/security-domain><\/pre>\n
* Use jmx-console realm if you want both the web console and jmx console use the same security realm:<\/p>\n
java:\/jaas\/jmx-console<\/security-domain><\/pre>\n
* web-console realm is defined in $JBOSS_HOME\/server\/default\/conf\/login-config.xml file. Edit login-config.xml and adjust the path for usersProperties and rolesProperties prefixing values with props\/<\/em> path.<\/p>\n
\r\n    \r\n       \r\n          \r\n             props\/web-console-users.properties<\/module-option>\r\n             props\/web-console-roles.properties<\/module-option>\r\n          <\/login-module>\r\n       <\/authentication>\r\n    <\/application-policy>\r\n<\/pre>\n
If using web-console realm<\/strong>
\n* Create $JBOSS_HOME\/server\/default\/conf\/props\/web-console-users.properties file:<\/p>\n
admin=secret<\/pre>\n
*reate $JBOSS_HOME\/server\/default\/conf\/props\/web-console-roles.properties file:<\/p>\n
admin=JBossAdmin,HttpInvoker<\/pre>\n
Enable Web Console HTTPS<\/strong>
\n* Add to $JBOSS_HOME\/server\/default\/deploy\/management\/console-mgr.sar\/web-console.war\/WEB-INF\/web.xml as last element of secrity-constraint:<\/p>\n
\r\n  \r\n    CONFIDENTIAL<\/transport-guarantee>\r\n  <\/user-data-constraint>\r\n<\/security-constraint><\/pre>\n
* If not done, generate a self signed Java key store in the $JBOSS_HOME\/server\/default\/conf directory:<\/p>\n
keytool.exe -genkey -alias tomcat -keyalg RSA -storepass changeit -keypass changeit -dname \"cn=localhost\" -keystore tomcat.keystore<\/pre>\n
* If not done, Modify $JBOSS_HOME\/server\/default\/deploy\/jboss-web.deployer\/server.xml file as shown below:<\/p>\n
\r\n\r\n<\/pre>\n
* Use https:\/\/localhost:8443\/web-console\/<\/p>\n
Restart JBoss<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"
JBoss 4.x JMX and Web Consoles default to security disabled. See here for details on how to enable security. Here is the gist of it. Secure JMX Console Edit $JBOSS_HOME\/server\/default\/deploy\/jmx-console.war\/WEB-INF\/web.xml * Uncomment the security-constraint block; HtmlAdaptor An example security config … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[30],"tags":[],"class_list":["post-813","post","type-post","status-publish","format-standard","hentry","category-jboss"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p8cRUO-d7","_links":{"self":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/813","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=813"}],"version-history":[{"count":15,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/813\/revisions"}],"predecessor-version":[{"id":2590,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/813\/revisions\/2590"}],"wp:attachment":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=813"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=813"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=813"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}