Securing JBoss JMX Console

The below post illustrates the details steps to protect the JMX Console in JBoss.

The JMX Console is the JBoss Management Console which provides a raw view of the JMX MBeans which make up the server. They can provide a lot of information about the running server and allow you to modify its configuration, start and stop components and so on.

By default the JMX console is not username / password protected. Hence anybody can access the console by running the below URL.

http://<Host>:<Port>/jmx-console

However it is of paramount importance that we secure the JMX Console.

Steps to do so: –

1. Create a user in the default JAAS security domain

a. Edit the file $JBOSS_HOME/server/$PROFILE/conf/props/jmx-console-users.properties.

b. Create a usernamepassword pair.

For Example:  anand=anand123

Note: By default it contains an entry for admin=admin which is the default username/password combination. However using the same combination is not encouraged.

2. Grant permissions to user

a. Edit the file $JBOSS_HOME/server/$PROFILE/conf/props/jmx-console-roles.properties.

b. Create an entry for the user of the form:

username=JBossAdmin,HttpInvoker

For Ex: anand= JBossAdmin,HttpInvoker

 

JBossAdmin  : Grant the user permission to access the JMX Console and Admin Console.

HttpInvoker: Grant the user permission to access the httpinvoker

 

3: Define the <security-constraint> for jmx-console.war

a. Edit the web.xml file under the  $JBOSS_HOME/server/$PROFILE/deploy/jmx-console.war/WEB-INF folder.

Make sure that the below entry in uncommented in the web.xml file.

 

<security-constraint>

<web-resource-collection>

<web-resource-name>HtmlAdaptor</web-resource-name>

<description>An example security config that only allows users with the

role JBossAdmin to access the HTML JMX console web application

</description>

<url-pattern>/*</url-pattern>

<http-method>GET</http-method>

<http-method>POST</http-method>

</web-resource-collection>

<auth-constraint>

<role-name>JBossAdmin</role-name>

</auth-constraint>

</security-constraint>

 

b. Define the User Roles who can access the application.

 

<security-role>

<role-name>JBossAdmin</role-name>

</security-role>

 

4. Define  JBoss Security Domain.

a. Edit the jboss-web.xml  file under the  $JBOSS_HOME/server/$PROFILE/deploy/jmx-console.war/WEB- INF folder

Make sure you specify a security Domain in the jboss-web.xml file.

 

<jboss-web>

<security-domain>java:/jaas/jmx-console</security-domain>

</jboss-web>

 

This complete your configuration settings.

5: Test the setup.

a.  Access the application as below

http://<host>:<port>/jmx-console

Now you will observe that there is a Basic Authentication Window which prompts for the username / password                  combination.

Note: Similarly, we can protect the web-console as well.

Further reading:

http://docs.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/5/html/Installation_Guide/Post_Installation_Configuration.html#id3772309

 

Cheers,

Wonders Team.:)

Leave a Reply