This post walks through the steps needed to protect the JMX Console in JBoss.
The JMX Console is the JBoss Management Console. It provides a raw view of the JMX MBeans that make up the server: they expose a lot of information about the running server and let you modify its configuration, start and stop components, deploy applications and so on.
By default the JMX Console is not username/password protected, so anybody who can reach the server's HTTP port can open the console URL in a browser and use it. Because the exposed MBeans include the deployer, that is not just an information leak: an unauthenticated visitor can deploy code onto the server.
Securing the JMX Console is therefore essential.
Steps to do so:
1. Create a user in the default JAAS security domain
a. Edit the file $JBOSS_HOME/server/$PROFILE/conf/props/jmx-console-users.properties.
b. Add a username=password pair.
For example: anand=anand123
Note: by default the file contains admin=admin, the shipped username/password combination. Remove or change that entry rather than reusing it. The passwords in this file are stored in clear text, so also make sure the file is readable only by the account JBoss runs as.
2. Grant permissions to user
a. Edit the file $JBOSS_HOME/server/$PROFILE/conf/props/jmx-console-roles.properties.
b. Add an entry for the user of the form username=role1,role2:
For example: anand=JBossAdmin,HttpInvoker
JBossAdmin: grants the user access to the JMX Console and the Admin Console.
HttpInvoker: grants the user access to the HTTP invoker. Only add this role if the user actually needs it.
3. Define the <security-constraint> for jmx-console.war
a. Edit the web.xml file under the $JBOSS_HOME/server/$PROFILE/deploy/jmx-console.war/WEB-INF folder.
Make sure the entry below is uncommented in web.xml (it ships commented out):
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>HtmlAdaptor</web-resource-name>
        <description>An example security config that only allows users with the role JBossAdmin to access the HTML JMX console web application</description>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>JBossAdmin</role-name>
      </auth-constraint>
    </security-constraint>
Note: listing <http-method>GET</http-method> and <http-method>POST</http-method> restricts only those two verbs. A request using any other method (HEAD, PUT, DELETE, OPTIONS, ...) is not covered by the constraint and reaches the console servlet unauthenticated; this is the verb-tampering bypass published as CVE-2010-0738. Remove the two <http-method> lines so the constraint applies to every method.
b. Declare the role that may access the application:
    <security-role>
      <role-name>JBossAdmin</role-name>
    </security-role>
4. Define JBoss Security Domain.
a. Edit the jboss-web.xml file under the $JBOSS_HOME/server/$PROFILE/deploy/jmx-console.war/WEB-INF folder.
Make sure a security domain is specified in jboss-web.xml:
    <jboss-web>
      <security-domain>java:/jaas/jmx-console</security-domain>
    </jboss-web>
The jmx-console domain is defined in $JBOSS_HOME/server/$PROFILE/conf/login-config.xml and points at the two properties files edited in steps 1 and 2; that is what ties the web.xml constraint to the users and roles you created.
This completes the configuration. Restart JBoss (or redeploy jmx-console.war) so that the changes take effect.
5. Test the setup.
a. Open the console URL in a browser again.
You will now see a Basic Authentication prompt asking for the username/password combination. Also confirm that requests using other HTTP methods (for example a HEAD request sent with curl -I) are rejected without credentials, otherwise the <http-method> restriction from step 3 is still in place.
Note: the web-console (web-console.war) can be protected in the same way.
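The following script is an added example, not code from the original post or from JBoss. It audits the four files touched in steps 1 to 4 and reports what is still at the insecure default: a commented-out or verb-limited <security-constraint>, a missing <security-domain>, the shipped admin=admin entry, and users who were never mapped to JBossAdmin. The file contents it checks are constructed inline so that it runs offline; the three web.xml variants are the shipped default, the constraint exactly as shown in step 3, and the same constraint with the <http-method> lines removed.

```python
"""Audit the JMX Console settings from the steps above.  Added example, not code from
the original post or from JBoss; every sample file below is constructed for the demo."""
import xml.etree.ElementTree as ET

# ---- constructed sample files (default, as-in-the-post, and hardened variants) ----
CONSTRAINT = """
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      {methods}
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>JBossAdmin</role-name></security-role>
"""
GET_POST = "<http-method>GET</http-method><http-method>POST</http-method>"
WEB_APP = '<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">%s</web-app>'
WEB_XML_DEFAULT = WEB_APP % ("<!--%s-->" % CONSTRAINT.format(methods=GET_POST))  # ships commented out
WEB_XML_GET_POST = WEB_APP % CONSTRAINT.format(methods=GET_POST)  # as shown in step 3
WEB_XML_HARDENED = WEB_APP % CONSTRAINT.format(methods="")  # constraint covers every verb
JBOSS_WEB_XML = "<jboss-web><security-domain>java:/jaas/jmx-console</security-domain></jboss-web>"
USERS_DEFAULT = "# shipped jmx-console-users.properties\nadmin=admin\n"
USERS_FIXED = "anand=anand123\n"
ROLES = "admin=JBossAdmin\nanand=JBossAdmin,HttpInvoker\n"

def _local(tag):
    """Drop the XML namespace so web.xml parses the same with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def _texts(elem, name):
    """Stripped text of every descendant element called `name`."""
    return [e.text.strip() for e in elem.iter() if _local(e.tag) == name and e.text]

def audit_web_xml(text):
    """Findings for the <security-constraint> (step 3).  ElementTree drops XML
    comments, so a constraint that is still commented out is reported as absent."""
    root = ET.fromstring(text)
    constraints = [e for e in root.iter() if _local(e.tag) == "security-constraint"]
    if not constraints:
        return ["web.xml: no active <security-constraint>; the console is unauthenticated"]
    findings = []
    for sc in constraints:
        if "/*" not in _texts(sc, "url-pattern"):
            findings.append("web.xml: constraint does not cover /*")
        methods = _texts(sc, "http-method")
        if methods:  # CVE-2010-0738: verbs not listed here skip authentication entirely
            findings.append("web.xml: constraint limited to %s; other verbs (HEAD, PUT, ...) "
                            "bypass it, remove the <http-method> elements" % ",".join(methods))
        if not _texts(sc, "role-name"):
            findings.append("web.xml: constraint has no <auth-constraint> role")
    return findings

def audit_jboss_web_xml(text):
    """Findings for the <security-domain> (step 4)."""
    if not _texts(ET.fromstring(text), "security-domain"):
        return ["jboss-web.xml: no <security-domain>; nothing authenticates the constraint"]
    return []

def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, # and ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        sep = "=" if "=" in line else ":" if ":" in line else None
        if sep:
            key, value = line.split(sep, 1)
            props[key.strip()] = value.strip()
    return props

def audit_credentials(users_text, roles_text, required_role="JBossAdmin"):
    """Findings for the users and roles files (steps 1 and 2)."""
    users, roles = parse_properties(users_text), parse_properties(roles_text)
    findings = [] if users else ["users file: no users defined"]
    for user, password in users.items():
        if password in ("", user, "admin", "password"):  # shipped or trivial credentials
            findings.append("users file: %s has an empty or default password" % user)
        if required_role not in [r.strip() for r in roles.get(user, "").split(",")]:
            findings.append("roles file: %s lacks role %s and cannot log in" % (user, required_role))
    return findings

def audit_console(web_xml, jboss_web, users, roles):
    """All checks together; pass the contents of the four files from the post."""
    return audit_web_xml(web_xml) + audit_jboss_web_xml(jboss_web) + audit_credentials(users, roles)

if __name__ == "__main__":
    for label, web_xml, users in (("shipped default", WEB_XML_DEFAULT, USERS_DEFAULT),
                                  ("steps 1-4 as written", WEB_XML_GET_POST, USERS_FIXED),
                                  ("without <http-method>", WEB_XML_HARDENED, USERS_FIXED)):
        findings = audit_console(web_xml, JBOSS_WEB_XML, users, ROLES)
        print("%s: %s" % (label, "clean" if not findings else "%d finding(s)" % len(findings)))
        for finding in findings:
            print("  - " + finding)
```

To run it against a real server, read web.xml and jboss-web.xml from $JBOSS_HOME/server/$PROFILE/deploy/jmx-console.war/WEB-INF and the two properties files from $JBOSS_HOME/server/$PROFILE/conf/props, then pass their contents to audit_console(). Only the "without <http-method>" variant comes back clean: the configuration exactly as written in step 3 still flags the GET/POST restriction.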