JBoss Security Archive

Securing JBoss JMX Console

The post below walks through the steps needed to protect the JMX Console in JBoss.

The JMX Console is the JBoss management console: it gives a raw view of the JMX MBeans that make up the server. These MBeans reveal a great deal about the running server and let a caller modify its configuration, start and stop components, and so on.

By default the JMX Console is not protected by a username and password, so anyone who can reach the server can open it at

http://<Host>:<Port>/jmx-console

Because the console lets a caller reconfigure the server and start and stop its components, securing it is essential.

Steps to do so:

1. Create a user in the default JAAS security domain

The jmx-console security domain is declared in $JBOSS_HOME/server/$PROFILE/conf/login-config.xml and uses the UsersRolesLoginModule, which reads the two properties files edited in steps 1 and 2.

a. Edit the file $JBOSS_HOME/server/$PROFILE/conf/props/jmx-console-users.properties.

b. Add a username=password pair, one per line.

For example: anand=anand123

Note: By default the file contains the entry admin=admin, the well-known default combination. Do not keep it: remove or change that entry and choose a strong password. Passwords in this file are stored in clear text, so restrict its permissions to the account that runs JBoss.

2. Grant roles to the user

a. Edit the file $JBOSS_HOME/server/$PROFILE/conf/props/jmx-console-roles.properties.

b. Add an entry for the user of the form:

username=JBossAdmin,HttpInvoker

For example: anand=JBossAdmin,HttpInvoker

JBossAdmin: the role the web.xml constraint in step 3 requires; it grants access to the JMX Console (and to the Admin Console).

HttpInvoker: grants access to the HTTP invoker (deploy/http-invoker.sar), which reaches the same MBeans over HTTP. Give it only to users who actually need to call the invoker.

3. Define the <security-constraint> for jmx-console.war

a. Edit the web.xml file under the $JBOSS_HOME/server/$PROFILE/deploy/jmx-console.war/WEB-INF folder.

Make sure that the entry below is present and not wrapped in an XML comment.

<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <description>An example security config that only allows users with the
      role JBossAdmin to access the HTML JMX console web application
    </description>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>

Caveat: the two <http-method> elements limit the constraint to GET and POST. The container then lets every other verb (HEAD, OPTIONS, PUT and so on) through without authentication, and a HEAD request is served by the same code path as GET, which is the verb-tampering bypass of CVE-2010-0738. Delete the two <http-method> lines so that the constraint covers every method.

b. Declare the role that the constraint references:

<security-role>
  <role-name>JBossAdmin</role-name>
</security-role>

Also check that web.xml still carries a <login-config> with <auth-method>BASIC</auth-method>; without a login-config the container never asks for credentials and the constraint simply denies every request.

4. Define the JBoss security domain

a. Edit the jboss-web.xml file under the $JBOSS_HOME/server/$PROFILE/deploy/jmx-console.war/WEB-INF folder.

Make sure it binds the application to the jmx-console security domain, i.e. the application-policy of that name in conf/login-config.xml:

<jboss-web>
  <security-domain>java:/jaas/jmx-console</security-domain>
</jboss-web>

This completes the configuration. Restart the server (or redeploy jmx-console.war) so that the changes take effect.

5. Test the setup

a. Open the console in a browser:

http://<host>:<port>/jmx-console

You should now see a Basic Authentication prompt for the username and password, and only the user created in step 1 (holding the JBossAdmin role) should get in.

b. Check that the constraint also covers other HTTP verbs, for example with curl -I (a HEAD request) against the same URL: the answer must be 401 Unauthorized, not 200. A 200 means the <http-method> elements from step 3 are still limiting the constraint to GET and POST.
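The five steps above, carried out and checked from the shell. This is an added example and not code from the original post: the function names, the sample user anand/anand123, the temporary directory layout and the constructed web.xml and jboss-web.xml are assumptions. Against a real profile, point add_jmx_user at $JBOSS_HOME/server/$PROFILE/conf/props and the two check functions at the files under jmx-console.war/WEB-INF; probe_jmx_console needs a running server and is therefore not called in the offline demo.

```sh
#!/bin/sh
# Added example, not from the original post. Function names, the sample user
# and the constructed profile files below are assumptions.

# Strip <!-- ... --> spans (single- or multi-line) so a commented-out
# <security-constraint> is not mistaken for an active one.
strip_xml_comments() {
    awk '{
        line = $0; out = ""
        while (length(line) > 0) {
            if (in_comment) {
                i = index(line, "-->")
                if (i == 0) { line = ""; break }
                line = substr(line, i + 3); in_comment = 0
            } else {
                i = index(line, "<!--")
                if (i == 0) { out = out line; line = ""; break }
                out = out substr(line, 1, i - 1)
                line = substr(line, i + 4); in_comment = 1
            }
        }
        print out
    }' "$1"
}

# Steps 1 and 2: append user=password to jmx-console-users.properties and
# user=role[,role] to jmx-console-roles.properties in the given conf/props
# directory. Refuses the shipped admin/admin pair; skips users already present.
add_jmx_user() {
    dir=$1; user=$2; pass=$3; roles=$4
    if [ "$user" = admin ] && [ "$pass" = admin ]; then
        echo "refusing the default admin/admin credentials" >&2; return 1
    fi
    for kind in users roles; do
        if [ "$kind" = users ]; then value=$pass; else value=$roles; fi
        file="$dir/jmx-console-$kind.properties"
        grep -q -- "^$user=" "$file" 2>/dev/null || printf '%s=%s\n' "$user" "$value" >> "$file"
    done
}

# Step 3: the constraint must be active (outside comments) and carry no
# <http-method> elements; a GET/POST-only constraint leaves HEAD and other
# verbs unauthenticated (CVE-2010-0738). Returns 0 = ok, 1 = missing or
# commented out, 2 = limited to listed methods.
check_constraint() {
    active=$(strip_xml_comments "$1")
    case "$active" in
        *"<security-constraint>"*) ;;
        *) echo "$1: security-constraint missing or commented out" >&2; return 1 ;;
    esac
    case "$active" in
        *"<http-method>"*) echo "$1: remove <http-method> elements so every verb is covered" >&2; return 2 ;;
    esac
    return 0
}

# Step 4: jboss-web.xml must bind the war to the jmx-console security domain.
check_security_domain() {
    active=$(strip_xml_comments "$1")
    case "$active" in
        *"<security-domain>java:/jaas/jmx-console</security-domain>"*) return 0 ;;
        *) echo "$1: no jmx-console security-domain" >&2; return 1 ;;
    esac
}

# Step 5: probe a running server. Expected: 401 for both unauthenticated
# requests (HEAD included), 200 for the authenticated GET.
probe_jmx_console() {   # probe_jmx_console host:port user password
    url="http://$1/jmx-console/"
    printf 'GET  unauthenticated: '; curl -s -o /dev/null -w '%{http_code}\n' "$url"
    printf 'HEAD unauthenticated: '; curl -s -o /dev/null -w '%{http_code}\n' -I "$url"
    printf 'GET  as %s: ' "$2";      curl -s -o /dev/null -w '%{http_code}\n' -u "$2:$3" "$url"
}

# Offline demo against a constructed profile directory; web.xml is written in
# the GET/POST-only shape shown in the post, so check_constraint reports 2.
demo() {
    tmp=$(mktemp -d); mkdir -p "$tmp/conf/props" "$tmp/WEB-INF"
    add_jmx_user "$tmp/conf/props" anand anand123 JBossAdmin,HttpInvoker
    cat > "$tmp/WEB-INF/web.xml" <<'EOF'
<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
</web-app>
EOF
    printf '<jboss-web>\n  <security-domain>java:/jaas/jmx-console</security-domain>\n</jboss-web>\n' \
        > "$tmp/WEB-INF/jboss-web.xml"
    check_constraint "$tmp/WEB-INF/web.xml" || echo "web.xml needs fixing (rc=$?)"
    check_security_domain "$tmp/WEB-INF/jboss-web.xml" && echo "jboss-web.xml ok"
    rm -rf "$tmp"
}
demo
```

The comment stripper is deliberate: the shipped web.xml keeps the constraint inside an XML comment, so a plain grep for <security-constraint> would report it as active. check_constraint returning 2 on the post's own sample is the point of step 3's caveat; once the two <http-method> lines are removed it returns 0.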

Note: The web-console (deploy/management/console-mgr.sar/web-console.war) can be protected the same way through its own web.xml and jboss-web.xml. The HTTP invoker under deploy/http-invoker.sar exposes the same MBeans and is not covered by the jmx-console.war constraint, so it must be secured separately.

Further reading:

http://docs.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/5/html/Installation_Guide/Post_Installation_Configuration.html#id3772309

Cheers,

Wonders Team :)