[jboss-cvs] JBossAS SVN: r105239 - projects/docs/enterprise/trunk/EAP_5.0/JBoss_Security_Guide/en-US.

jboss-cvs-commits at lists.jboss.org jboss-cvs-commits at lists.jboss.org
Wed May 26 03:23:48 EDT 2010


Author: jaredmorgs
Date: 2010-05-26 03:23:48 -0400 (Wed, 26 May 2010)
New Revision: 105239

Modified:
   projects/docs/enterprise/trunk/EAP_5.0/JBoss_Security_Guide/en-US/Revision_History.xml
   projects/docs/enterprise/trunk/EAP_5.0/JBoss_Security_Guide/en-US/chap-Consoles_And_Invokers.xml
   projects/docs/enterprise/trunk/EAP_5.0/JBoss_Security_Guide/en-US/chap-Firewalls.xml
   projects/docs/enterprise/trunk/EAP_5.0/JBoss_Security_Guide/en-US/chap-Secure_Socket_Layer.xml
Log:
minor update before publishing the first draft for review

Modified: projects/docs/enterprise/trunk/EAP_5.0/JBoss_Security_Guide/en-US/Revision_History.xml
===================================================================
--- projects/docs/enterprise/trunk/EAP_5.0/JBoss_Security_Guide/en-US/Revision_History.xml	2010-05-26 06:10:45 UTC (rev 105238)
+++ projects/docs/enterprise/trunk/EAP_5.0/JBoss_Security_Guide/en-US/Revision_History.xml	2010-05-26 07:23:48 UTC (rev 105239)
@@ -6,8 +6,8 @@
   <simpara>
     <revhistory>
       <revision>
-        <revnumber> 0.3</revnumber>
-        <date>Wed May 19 2010</date>
+        <revnumber> 1.0</revnumber>
+        <date>Wed May 26 2010</date>
         <author>
           <firstname>Jared </firstname>
           <surname>Morgan </surname>
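
Review bot: In the first `<revision>` block, 0.3 is rewritten in place to 1.0 (`<revnumber> 0.3</revnumber>` becomes `<revnumber> 1.0</revnumber>`) instead of a new revision being added above it, so the 0.3 entry disappears from the history. Add 1.0 as its own `<revision>` and keep 0.3, and drop the leading space inside `<revnumber>` and the trailing spaces in `<firstname>` and `<surname>` while this block is being touched.
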
@@ -15,14 +15,10 @@
         </author>
         <revdescription>
           <simplelist>
-            <member>Updated Pubsnumber only for demo purposes.</member>
+            <member>Guide in proper format and layout, with editing performed on the guide. Ready for initial comment.</member>
           </simplelist>
         </revdescription>
       </revision>
-    </revhistory>
-  </simpara>
-  <simpara>
-    <revhistory>
       <revision>
         <revnumber> 0.2</revnumber>
         <date>Wed May 19 2010</date>
@@ -39,22 +35,4 @@
       </revision>
     </revhistory>
   </simpara>
-  <simpara>
-    <revhistory>
-      <revision>
-        <revnumber> 0.1</revnumber>
-        <date>Mon Feb 1 2010</date>
-        <author>
-          <firstname>Jared </firstname>
-          <surname>Morgan </surname>
-          <email>jmorgan at example.com</email>
-        </author>
-        <revdescription>
-          <simplelist>
-            <member>Chapter created for incorporation of Anil&apos;s blog posts.</member>
-          </simplelist>
-        </revdescription>
-      </revision>
-    </revhistory>
-  </simpara>
 </appendix>
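
Review bot: The `<simpara>` removed at the end of the appendix deletes revision 0.1 (Mon Feb 1 2010) outright, which is more than the commit log's "minor update" suggests. If the published history is meant to start at 0.2, say so in the log; otherwise move the 0.1 `<revision>` into the merged `<revhistory>`, as was done for 0.2.
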

Modified: projects/docs/enterprise/trunk/EAP_5.0/JBoss_Security_Guide/en-US/chap-Consoles_And_Invokers.xml
===================================================================
--- projects/docs/enterprise/trunk/EAP_5.0/JBoss_Security_Guide/en-US/chap-Consoles_And_Invokers.xml	2010-05-26 06:10:45 UTC (rev 105238)
+++ projects/docs/enterprise/trunk/EAP_5.0/JBoss_Security_Guide/en-US/chap-Consoles_And_Invokers.xml	2010-05-26 07:23:48 UTC (rev 105239)
@@ -8,28 +8,28 @@
   <para>
    JBoss comes with several admin access points that must be secured or removed to prevent unauthorized access to administrative functions in a deployment. This chapter discusses the various admin services and how to secure them.
   </para>
-  <section id="sect-The_JMX_Console">
-    <title>JMX Console</title>
+  <section id="How_to_Secure_the_JBoss_Server-The_Web_Console">
+    <title>Web Console</title>
     <para>
-    The <literal>jmx-console.war</literal> found in the deploy directory provides an html view into the JMX microkernel. As such, it provides access to arbitrary admin type access like shutting down the server, stopping services, deploying new services, etc. It should either be secured like any other web application, or removed.
+    The <literal>web-console.war</literal> found in the <filename>deploy/management</filename> directory is another web application view into the JMX microkernel. This uses a combination of an applet and a HTML view and provides the same level of access to admin functionality as the <filename>jmx-console.war</filename>. As such, it should either be secured or removed. The <filename>web-console.war</filename> contains commented out templates for basic security in its <filename>WEB-INF/web.xml</filename> as well as commented out setup for a security domain in <filename>WEB-INF/jboss-web.xml</filename>.
    </para>
   </section>
-  <section id="How_to_Secure_the_JBoss_Server-The_Web_Console">
-    <title>Web Console</title>
+  <section id="sect-The_JMX_Console">
+    <title>JMX Console</title>
     <para>
-    The <literal>web-console.war</literal> found in the <literal>deploy/management</literal> directory is another web application view into the JMX microkernel. This uses a combination of an applet and a HTML view and provides the same level of access to admin functionality as the <literal>jmx-console.war</literal>. As such, it should either be secured or removed. The <literal>web-console.war</literal> contains commented out templates for basic security in its <literal>WEB-INF/web.xml</literal> as well as commented out setup for a security domain in <literal>WEB-INF/jboss-web.xml</literal>.
+    The <filename>jmx-console.war</filename> found in the deploy directory provides an HTML view into the JMX microkernel. As such, it provides access to arbitrary admin type access like shutting down the server, stopping services, deploying new services, etc. It should either be secured like any other web application, or removed.
    </para>
   </section>
   <section id="How_to_Secure_the_JBoss_Server-The_HTTP_Invokers">
     <title>HTTP Invokers</title>
     <para>
-    The <literal>http-invoker.sar</literal> found in the deploy directory is a service that provides RMI/HTTP access for EJBs and the JNDI <literal>Naming</literal> service. This includes a servlet that processes posts of marshalled <literal>org.jboss.invocation.Invocation</literal> objects that represent invocations that should be dispatched onto the <literal>MBeanServer</literal>. Effectively this allows access to MBeans that support the detached invoker operation via HTTP since one could figure out how to format an appropriate HTTP post. To secure this access point you would must secure the <literal>JMXInvokerServlet</literal> servlet found in the <literal>http-invoker.sar/invoker.war/WEB-INF/web.xml</literal> descriptor. There is a secure mapping defined for the <literal>/restricted/JMXInvokerServlet</literal> path by default, one would simply have to remove the other paths and configure the <literal>http-invoker</literal> security domain setup in the <literal>http-invo!
 ker.sar/invoker.war/WEB-INF/jboss-web.xml</literal> descriptor.
+    The <filename>http-invoker.sar</filename> found in the deploy directory is a service that provides RMI/HTTP access for EJBs and the JNDI <literal>Naming</literal> service. This includes a servlet that processes posts of marshalled <literal>org.jboss.invocation.Invocation</literal> objects that represent invocations that should be dispatched onto the <literal>MBeanServer</literal>. Effectively this allows access to MBeans that support the detached invoker operation via HTTP since one could figure out how to format an appropriate HTTP post. To secure this access point you would must secure the <literal>JMXInvokerServlet</literal> servlet found in the <filename>http-invoker.sar/invoker.war/WEB-INF/web.xml</filename> descriptor. There is a secure mapping defined for the <filename>/restricted/JMXInvokerServlet</filename> path by default, one would simply have to remove the other paths and configure the <literal>http-invoker</literal> security domain setup in the <filename>ht!
 tp-invoker.sar/invoker.war/WEB-INF/jboss-web.xml</filename> descriptor.
    </para>
   </section>
   <section id="How_to_Secure_the_JBoss_Server-The_JMX_Invoker">
     <title>JMX Invoker</title>
     <para>
-    The <literal>jmx-invoker-adaptor-server.sar</literal> is a service that exposes the JMX MBeanServer interface via an RMI compatible interface using the RMI/JRMP detached invoker service. The only way for this service to be secured currently would be to switch the protocol to RMI/HTTP and secure the <literal>http-invoker.sar</literal> as described in the previous section. In the future this service will be deployed as an XMBean with a security interceptor that supports role based access checks.
+    The <filename>jmx-invoker-adaptor-server.sar</filename> is a service that exposes the JMX MBeanServer interface via an RMI compatible interface using the RMI/JRMP detached invoker service. The only way for this service to be secured currently would be to switch the protocol to RMI/HTTP and secure the <filename>http-invoker.sar</filename> as described in the previous section. In the future this service will be deployed as an XMBean with a security interceptor that supports role based access checks.
    </para>
   </section>
 </chapter>
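
Review bot: On the added HTTP Invokers line, "you would must secure" is carried over unchanged from the removed line and should read "you must secure"; since that sentence is the actual hardening instruction, it should also name which "other paths" are to be removed from the descriptor. `/restricted/JMXInvokerServlet` is a URL path rather than a file, so `<filename>` is the wrong tag there, and the first mention of `web-console.war` is still `<literal>` while the later mentions are `<filename>`. With the two sections swapped, the Web Console paragraph now refers to `jmx-console.war` before the JMX Console section has introduced it.
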

Modified: projects/docs/enterprise/trunk/EAP_5.0/JBoss_Security_Guide/en-US/chap-Firewalls.xml
===================================================================
--- projects/docs/enterprise/trunk/EAP_5.0/JBoss_Security_Guide/en-US/chap-Firewalls.xml	2010-05-26 06:10:45 UTC (rev 105238)
+++ projects/docs/enterprise/trunk/EAP_5.0/JBoss_Security_Guide/en-US/chap-Firewalls.xml	2010-05-26 07:23:48 UTC (rev 105239)
@@ -26,56 +26,56 @@
           <entry> 1098 </entry>
           <entry> TCP </entry>
           <entry>
-            <literal>org.jboss.naming.NamingService</literal>
+            <classname>org.jboss.naming.NamingService</classname>
           </entry>
         </row>
         <row>
           <entry> 1099 </entry>
           <entry> TCP </entry>
           <entry>
-            <literal>org.jboss.naming.NamingService</literal>
+            <classname>org.jboss.naming.NamingService</classname>
           </entry>
         </row>
         <row>
           <entry> 4444 </entry>
           <entry> TCP </entry>
           <entry>
-            <literal>org.jboss.invocation.jrmp.server.JRMPInvoker</literal>
+            <classname>org.jboss.invocation.jrmp.server.JRMPInvoker</classname>
           </entry>
         </row>
         <row>
           <entry> 4445 </entry>
           <entry> TCP </entry>
           <entry>
-            <literal>org.jboss.invocation.pooled.server.PooledInvoker</literal>
+            <classname>org.jboss.invocation.pooled.server.PooledInvoker</classname>
           </entry>
         </row>
         <row>
           <entry> 8009 </entry>
           <entry> TCP </entry>
           <entry>
-            <literal>org.jboss.web.tomcat.tc4.EmbeddedTomcatService</literal>
+            <classname>org.jboss.web.tomcat.tc4.EmbeddedTomcatService</classname>
           </entry>
         </row>
         <row>
           <entry> 8080 </entry>
           <entry> TCP </entry>
           <entry>
-            <literal>org.jboss.web.tomcat.tc4.EmbeddedTomcatService</literal>
+            <classname>org.jboss.web.tomcat.tc4.EmbeddedTomcatService</classname>
           </entry>
         </row>
         <row>
           <entry> 8083 </entry>
           <entry> TCP </entry>
           <entry>
-            <literal>org.jboss.web.WebService</literal>
+            <classname>org.jboss.web.WebService</classname>
           </entry>
         </row>
         <row>
           <entry> 8093 </entry>
           <entry> TCP </entry>
           <entry>
-            <literal>org.jboss.mq.il.uil2.UILServerILService</literal>
+            <classname>org.jboss.mq.il.uil2.UILServerILService</classname>
           </entry>
         </row>
       </tbody>
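
Review bot: The rows for 8009 and 8080 now mark up `org.jboss.web.tomcat.tc4.EmbeddedTomcatService` as a `<classname>`, which makes the `tc4` package stand out in a guide filed under EAP_5.0. Please confirm each class name and port in this table against an EAP 5.0 installation before publishing, because readers will write firewall rules from it. The `<literal>` to `<classname>` change itself looks fine.
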
@@ -99,49 +99,49 @@
           <entry> 1100 </entry>
           <entry> TCP </entry>
           <entry>
-            <literal>org.jboss.ha.jndi.HANamingService</literal>
+            <classname>org.jboss.ha.jndi.HANamingService</classname>
           </entry>
         </row>
         <row>
           <entry> 1101 </entry>
           <entry> TCP </entry>
           <entry>
-            <literal>org.jboss.ha.jndi.HANamingService</literal>
+            <classname>org.jboss.ha.jndi.HANamingService</classname>
           </entry>
         </row>
         <row>
           <entry> 1102 </entry>
           <entry> UDP </entry>
           <entry>
-            <literal>org.jboss.ha.jndi.HANamingService</literal>
+            <classname>org.jboss.ha.jndi.HANamingService</classname>
           </entry>
         </row>
         <row>
           <entry> 1161 </entry>
           <entry> UDP </entry>
           <entry>
-            <literal>org.jboss.jmx.adaptor.snmp.agent.SnmpAgentService</literal>
+            <classname>org.jboss.jmx.adaptor.snmp.agent.SnmpAgentService</classname>
           </entry>
         </row>
         <row>
           <entry> 1162 </entry>
           <entry> UDP </entry>
           <entry>
-            <literal>org.jboss.jmx.adaptor.snmp.trapd.TrapdService</literal>
+            <classname>org.jboss.jmx.adaptor.snmp.trapd.TrapdService</classname>
           </entry>
         </row>
         <row>
           <entry> 3528 </entry>
           <entry> TCP </entry>
           <entry>
-            <literal>org.jboss.invocation.iiop.IIOPInvoker</literal>
+            <classname>org.jboss.invocation.iiop.IIOPInvoker</classname>
           </entry>
         </row>
         <row>
           <entry> 4447 </entry>
           <entry> TCP </entry>
           <entry>
-            <literal>org.jboss.invocation.jrmp.server.JRMPInvokerHA</literal>
+            <classname>org.jboss.invocation.jrmp.server.JRMPInvokerHA</classname>
           </entry>
         </row>
         <row>
@@ -152,7 +152,7 @@
             </footnote></entry>
           <entry> UDP </entry>
           <entry>
-            <literal>org.jboss.ha.framework.server.ClusterPartition</literal>
+            <classname>org.jboss.ha.framework.server.ClusterPartition</classname>
           </entry>
         </row>
       </tbody>

Modified: projects/docs/enterprise/trunk/EAP_5.0/JBoss_Security_Guide/en-US/chap-Secure_Socket_Layer.xml
===================================================================
--- projects/docs/enterprise/trunk/EAP_5.0/JBoss_Security_Guide/en-US/chap-Secure_Socket_Layer.xml	2010-05-26 06:10:45 UTC (rev 105238)
+++ projects/docs/enterprise/trunk/EAP_5.0/JBoss_Security_Guide/en-US/chap-Secure_Socket_Layer.xml	2010-05-26 07:23:48 UTC (rev 105239)
@@ -70,8 +70,7 @@
     </section>
     <section>
       <title id="Adding_SSL_to_EJB3_Setting_up_the_SSL_transport">Configure SSL Transport</title>
-      <para>
-     The simplest way to define an SSL transport is to define a new Remoting connector using the <literal>sslsocket</literal> protocol as follows. This transport will listen on port 3843.
+      <para>The simplest way to define an SSL transport is to define a new Remoting connector using the <literal>sslsocket</literal> protocol as follows. This transport will listen on port 3843.
          
     </para>
       <example>
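
Review bot: The added paragraph states that the SSL transport listens on port 3843, but none of the rows visible in the chap-Firewalls.xml hunks of this revision list 3843 (or the default connector port 3873 mentioned further down in this file), so either add them to the port tables or cross-reference the Firewalls chapter here. The reflowed `<para>` also still ends with a whitespace-only line before `</para>`, and this section keeps its `id` on `<title>` where the neighbouring sections carry it on `<section>`.
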
@@ -92,7 +91,7 @@
    &lt;/mbean&gt;
 </programlisting>
       </example>
-      <para>You must now define the keystore location that  JBoss Remoting where to find the keystore to be used for SSL and its password. This is done using <literal>javax.net.ssl.keyStore</literal> and <literal>javax.net.ssl.keyStorePassword=opensource</literal> system properties when starting JBoss, as the following example shows:
+      <para>You must now define the keystore  location, and password, that  JBoss Remoting uses for SSL. This is done using <literal>javax.net.ssl.keyStore</literal> and <literal>javax.net.ssl.keyStorePassword=opensource</literal> system properties when starting JBoss, as the following example shows:
          
     </para>
       <screen>[home]$ cd [install_directory]/bin
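
Review bot: In the added sentence the second property is written as `javax.net.ssl.keyStorePassword=opensource`, with the sample value inside the `<literal>`, while `javax.net.ssl.keyStore` is given as a bare name. Tag only the property name and tell the reader to substitute their own keystore password rather than reuse `opensource`. There are also double spaces in "keystore  location" and "that  JBoss", and `[install_directory]` in the `<screen>` lacks the `<replaceable>` tag used in the EJB2.1 section.
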
@@ -101,8 +100,7 @@
     </section>
     <section id="Adding_SSL_to_EJB3_Configuring_your_beans">
       <title>Configure SSL Transport for Beans</title>
-      <para>
-     By default all the beans will use the default connector on <literal>socket://0.0.0.0:3873</literal>. By using the <literal>@org.jboss.annotation.ejb.RemoteBinding</literal> annotation you can have the bean invokable via SSL.
+      <para>All beans will use the default connector on <literal>socket://0.0.0.0:3873</literal>. By using the <literal>@org.jboss.annotation.ejb.RemoteBinding</literal> annotation you can make the bean  invokable via SSL.
 <programlisting language="Java" role="JAVA">
  @RemoteBinding(clientBindUrl=&quot;sslsocket://0.0.0.0:3843&quot;, jndiBinding=&quot;StatefulSSL&quot;),
    @Remote(BusinessInterface.class)
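
Review bot: The added line drops "By default" ("All beans will use the default connector on `socket://0.0.0.0:3873`"), which now reads as an absolute and contradicts the following sentence about `@RemoteBinding`. Keep the qualifier, and consider stating that the default `socket://` connector is not SSL-protected. In the listing, the `@RemoteBinding(...)` line ends with a trailing comma before `@Remote`, which will not compile if copied, and "bean  invokable" has a double space.
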
@@ -112,8 +110,7 @@
    }
 </programlisting>
     </para>
-      <para>
-     This bean will be bound under the JNDI name <literal>StatefulSSL</literal> and the proxy implementing the remote interface returned to the client will communicate with the server via SSL.
+      <para>This bean will be bound under the JNDI name <literal>StatefulSSL</literal> and the proxy implementing the remote interface returned to the client will communicate with the server via SSL.
     </para>
       <para>
      You can also enable different types of communication for your beans
@@ -153,15 +150,14 @@
     </section>
     <section id="Adding_SSL_to_EJB2.1_Setting_up_the_SSL_transport">
       <title>Configure SSL Transport</title>
-      <para>
-Now you must tell JBoss Remoting where to find the keystore to be used for SSl and its password. This is done using <literal>javax.net.ssl.keyStore</literal> and <literal>javax.net.ssl.keyStorePassword=opensource</literal> system properties when starting JBoss, as the following example shows:
+      <para>You must now define the keystore  location, and password, that  JBoss Remoting uses for SSL. This is done using <literal>javax.net.ssl.keyStore</literal> and <literal>javax.net.ssl.keyStorePassword=opensource</literal> system properties when starting JBoss, as the following example shows:
          
     </para>
       <screen>[home]$ cd <replaceable>[install_directory]</replaceable>/bin
 [bin]$ run -Djavax.net.ssl.keyStore=../server/production/conf/localhost.keystore 
 -Djavax.net.ssl.keyStorePassword=opensource</screen>
       <para>
-     If you wish to customize the SSLSocketBuilder you must add the following to your <literal><replaceable>[install_directory]</replaceable>/server/<replaceable>$SERVERS</replaceable>/conf/jboss-service.xml</literal> file.
+     To customize the SSLSocketBuilder, you must add the following to your <filename><replaceable>[install_directory]</replaceable>/server/<replaceable>$SERVERS</replaceable>/conf/jboss-service.xml</filename> file.
 <programlisting language="XML" role="XML">
   &lt;!-- This section is for custom (SSL) server socket factory  --&gt;
    &lt;mbean code=&quot;org.jboss.remoting.security.SSLSocketBuilder&quot;
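
Review bot: The `<screen>` example passes `-Djavax.net.ssl.keyStorePassword=opensource` on the `run` command line, and the rewritten paragraph above it presents that as the way to supply the password. A password given as a command-line argument is visible to other local users in the process list and ends up in shell history, so the text should say so and mark `opensource` as a placeholder. The `$SERVERS` placeholder in the new `<filename>` also differs from `${serverConf}`, which the next section uses for the same directory.
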
@@ -202,10 +198,8 @@
     <section id="Adding_SSL_to_EJB2.1_configuring_your_beans">
       <title>Configure SSL Transport for Beans</title>
       <para>
-     In your <literal>$JBOSS_HOME/server/${serverConf}/conf/jboss-service.xml</literal> file, comment out the following lines: 
+     In your <filename>$JBOSS_HOME/server/${serverConf}/conf/jboss-service.xml</filename> file, update the code to reflect the information below:
 
-    and add the following in it&apos;s place:
-
     </para>
       <programlisting language="XML" role="XML">
 &lt;mbean code=&quot;org.jboss.remoting.transport.Connector&quot;
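
Review bot: Replacing "comment out the following lines: ... and add the following in it's place" with "update the code to reflect the information below" removes the only hint that an existing element is being replaced, and the reader is not told which one to look for in `jboss-service.xml`. State which existing element the listing replaces. "Code" is also an odd word for an XML service descriptor; "configuration" would be clearer.
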



