[jboss-user] Re: Securing JBoss jmx-console and web-console for JBoss 4.0
samk at twinix.com
Wed Mar 12 14:09:19 EDT 2008
See Thread at: http://www.techienuggets.com/Detail?tx=9 Posted on behalf of a User
How to encrypt the password for jmx-console and web-console?
I use the following command to encrypt the password. But where should I put the encrypted password? What changes do I need to make?
java -cp lib\jboss-common.jar;server\default\lib\jbosssx.jar;server\default\lib\jboss-jca.jar org.jboss.resource.security.SecureIdentityLoginModule production
Thanks!
In Response To:
Out of the box, jmx-console and the web console are accessible to anyone who can access your server via
the following url: http://yourserver:8080/jmx-console. The good news is that both jmx-console and web-console
are standard servlets, so they can be protected easily by enabling the security-constraint. Our example
uses the default server model.
1. Edit \server\default\deploy\jmx-console.war\WEB-INF\web.xml and uncomment the security-constraint
<!-- A security constraint that restricts access to the HTML JMX console
     to users with the role JBossAdmin. Edit the roles to what you want and
     uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
     secured access to the HTML JMX console. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <description>An example security config that only allows users with the
      role JBossAdmin to access the HTML JMX console web application
    </description>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>JBoss JMX Console</realm-name>
</login-config>
<security-role>
  <role-name>JBossAdmin</role-name>
</security-role>
2. Edit \server\default\deploy\jmx-console.war\WEB-INF\jboss-web.xml. Uncomment the following block:
<jboss-web>
  <!-- Uncomment the security-domain to enable security. You will
       need to edit the htmladaptor login configuration to setup the
       login modules used to authentication users.-->
  <security-domain>java:/jaas/jmx-console</security-domain>
</jboss-web>
3. Edit \server\default\conf\props\jmx-console-roles.properties
4. Edit \server\default\conf\props\jmx-console-users.properties
The only change above should be to jmx-console-users.properties, i.e., set a password.
5. While you are in the directory, make copies of the two jmx-console properties files and call them web-console-roles.properties
and web-console-users.properties respectively.
6. The property files for web-console currently exist under \server\default\deploy\management\console-mgr.sar\web-console.war\WEB-INF\classes.
I would rename these files.
7. Edit \server\default\conf\login-config.xml
<application-policy name = "web-console">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                  flag = "required">
      <module-option name="usersProperties">props/web-console-users.properties</module-option>
      <module-option name="rolesProperties">props/web-console-roles.properties</module-option>
    </login-module>
  </authentication>
</application-policy>
In the above you need to add the props/ because this is missing in the original file. If you do not do
this the login procedure will look for the properties file under
web-console.war\WEB-INF\classes and if you have not renamed the properties file there it will try and
use those.
Remember to bounce JBoss after you are done.
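A check for the steps above, added here as an example and not part of the original post or of JBoss: it parses the three edited files and reports a constraint or security-domain that is still commented out, a properties path without props/, and a constraint that lists http-method elements (under the Servlet specification such a constraint applies only to the listed methods; removing the http-method elements makes it apply to all of them). The function name audit_console and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def _all(root, name):
    # ElementTree drops XML comments, so commented-out blocks are simply absent.
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def audit_console(web_xml, jboss_web_xml, login_config_xml, policy):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    constraints = _all(ET.fromstring(web_xml), "security-constraint")
    if not constraints:
        findings.append("web.xml: no active security-constraint")
    for c in constraints:
        if not [r for a in _all(c, "auth-constraint") for r in _all(a, "role-name")]:
            findings.append("web.xml: constraint names no role")
        methods = [(m.text or "").strip() for m in _all(c, "http-method")]
        if methods:  # a constraint that lists methods applies to those methods only
            findings.append("web.xml: constraint limited to " + ",".join(methods))
    if not _all(ET.fromstring(jboss_web_xml), "security-domain"):
        findings.append("jboss-web.xml: no active security-domain")
    for p in _all(ET.fromstring(login_config_xml), "application-policy"):
        if p.get("name") != policy:
            continue
        for opt in _all(p, "module-option"):
            path = (opt.text or "").strip()
            if opt.get("name") in ("usersProperties", "rolesProperties") \
                    and not path.startswith("props/"):
                findings.append("login-config.xml: %s=%s lacks props/" % (opt.get("name"), path))
    return findings

# Constructed sample input, modelled on the snippets in the post (one file per step).
WEB_XML = """<web-app><security-constraint>
  <web-resource-collection><web-resource-name>HtmlAdaptor</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method><http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
</security-constraint></web-app>"""
JBOSS_WEB_XML = """<jboss-web>
  <!-- <security-domain>java:/jaas/jmx-console</security-domain> -->
</jboss-web>"""
LOGIN_CONFIG_XML = """<policy><application-policy name="web-console"><authentication>
  <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
    <module-option name="usersProperties">web-console-users.properties</module-option>
    <module-option name="rolesProperties">props/web-console-roles.properties</module-option>
  </login-module></authentication></application-policy></policy>"""

if __name__ == "__main__":
    for finding in audit_console(WEB_XML, JBOSS_WEB_XML, LOGIN_CONFIG_XML, "web-console"):
        print(finding)
```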