[jboss-user] Re: Securing JBoss jmx-console and web-console for JBoss 4.0

Wed Mar 12 14:09:19 EDT 2008

How to encrypt the password for jmx-console and web-console?

I use the following command to encrypt the password. But where should I put the encrypted password? What changes do I need to make?

java -cp lib\jboss-common.jar;server\default\lib\jbosssx.jar;server\default\lib\jboss-jca.jar org.jboss.resource.security.SecureIdentityLoginModule production


Out of the box, jmx-console and the web console are accessible to anyone who can access your server via
the following url: http://yourserver:8080/jmx-console. The good news is that both jmx-console and web-console
are standard servlets, so they can be protected easily by enabling the security-constraint. Our example
uses the default server model.

1. Edit \server\default\deploy\jmx-console.war\WEB-INF\web.xml and uncomment the security-constraint

<!-- A security constraint that restricts access to the HTML JMX console
   to users with the role JBossAdmin. Edit the roles to what you want and
   uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
   secured access to the HTML JMX console. -->

       <description>An example security config that only allows users with the
         role JBossAdmin to access the HTML JMX console web application

      <realm-name>JBoss JMX Console</realm-name>


2. Edit \server\default\deploy\jmx-console.war\WEB-INF\jboss-web.xml. Uncomment the following block:

   <!-- Uncomment the security-domain to enable security. You will
      need to edit the htmladaptor login configuration to setup the
      login modules used to authentication users.-->

3. Edit \server\default\conf\props\jmx-console-roles.properties
4. Edit \server\default\conf\props\jmx-console-users.properties

The only change above should be to jmx-console-users.properties, i.e., set a password.

5. While you are in the directory, make copies of the two jmx-console properties files and call them web-console-roles.properties
and web-console-users.properties respectively.

6. The property files for web-console currently exist under \server\default\deploy\management\console-mgr.sar\web-console.war\WEB-INF\classes.
I would rename these files.

7. Edit \server\default\conf\login-config.xml

<application-policy name = "web-console">
       <authentication>
          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required">
             <module-option name="usersProperties">props/web-console-users.properties</module-option>
             <module-option name="rolesProperties">props/web-console-roles.properties</module-option>
          </login-module>
       </authentication>
</application-policy>

In the above you need to add the props/ because this is missing in the original file. If you do not do
this the login procedure will look for the properties file under 
web-console.war\WEB-INF\classes and if you have not renamed the properties file there it will try and
use those.

Remember to bounce JBoss after you are done. 
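
A check for steps 1 and 7 above, as an added example that is not part of the original post or of JBoss: it reports whether web.xml has an active (uncommented) security-constraint and whether the web-console policy in login-config.xml points at props/. The function names and the embedded XML samples are constructed for illustration; on a real server, pass in the text of your own files.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs, not copied from a real server.
WEB_XML_COMMENTED = """<web-app>
  <!-- <security-constraint><auth-constraint>
       <role-name>JBossAdmin</role-name></auth-constraint></security-constraint> -->
</web-app>"""
WEB_XML_ENABLED = """<web-app><security-constraint>
  <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
</security-constraint></web-app>"""
POLICY = """<policy><application-policy name="web-console"><authentication>
  <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
    <module-option name="usersProperties">{0}web-console-users.properties</module-option>
    <module-option name="rolesProperties">{0}web-console-roles.properties</module-option>
  </login-module></authentication></application-policy></policy>"""
LOGIN_UNEDITED, LOGIN_EDITED = POLICY.format(""), POLICY.format("props/")

def _named(root, name):
    # Match on the local tag name so namespaced descriptors also work.
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def required_roles(web_xml_text):
    """Roles enforced by active security-constraints. An empty set means the
    console is still open: the parser drops XML comments, so a constraint
    that is still commented out does not count."""
    roles = set()
    for sc in _named(ET.fromstring(web_xml_text), "security-constraint"):
        for ac in _named(sc, "auth-constraint"):
            roles.update(r.text.strip() for r in _named(ac, "role-name") if r.text)
    return roles

def policy_findings(login_config_text, policy="web-console"):
    """Step 7 check: both properties options must point under props/."""
    for ap in _named(ET.fromstring(login_config_text), "application-policy"):
        if ap.get("name") != policy:
            continue
        opts = {o.get("name"): (o.text or "").strip() for o in _named(ap, "module-option")}
        findings = []
        for key in ("usersProperties", "rolesProperties"):
            if key not in opts:
                findings.append(f"{policy}: {key} is not set")
            elif not opts[key].startswith("props/"):
                findings.append(f"{policy}: {key}={opts[key]} lacks the props/ prefix")
        return findings
    return [f"{policy}: application-policy not found"]

if __name__ == "__main__":
    print(required_roles(WEB_XML_COMMENTED) or "no active security-constraint")
    print(policy_findings(LOGIN_UNEDITED))
```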

