How to secure JMX Console in JBossAS?


JMX Console is a very useful/powerful administration console for JBossAS.  I’ve rarely seen admins making full use of it. Irrespective of the usage, I’d recommend that to be kept in the JBoss deploy directory. Fine. Let’s now think towards securing it, which is not often done.
Here’re the step-by-step instructions. I’ve tried this with JBossAS 4.2.2 ad 5.0.1 GA, should work for other versions too.

1. Find the files – web.xml and jboss-web.xml - in jmx-console.war, an exploded archive, available by default, in the deploy directory of any JBoss configuration that you might be running – default, minimal, all, standard, web.

2. Make sure you uncomment the following piece of xml config in the respective files.

i) web.xml 

   <!-- A security constraint that restricts access to the HTML JMX console
   to users with the role JBossAdmin. Edit the roles to what you want and
   uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
   secured access to the HTML JMX console. -->
   <security-constraint>
     <web-resource-collection>
       <web-resource-name>HtmlAdaptor</web-resource-name>
       <description>An example security config that only allows users with the
         role JBossAdmin to access the HTML JMX console web application
       </description>
       <url-pattern>/*</url-pattern>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
     </web-resource-collection>
     <auth-constraint>
       <role-name>JBossAdmin</role-name>
     </auth-constraint>
   </security-constraint>

 

ii) jboss-web.xml

      <!-- Uncomment the security-domain to enable security. You will
      need to edit the htmladaptor login configuration to setup the
      login modules used to authentication users.-->
      <security-domain>java:/jaas/jmx-console</security-domain>

3. Now, you need to add a user with admin role and set password for it. Let’s assume that we’re running JBossAS in default mode.

i) default/conf/jmx-console-roles.properties
sing=JBossAdmin

ii) default/conf/jmx-console-users.properties
sing=singpwd

That’s it. Restart the server, and see if the authentication works for JBoss JMX Console. Of course, there can be lots of tweaks in this, but this’s a basic and a simple solution

About these ads

About this entry

You’re currently reading “How to secure JMX Console in JBossAS?,” an entry on Singaram's Tech Musings

Published:
January 23, 2011 / 8:04 PM
Category:
Application Security, Java Application Servers, JBoss
Tags:
, , ,