How to secure JMX Console in JBossAS?
JMX Console is a very useful/powerful administration console for JBossAS. I’ve rarely seen admins making full use of it. Irrespective of the usage, I’d recommend that to be kept in the JBoss deploy directory. Fine. Let’s now think towards securing it, which is not often done.
Here’re the step-by-step instructions. I’ve tried this with JBossAS 4.2.2 ad 5.0.1 GA, should work for other versions too.
1. Find the files – web.xml and jboss-web.xml - in jmx-console.war, an exploded archive, available by default, in the deploy directory of any JBoss configuration that you might be running – default, minimal, all, standard, web.
2. Make sure you uncomment the following piece of xml config in the respective files.
i) web.xml<!-- A security constraint that restricts access to the HTML JMX console to users with the role JBossAdmin. Edit the roles to what you want and uncomment the WEB-INF/jboss-web.xml/security-domain element to enable secured access to the HTML JMX console. --> <security-constraint> <web-resource-collection> <web-resource-name>HtmlAdaptor</web-resource-name> <description>An example security config that only allows users with the role JBossAdmin to access the HTML JMX console web application </description> <url-pattern>/*</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <auth-constraint> <role-name>JBossAdmin</role-name> </auth-constraint> </security-constraint>
ii) jboss-web.xml<!-- Uncomment the security-domain to enable security. You will need to edit the htmladaptor login configuration to setup the login modules used to authentication users.--> <security-domain>java:/jaas/jmx-console</security-domain>
3. Now, you need to add a user with admin role and set password for it. Let’s assume that we’re running JBossAS in default mode.
That’s it. Restart the server, and see if the authentication works for JBoss JMX Console. Of course, there can be lots of tweaks in this, but this’s a basic and a simple solution