How to secure JMX Console in JBossAS?


JMX Console is a very useful and powerful administration console for JBossAS. I've rarely seen admins making full use of it. Whether or not you use it, I'd recommend keeping it in the JBoss deploy directory; but anything left there has to be secured, and that is not often done. Out of the box the console answers without any authentication, so anyone who can reach the HTTP port can inspect and invoke the server's MBeans.
Here are the step-by-step instructions. I've tried this with JBossAS 4.2.2 and 5.0.1 GA; it should work for other versions too.

1. Find the two files, web.xml and jboss-web.xml, under WEB-INF in jmx-console.war. It is an exploded archive that ships by default in the deploy directory of whichever server configuration you are running (default, all, standard, web; the minimal configuration has no web container and so does not deploy it).

2. Uncomment the following pieces of XML configuration in the respective files (both ship commented out, which is why the console is open by default).

i) web.xml

   <!-- A security constraint that restricts access to the HTML JMX console
   to users with the role JBossAdmin. Edit the roles to what you want and
   uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
   secured access to the HTML JMX console. -->
   <security-constraint>
     <web-resource-collection>
       <web-resource-name>HtmlAdaptor</web-resource-name>
       <description>An example security config that only allows users with the
         role JBossAdmin to access the HTML JMX console web application
       </description>
       <url-pattern>/*</url-pattern>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
     </web-resource-collection>
     <auth-constraint>
       <role-name>JBossAdmin</role-name>
     </auth-constraint>
   </security-constraint>

A caveat on the two <http-method> elements: a servlet security constraint that names HTTP methods applies only to those methods. A request that uses any other verb (HEAD, PUT, DELETE, OPTIONS, or an arbitrary string) falls outside the constraint and reaches the console without authentication; this is the JMX Console verb-tampering bypass tracked as CVE-2010-0738. Delete the two <http-method> lines so that the constraint covers every method.


ii) jboss-web.xml

      <!-- Uncomment the security-domain to enable security. You will
      need to edit the htmladaptor login configuration to setup the
      login modules used to authentication users.-->
      <security-domain>java:/jaas/jmx-console</security-domain>

3. Now add a user with the admin role and set a password for it. Let's assume we're running the default server configuration, so the files live under server/default/conf. The roles file maps a user name to the role the constraint above demands; the users file maps the same user name to a password, which this login module stores in clear text by default. Remove or comment out any sample user that ships in these files.

i) server/default/conf/jmx-console-roles.properties
sing=JBossAdmin

ii) server/default/conf/jmx-console-users.properties
sing=singpwd

That's it. Restart the server and check that the JMX Console now demands authentication: a request to /jmx-console/ should be refused (HTTP 401) until the new credentials are supplied, and if you kept the <http-method> lines, repeat the request with a verb other than GET or POST to see whether it is refused as well. Since the passwords sit in clear text in the properties files, restrict their filesystem permissions to the account JBoss runs as. Of course, there can be lots of further tweaks, but this is a basic and simple solution.
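To check the four files before restarting, here is a small offline audit script. It is an added example, not code from this post or from JBoss: it parses the two descriptors and the two properties files and flags a security constraint that is still commented out, a constraint limited to particular HTTP methods, a missing security-domain, a missing JBossAdmin user, and default-style passwords. The sample file contents embedded at the bottom are constructed to mirror the post, and the WEAK_PASSWORDS list is my own assumption, not anything JBoss ships.

```python
"""Offline audit of a jmx-console.war hardening (added example, not the post's or JBoss's code).

Pass the text of WEB-INF/web.xml, WEB-INF/jboss-web.xml, conf/jmx-console-users.properties
and conf/jmx-console-roles.properties to audit_jmx_console(); an empty result means the
console is locked down the way the steps above describe.
"""
import xml.etree.ElementTree as ET


def _local(tag):
    """Drop an XML namespace ({uri}name -> name): web.xml is namespaced, jboss-web.xml is not."""
    return tag.rsplit('}', 1)[-1]


def _texts(elem, name):
    """Text of every descendant element called `name`, whitespace stripped."""
    return [e.text.strip() for e in elem.iter() if _local(e.tag) == name and e.text]


def audit_web_xml(text):
    """Active constraint on /* with a role, covering every HTTP verb?"""
    # ElementTree discards <!-- --> comments, so a constraint that is still
    # commented out (the shipped state) simply does not show up here.
    root = ET.fromstring(text)
    constraints = [e for e in root.iter() if _local(e.tag) == 'security-constraint']
    if not constraints:
        return ['web.xml: no active <security-constraint>; the console is unauthenticated']
    findings = []
    for sc in constraints:
        if '/*' not in _texts(sc, 'url-pattern'):
            findings.append('web.xml: constraint does not cover /*')
        if not _texts(sc, 'role-name'):
            findings.append('web.xml: constraint names no role; it restricts nobody')
        methods = _texts(sc, 'http-method')
        if methods:  # named verbs are the only ones checked; any other verb walks straight in
            findings.append('web.xml: constraint only covers %s; remove the <http-method> '
                            'elements so every verb is authenticated' % ','.join(methods))
    return findings


def audit_jboss_web_xml(text):
    """Is the <security-domain> element uncommented, i.e. are login modules bound?"""
    if _texts(ET.fromstring(text), 'security-domain'):
        return []
    return ['jboss-web.xml: <security-domain> still commented out; no login modules are bound']


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value lines, '#'/'!' comments skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in '#!':
            key, _, value = line.partition('=')
            props[key.strip()] = value.strip()
    return props


WEAK_PASSWORDS = {'', 'admin', 'password', 'jboss', 'jmx-console'}  # assumed list, extend as needed


def audit_users(users_text, roles_text, role='JBossAdmin'):
    """Some user with a password must hold `role`, and no password may be trivial."""
    users, roles = parse_properties(users_text), parse_properties(roles_text)
    findings = []
    admins = [u for u, r in roles.items() if role in [x.strip() for x in r.split(',')]]
    if not any(u in users for u in admins):
        findings.append('properties: no user with a password holds %s; nobody can log in' % role)
    for user, pw in users.items():
        if pw.lower() in WEAK_PASSWORDS or pw == user:
            findings.append('properties: user %r has a default or trivial password' % user)
    return findings


def audit_jmx_console(web_xml, jboss_web_xml, users_props, roles_props):
    """All checks together; an empty list means protected."""
    return (audit_web_xml(web_xml) + audit_jboss_web_xml(jboss_web_xml)
            + audit_users(users_props, roles_props))


# --- constructed samples mirroring the post (not real files taken from a server) ---
_CONSTRAINT = """<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <url-pattern>/*</url-pattern>%s
  </web-resource-collection>
  <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
</security-constraint>"""
_WEB_APP = '<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">%s</web-app>'
WEB_XML_SHIPPED = _WEB_APP % ('<!-- %s -->' % (_CONSTRAINT % ''))   # step 2 not yet done
WEB_XML_AS_POSTED = _WEB_APP % (_CONSTRAINT % '<http-method>GET</http-method><http-method>POST</http-method>')
WEB_XML_ALL_VERBS = _WEB_APP % (_CONSTRAINT % '')                   # http-method lines removed
JBOSS_WEB_SHIPPED = '<jboss-web><!-- <security-domain>java:/jaas/jmx-console</security-domain> --></jboss-web>'
JBOSS_WEB_SECURED = '<jboss-web><security-domain>java:/jaas/jmx-console</security-domain></jboss-web>'
USERS, ROLES = 'sing=singpwd\n', 'sing=JBossAdmin\n'                 # the post's user
USERS_WEAK, ROLES_WEAK = 'admin=admin\n', 'admin=JBossAdmin\n'       # a default-style entry

if __name__ == '__main__':
    for label, files in [('shipped', (WEB_XML_SHIPPED, JBOSS_WEB_SHIPPED, USERS_WEAK, ROLES_WEAK)),
                         ('as posted', (WEB_XML_AS_POSTED, JBOSS_WEB_SECURED, USERS, ROLES)),
                         ('all verbs', (WEB_XML_ALL_VERBS, JBOSS_WEB_SECURED, USERS, ROLES))]:
        print(label + ':', audit_jmx_console(*files) or ['OK'])
```

Running it prints one finding per file for the shipped state, a single http-method finding for the configuration exactly as posted, and OK once the <http-method> lines are gone. On a real server, read the four files from server/default/deploy/jmx-console.war/WEB-INF and server/default/conf and pass their contents in place of the constructed strings.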
