Saturday, March 20, 2010

Securing JBoss Web Console

The security setup is based on two pieces, the standard WEB-INF/web.xml servlet URI to role specification, and the WEB-INF/jboss-web.xml specification of the JAAS configuration which defines how authentication and role mapping is performed. To secure the Web Console using a username/password file - 
  1. Locate the web-console.war directory in JBoss. This will normally be in <JBOSS Install dir>/server/default/deploy/management/console-mgr.sar directory.  
  2. Edit <JBOSS Install dir>/server/default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml and uncomment the following security-constraint block 


    <!-- A security constraint that restricts access to the HTML JMX console
           to users with the role JBossAdmin. Edit the roles to what you want and
           uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
           secured access to the HTML JMX console. 
       -->
   <security-constraint>
     <web-resource-collection>
       <web-resource-name>HtmlAdaptor</web-resource-name>
       <description>An example security config that only allows users with the
         role JBossAdmin to access the HTML JMX console web application
       </description>
       <url-pattern>/*</url-pattern>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
     </web-resource-collection>
     <auth-constraint>
       <role-name>JBossAdmin</role-name>
     </auth-constraint>
   </security-constraint>
   <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>JBoss JMX Console</realm-name>
   </login-config>
   <security-role>
      <role-name>JBossAdmin</role-name>
   </security-role>
  3. Edit the <JBOSS Install dir>/server/default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/web-console-roles.properties and web-console-users.properties, and move those files to <JBOSS Install dir>/server/default/conf/props directory. and change the users and passwords to what you desire. The only change above should be to web-console-users.properties, i.e, set a password.
  4. Edit <JBOSS Install dir>/server/default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/jboss-web.xml and uncomment the following security-domain block:-

    <jboss-web>
    <!-- Uncomment the security-domain to enable security. You will
           need to edit the htmladaptor login configuration to setup the
           login modules used to authentication users.
         -->
         <security-domain>java:/jaas/jmx-console</security-domain>
     </jboss-web>
  5.  The security-domain value of web-console maps is declared in the login-config.xml JAAS configuration file which defines how authentication and authorization is done. edit <JBOSS Install dir>/server/default/conf/login-config.xml Change the path to the web-console-users.properties and the web-console-roles.properties as follows (add props/ to the front of the path) 
<module-option name="usersProperties">props/web-console-users.properties</module-option>
     <module-option name="rolesProperties">props/web-console-roles.properties</module-option>
    Vocabulary: No comments:

    Securing JBoss jmx-console

    Both the jmx-console and web-console are standard servlet 2.3 deployments and can be secured using J2EE role based security. Both also have a skeleton setup to allow one to easily enable security using username/password/role mappings found in the jmx-console.war and web-console.war deployments in the corresponding WEB-INF/classes users.properties and roles.properties files.

    The security setup is based on two pieces, the standard WEB-INF/web.xml servlet URI to role specification, and the WEB-INF/jboss-web.xml specification of the JAAS configuration which defines how authentication and role mapping is performed.To secure the JMX Console using a username/password file:
    1. Locate the jmx-console.war directory. This will normally be in /server/default/deploy directory.
    2. Edit /server/default/deploy/jmx-console.war/WEB-INF/web.xml and uncomment the following security-constraint block


      A security constraint that restricts access to the HTML JMX console
      to users with the role JBossAdmin. Edit the roles to what you want and
      uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
      secured access to the HTML JMX console. 
      <security-constraint>
     <web-resource-collection>
       <web-resource-name>HtmlAdaptor</web-resource-name>
       <description>An example security config that only allows users with the
         role JBossAdmin to access the HTML JMX console web application
       </description>
       <url-pattern>/*</url-pattern>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
       <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
    <login-config>
       <auth-method>BASIC</auth-method>
       <realm-name>JBoss JMX Console</realm-name>
    </login-config>
  <security-role>
    <role-name>JBossAdmin</role-name>
  </security-role> 
      

      3. 

    3. Edit /server/default/conf/props/jmx-console-users.properties  (version &gt;=4.0.2) and /server/default/conf/props/jmx-console-roles.properties  (version &gt;=4.0.2) and change the users and passwords to what you  desire. They will need the JBossAdmin role specified in the web.xml file  to run the JMX Console. The only change above should be to jmx-console-users.properties, i.e,  set a password. 
      4. 

    4. Edit /server/default/jmx-console.war/WEB-INF/jboss-web.xml  and uncomment the following security-domain block:- 
      

      <jboss-web>
         <!-- Uncomment the security-domain to enable security. You will
           need to edit the htmladaptor login configuration to setup the
           login modules used to authentication users.
         -->
         <security-domain>java:/jaas/jmx-console</security-domain>
      </jboss-web>
      

      

      5. 

    

    

    

    

    
The security-domain value of jmx-console maps is declared in the login-config.xml JAAS configuration file which defines how authentication and authorization is done. 
    

    

    

    

    

    
Vocabulary:




No comments:
              









    

    


    

    


    

    

    

    

        
    
      

    


    

    

    
Subscribe to:
Posts (Atom)