Securing the JMX Console and Web Console

Both the jmx-console and web-console are standard servlet 2.3 deployments and can be secured using J2EE role based security. Both also have a skeleton setup to allow one to easily enable security using username/password/role mappings found in the jmx-console.war and web-console.war deployments in the corresponding WEB-INF/classes users.properties and roles.properties files.

The security setup is based on two pieces, the standard WEB-INF/web.xml servlet URI to role specification, and the WEB-INF/jboss-web.xml specification of the JAAS configuration which defines how authentication and role mapping is performed.

To secure the JMX Console using a username/password file -

  • Locate the jmx-console.war directory. This will normally be in server/default/deploy in your JBOSS_HOME directory.  (pico jboss/server/default/deploy/ management/console-mgr.sar/web-console.war/WEB-INF/web.xml )
  • edit WEB-INF/web.xml and uncomment the security-constraint block
  • edit WEB-INF/classes/jmx-console-users.properties or server/default/conf/props/jmx-console-users.properties (version >=4.0.2) and WEB-INF/classes/jmx-console-roles.properties or server/default/conf/props/jmx-console-roles.properties (version >=4.0.2) and change the users and passwords to what you desire. They will need the JBossAdmin role specified in the web.xml file to run the JMX Console.
  • edit WEB-INF/jboss-web.xml and uncomment the security-domain block. The security-domain value of jmx-console maps is declared in the login-config.xml JAAS configuration file which defines how authentication and authorization is done.

To secure the JMX Console using your own JAAS domain -

  • edit WEB-INF/web.xml as above, uncommenting the security-constraint block. Change the role-name value to be the role in your domain that can access the console
  • edit WEB-INF/jboss-web.xml as above, setting the security domain to be the name of your security domain. For example, if your login-config.xml has an application-policy whose name is MyDomain then your JAAS domain java:/jaas/MyDomain
  • after making all the changes, redeploy the application. The application can be redeployed by touching the web.xml file or by restarting the server

The process to secure the web console is similar. In the deploy directory, locate management/web-console.war and make the same changes as above to to WEB-INF/web.xml, WEB-INF/jboss-web.xml and the users/groups properties file. The default JAAS domain used by the web-console is java:/jaas/web-console and is defined in login-config.xml in the conf directory. You can use a custom JAAS domain or custimize the existing domain in the same way as with the JMX console. Typically you would just use the same domain (java:/jaas/jmx-console) as the jmx-console so that you have a single user/role mapping to configurue.

If you find as I did with 3.2.5 that I couldn’t log in, another users.properties is most likely being picked up. Change the web-console login-config.xml entry so that that properties files are uniquely named to avoid ambiguity with which resource is picked up. You also would need to rename the web-console properties files. (see http://www.jboss.org/index.html?module=bb&op=viewtopic&t=53346 )

As an extra level of security you may also want to LimitAccessToCertainClients in a particular IP address range.

Enabling authentication to the RMIAdaptor service

Since 3.2.4, the JMX Detached Invoker Service which provides the RMIAdaptor interface into the MBeanServer has supported JAAS authentication of callers.
Note, there is a bug in the 4.0.x implementation that is fixed in 4.0.5 GA.
To enable this:
- in JBossAS 4.0.x, edit jmx-invoker-service.xml
- in JBossAS 3.2.x, edit jmx-invoker-adaptor-server.sar/META-INF/jboss-service.xml
and uncomment the descriptors section of the invoke operation:

         <operation>
            <description>The detached invoker entry point</description>
            <name>invoke</name>
            <parameter>
               <description>The method invocation context</description>
               <name>invocation</name>
               <type>org.jboss.invocation.Invocation</type>
            </parameter>
            <return-type>java.lang.Object</return-type>
            <!-- Uncomment to require authenticated users -->
            <descriptors>
               <interceptors>
                  <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
                     securityDomain="java:/jaas/jmx-console"/>
               </interceptors>
            </descriptors>
         </operation>

The value of the securityDomain attribute maps to the security domain name found in the conf/login-config.xml definitions the same way as the jboss.xml, jboss-web.xml security-domain elements do. In this case the jmx-console security domain configuration is being used.

courtesy:  http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss