Securing the Management Consoles


You've used the JMX Console and Web Console applications extensively throughout the book. Given that you can completely control a JBoss instance through those applications, you might have found it a bit odd that you never had to specify a username and password to access them.

Both applications are accessible to anyone who has access to your server. If you plan to use those applications, you'll need to perform a few configuration steps to get them ready.

How do I do that?

Before we start, it should be obvious that if you don't need the management consoles, you can get rid of them and not need to worry about whether remote users can access them. The JMX Console lives in deploy/jmx-console.war and the Web Console lives in deploy/management. If you remove both of those directories, JBoss will forget all about the management applications.

Unfortunately, by removing those directories you also lose the ability to manage your server through them. In some cases this makes perfect sense, but we think the management consoles are useful enough that you'll want to keep them around.

If you decide you want to keep them around, you'll need to link them to a security domain and apply security to the web applications, just as you did for the ToDo application. To make things easier, JBoss provides preconfigured, but commented out, security declarations that you just need to enable.

In the jmx-console.war directory, you'll need to edit WEB-INF/web.xml by uncommenting the following security constraint:

     <security-constraint>         <web-resource-collection>             <web-resource-name>HtmlAdaptor</web-resource-name>             <description>                  An example security config that only allows users with the                 role JBossAdmin to access the HTML JMX console web application              </description>             <url-pattern>/*</url-pattern>             <http-method>GET</http-method>             <http-method>POST</http-method>         </web-resource-collection>         <auth-constraint>             <role-name>JBossAdmin</role-name>         </auth-constraint>     </security-constraint> 

This restricts the entire JMX Console to users with the JBossAdmin role. If you recall the security discussion in Chapter 5, you'll remember that along with this you'll need to link to the security domain in WEB-INF/jboss-web.xml:

     <jboss-web>         <security-domain>java:/jaas/jmx-console</security-domain>     </jboss-web> 

This security domain is already deployed:

     <application-policy name="jmx-console">         <authentication>             <login-module                 code="org.jboss.security.auth.spi.UsersRolesLoginModule"                flag="required">                 <module-option name="usersProperties">                     props/jmx-console-users.properties                 </module-option>                 <module-option name="rolesProperties">                     props/jmx-console-roles.properties                 </module-option>             </login-module>         </authentication>     </application-policy> 

You saw in Chapter 5 how to replace and customize a security domain. For now, we'll stick with the properties file mechanism. The two properties files mentioned, jmx-console-users.properties andjmx-console-roles.properties, are in the conf/props directory. Keeping the files in a shared location rather than in the web application directory allows you to later share the user information with the Web Console.

The two properties files declare a user named admin whose password is admin. You might want to take the time to change that now. Keeping the default name and password for the JMX Console is nearly as bad as not protecting it at all.

That's all you have to do for the JMX Console. Now we'll make the same changes to the Web Console. You'll have to look all the way down in management/console-mgr.sar/web-console.war/WEB-INF to find the configuration files for the Web Console.

You'll need to uncomment the security constraint in web.xml, and set a security domain in jboss-web.xml. Instead of uncommenting the java:/jaas/web-console security domain currently referenced, set the security domain to java:/jass/jmx-console. This will cause both applications to be authenticated from the same security domain, instead of using two separate logins for the applications.

Although you can redeploy the applications, the fastest way to make the changes take hold is to restart the server.

What just happened?

You added user security to the two management console applications. When you access either of them, JBoss will ask you to log in. The jmx-console-users.properties and jmx-console-roles.properties files in the conf/props directory provide the authentication information, but you can change the authentication details in login-config.xml.

There is still one problem here. If you access the management consoles over normal HTTP, your username and password are sent in the clear. You should enable SSL, as shown in Chapter 5, and always access the application over HTTPS when connecting over a nontrusted network.



JBoss. A Developer's Notebook
JBoss: A Developers Notebook
ISBN: 0596100078
EAN: 2147483647
Year: 2003
Pages: 106

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net