Secure JBoss JMX Console
Since JBoss can now be installed from a zip file, it comes with a default, unsecured jmx-console. This is unacceptable for production, so here is the method to secure the jmx-console using HTTP authentication (applies to JBoss 4.2.2.GA).

1. Edit jboss/server/default/deploy/jmx-console.war/WEB-INF/web.xml and uncomment the security-constraint element:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>HtmlAdaptor</web-resource-name>
        <description>An example security config that only allows users with the
          role JBossAdmin to access the HTML JMX console web application
        </description>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>JBossAdmin</role-name>
      </auth-constraint>
    </security-constraint>

2....
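A check for step 1, added here as an example (it is not part of the original post or of JBoss): it parses a web.xml and reports whether the security-constraint is active, requires JBossAdmin and covers /*. It also flags listed http-method elements, because under the servlet specification a constraint that lists methods applies only to those methods; the function name audit_web_xml and the sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    # Strip an XML namespace so DTD- and schema-based web.xml files both work.
    return tag.rsplit("}", 1)[-1]

def _texts(parent, name):
    return [(e.text or "").strip() for e in parent.iter() if _local(e.tag) == name]

def audit_web_xml(xml_text, required_role="JBossAdmin"):
    """Return a list of findings; an empty list means the constraint is in effect."""
    # ElementTree discards XML comments, so a constraint that is still
    # commented out is simply absent from the parsed tree.
    root = ET.fromstring(xml_text)
    constraints = [e for e in root.iter() if _local(e.tag) == "security-constraint"]
    if not constraints:
        return ["no active security-constraint (element still commented out?)"]
    findings = []
    for n, sc in enumerate(constraints, 1):
        if required_role not in _texts(sc, "role-name"):
            findings.append(f"constraint {n}: role {required_role} is not required")
        if "/*" not in _texts(sc, "url-pattern"):
            findings.append(f"constraint {n}: url-pattern /* is not covered")
        methods = _texts(sc, "http-method")
        if methods:
            findings.append(f"constraint {n}: only {', '.join(methods)} are constrained; "
                            "other HTTP methods are not")
    return findings

# Constructed sample documents (assumptions, not copied from a real deployment).
CONSTRAINT = """<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <url-pattern>/*</url-pattern>{methods}
  </web-resource-collection>
  <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
</security-constraint>"""
METHODS = "<http-method>GET</http-method><http-method>POST</http-method>"
COMMENTED = "<web-app><!-- " + CONSTRAINT.format(methods=METHODS) + " --></web-app>"
AS_SHIPPED = "<web-app>" + CONSTRAINT.format(methods=METHODS) + "</web-app>"
ALL_METHODS = "<web-app>" + CONSTRAINT.format(methods="") + "</web-app>"

if __name__ == "__main__":
    for name, doc in [("commented", COMMENTED), ("as shipped", AS_SHIPPED),
                      ("all methods", ALL_METHODS)]:
        print(f"{name}: {audit_web_xml(doc) or 'OK'}")
```

A constraint with no http-method elements applies to every HTTP method, which is why the third sample produces no findings.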