Secure JBoss JMX Console

Since JBoss can now be installed from a zip file, it comes with a default, unsecured jmx-console. This is unacceptable for production, so here is how to secure the jmx-console using HTTP authentication (applies to JBoss 4.2.2.GA).

1. Edit jboss/server/default/deploy/jmx-console.war/WEB-INF/web.xml and uncomment the security-constraint element:

   <security-constraint>
     <web-resource-collection>
       <web-resource-name>HtmlAdaptor</web-resource-name>
       <description>An example security config that only allows users with the
         role JBossAdmin to access the HTML JMX console web application
       </description>
       <url-pattern>/*</url-pattern>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
     </web-resource-collection>
     <auth-constraint>
       <role-name>JBossAdmin</role-name>
     </auth-constraint>
   </security-constraint>

2. Edit jboss/server/default/deploy/jmx-console.war/WEB-INF/web.xml and uncomment the security-domain element:

<security-domain>java:/jaas/jmx-console</security-domain>

3. Edit jboss/server/default/conf/login-config.xml and make sure that it contains the definition of the jmx-console authentication policy:

<application-policy name = "jmx-console">
       <authentication>
          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required">
           <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
           <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
          </login-module>
       </authentication>
</application-policy>

4. Edit the files jboss/server/default/conf/props/jmx-console-users.properties and jboss/server/default/conf/props/jmx-console-roles.properties to define your users and their roles.
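
Added example (not part of the original post and not JBoss code): a small Python audit that checks the contents of the files from the steps above after editing. It relies on the XML parser dropping comments, so an element that was left commented out is reported as missing. The function names and sample inputs are constructed; the check looks for security-domain in WEB-INF/jboss-web.xml, and the http-method finding reflects the Servlet rule that a constraint listing methods applies only to those methods.

```python
import xml.etree.ElementTree as ET

def _els(node, name):
    """Descendants called `name`; commented-out markup is never returned."""
    return [e for e in node.iter() if e.tag.rsplit("}", 1)[-1] == name]

def _props(text):
    """Parse key=value lines of a .properties file, skipping # comments."""
    rows = (l.strip() for l in text.splitlines())
    return dict(tuple(p.strip() for p in l.split("=", 1))
                for l in rows if "=" in l and not l.startswith("#"))

def audit(web_xml, jboss_web_xml, login_config_xml, users, roles):
    findings, required = [], set()
    constraints = _els(ET.fromstring(web_xml), "security-constraint")
    if not constraints:
        findings.append("web.xml: security-constraint missing or still commented out")
    for c in constraints:
        required |= {r.text.strip() for r in _els(c, "role-name") if r.text}
        methods = [m.text.strip() for m in _els(c, "http-method") if m.text]
        if methods:  # Servlet spec: only the listed methods are constrained
            findings.append("web.xml: constraint covers only " + ", ".join(methods))
    domains = [d.text.strip() for d in
               _els(ET.fromstring(jboss_web_xml), "security-domain") if d.text]
    if "java:/jaas/jmx-console" not in domains:
        findings.append("jboss-web.xml: security-domain java:/jaas/jmx-console not active")
    policies = [p for p in _els(ET.fromstring(login_config_xml), "application-policy")
                if p.get("name") == "jmx-console"]
    if not policies or not _els(policies[0], "login-module"):
        findings.append("login-config.xml: no jmx-console policy with a login-module")
    u, r = _props(users), _props(roles)
    for name, pw in u.items():
        if pw == name:  # e.g. an unchanged admin=admin entry
            findings.append(f"users: password of '{name}' equals the user name")
    holders = [n for n in u if required & {x.strip() for x in r.get(n, "").split(",")}]
    if required and not holders:
        findings.append("roles: no user holds " + ", ".join(sorted(required)))
    return findings

# Constructed sample input (not taken from a real server).
WEB = """<web-app><!-- <security-constraint/> -->
  <security-constraint><web-resource-collection><url-pattern>/*</url-pattern>
    <http-method>GET</http-method><http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint></web-app>"""
JBOSS_WEB = "<jboss-web><!-- <security-domain>java:/jaas/jmx-console</security-domain> --></jboss-web>"
LOGIN = '<policy><application-policy name="jmx-console"><authentication><login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"/></authentication></application-policy></policy>'

if __name__ == "__main__":
    print("\n".join(audit(WEB, JBOSS_WEB, LOGIN, "admin=admin\n", "admin=JBossAdmin,HttpInvoker\n")))
```

An empty result means every check passed; to run it against a real install, read the five files from the paths given in the steps and pass their contents to `audit`.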

One Response

  1. Great guide. However, for step 2.

    2. Edit jboss/server/default/deploy/jmx-console.war/WEB-INF/web.xml and uncomment the security-domain element:
    java:/jaas/jmx-console

    This should be jboss-web.xml and not web.xml
