Secure JBoss JMX Console
Since JBoss can now be installed from a zip file it comes with a default unsecured jmx-console. This is unacceptable for production so here is the method to secure the jmx-console using http authentication (applies to JBoss 4.2.2.GA).
1. Edit jboss/server/default/deploy/jmx-console.war/WEB-INF/web.xml and uncomment the security-constraint element:
<security-constraint> <web-resource-collection> <web-resource-name>HtmlAdaptor</web-resource-name> <description>An example security config that only allows users with the role JBossAdmin to access the HTML JMX console web application </description> <url-pattern>/*</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <auth-constraint> <role-name>JBossAdmin</role-name> </auth-constraint> </security-constraint>
2. Edit jboss/server/default/deploy/jmx-console.war/WEB-INF/web.xml and uncomment the security-domain element:
<security-domain>java:/jaas/jmx-console</security-domain>
3. Edit jboss/server/default/conf/login-config.xml and make sure that you have the definition of the jmx-console authentication-policy
<application-policy name = "jmx-console"> <authentication> <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag = "required"> <module-option name="usersProperties">props/jmx-console-users.properties</module-option> <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option> </login-module> </authentication> </application-policy>
4. Edit the files jboss/server/default/conf/props/jmx-console-users.properties and jboss/server/default/conf/props/jmx-console-roles.properties to edit your users.
Great guide. However, for step 2.
2. Edit jboss/server/default/deploy/jmx-console.war/WEB-INF/web.xml and uncomment the security-domain element:
java:/jaas/jmx-console
This should be jboss-web.xml and not web.xml