Red Hat Knowledgebase

Article Reference

Article ID: 9629
Last update: 11-24-06
Issue:
How do I enable authentication on JBoss services such as rmi-http, jmx-console, and web-console?
Resolution:

If JBoss services must listen on external addresses that unauthorized users can reach, enable authentication on services such as rmi-http, jmx-console, and web-console. Left open, these services expose the administrative interface of the JBoss installation (the JMX MBeans, including deployment, undeployment and service lifecycle operations) to anyone who can connect, which at minimum permits Denial of Service (DoS) attacks.

To secure the above mentioned services:

Note: In the instructions below, <configuration> refers to the server configuration in use (default, minimal, or any custom configuration created by the administrator). Follow these instructions for every configuration that will be run. All paths are relative to $JBOSS_HOME, /var/lib/jbossas by default.

  1. Enabling authentication for the JMX and web consoles:

    Edit the following web.xml files and uncomment the security-constraint section:

    • server/<configuration>/deploy/jmx-console.war/WEB-INF/web.xml
    • server/<configuration>/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml

    The following fragment should be uncommented:

        <security-constraint>
          <web-resource-collection>
             <web-resource-name>HtmlAdaptor</web-resource-name>
             <description>An example security config that only allows users with the
             role JBossAdmin to access the HTML JMX console web application
             </description>
             <url-pattern>/*</url-pattern>
             <http-method>GET</http-method>
             <http-method>POST</http-method>
          </web-resource-collection>
          <auth-constraint>
             <role-name>JBossAdmin</role-name>
          </auth-constraint>
        </security-constraint>

    Note that a security-constraint which lists <http-method> elements applies only to the listed methods: requests made with any other method (HEAD, PUT, DELETE, OPTIONS, ...) are not subject to it and reach the servlet unauthenticated. For a constraint that covers every method, delete the two <http-method> lines. The same applies to the http-invoker constraint in step 2.


    Then uncomment the <security-domain> element in the following jboss-web.xml files so that each web application is bound to a JAAS security domain:

    • server/<configuration>/deploy/jmx-console.war/WEB-INF/jboss-web.xml
    • server/<configuration>/deploy/management/console-mgr.sar/web-console.war/WEB-INF/jboss-web.xml

    The file should then contain something like the following XML fragment (the domain name must match an application-policy in server/<configuration>/conf/login-config.xml):

    <jboss-web>
       <!-- Uncomment the security-domain to enable security. You will
          need to edit the htmladaptor login configuration to setup the
          login modules used to authentication users.
       -->
       <security-domain>java:/jaas/jmx-console</security-domain>
    </jboss-web>
    
  2. Enabling authentication for the http invoker

    The invoker web application's web.xml, server/<configuration>/deploy/http-invoker.sar/invoker.war/WEB-INF/web.xml (or server/<configuration>/deploy/httpha-invoker.sar/invoker.war/WEB-INF/web.xml, depending on which server configuration is being run), needs the JNDIFactory, EJBInvokerServlet, and JMXInvokerServlet URL patterns added to its security constraint, which in the stock file covers only /restricted/*.

    i.e. the security-constraint element should look as follows:

          <security-constraint>
             <web-resource-collection>
                <web-resource-name>HttpInvokers</web-resource-name>
                <description>An example security config that only allows users with the
                role HttpInvoker to access the HTTP invoker servlets
                </description>
                <url-pattern>/restricted/*</url-pattern>
                <url-pattern>/JNDIFactory/*</url-pattern>
                <url-pattern>/EJBInvokerServlet/*</url-pattern>
                <url-pattern>/JMXInvokerServlet/*</url-pattern>
                <http-method>GET</http-method>
                <http-method>POST</http-method>
             </web-resource-collection>
             <auth-constraint>
                <role-name>HttpInvoker</role-name>
             </auth-constraint>
          </security-constraint>


    Also ensure the corresponding jboss-web.xml file has a security domain associated; it should contain something like the following:

       <jboss-web>
          <security-domain>java:/jaas/jmx-console</security-domain>
       </jboss-web>
    
  3. Binding the JMX invoker to localhost - *HIGHLY RECOMMENDED*:

    It is recommended that the JMX invoker be bound to localhost only, so that it cannot be reached from other hosts at all. Do it as follows:

    In server/<configuration>/conf/jboss-service.xml, look for the RMI/JRMP invoker section and set ServerAddress to localhost. Note that this invoker (port 4444) is also the default transport for remote EJB clients; once it is bound to localhost, such clients must go through the authenticated HTTP invoker from step 2. The section should then look something like:

       <!-- RMI/JRMP invoker -->
       <mbean code="org.jboss.invocation.jrmp.server.JRMPInvoker"
          name="jboss:service=invoker,type=jrmp">
          <attribute name="RMIObjectPort">4444</attribute>
          <attribute name="ServerAddress">localhost</attribute>
          ....
    

    In server/<configuration>/deploy/jmx-invoker-service.xml, add the following mbean inside the <server> element:

       <!-- A pooled invoker bound to localhost -->
       <mbean code="org.jboss.invocation.pooled.server.PooledInvoker"
          name="jboss:service=invoker,type=pooled,host=localhost">
          <attribute name="NumAcceptThreads">1</attribute>
          <attribute name="MaxPoolSize">300</attribute>
          <attribute name="ClientMaxPoolSize">300</attribute>
          <attribute name="SocketTimeout">60000</attribute>
          <attribute name="ServerBindAddress">localhost</attribute>
          <attribute name="ServerBindPort">4443</attribute>
          <attribute name="ClientConnectAddress">localhost</attribute>
          <attribute name="ClientConnectPort">0</attribute>
          <attribute name="ClientRetryCount">1</attribute>
          <attribute name="EnableTcpNoDelay">false</attribute>
          <depends optional-attribute-name="TransactionManagerService">jboss:service=TransactionManager</depends>
       </mbean>


    Then, in the <mbean code="org.jboss.invocation.jrmp.server.JRMPProxyFactory" ...> section of the same file, point the <depends> element whose optional-attribute-name is "InvokerName" at the new pooled invoker, "jboss:service=invoker,type=pooled,host=localhost", so that it reads:

    <depends optional-attribute-name="InvokerName">jboss:service=invoker,type=pooled,host=localhost</depends>

  4. Setting up users and roles

    The default user/password combination of admin/admin shipped in the properties files is now live, so change it before exposing the server. Users for the configured security domains are defined in the corresponding credential files, one username=password pair per line (stored in clear text by default), e.g.:

    server/<configuration>/conf/props/jmx-console-users.properties and server/<configuration>/deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/web-console-users.properties

    Roles are assigned in the matching roles files, one username=role1,role2 line per user; each user must hold the role named in the auth-constraint that protects the service (JBossAdmin for the consoles, HttpInvoker for the http invoker), e.g.:

    server/<configuration>/conf/props/jmx-console-roles.properties and server/<configuration>/deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/web-console-roles.properties

    Following the changes above, the externally visible rmi-http, jmx-console, and web-console services require authentication, while the JMX invoker listens on localhost only.
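    The following Python script is an added verification aid, not part of this article or of JBoss: it audits the descriptors edited in steps 1 to 4 for the hardened state. Because ElementTree drops XML comments, a security-constraint or security-domain that was never actually uncommented is reported as missing. The sample descriptors embedded below are constructed, trimmed copies of the stock jmx-console layout, and the function names are the script's own.

```python
"""Audit JBoss 4.x descriptors for the hardening steps above (added example).
ElementTree drops XML comments, so a <security-constraint> or <security-domain>
still inside <!-- --> is reported as missing, which is the check steps 1-2 need."""
import xml.etree.ElementTree as ET


def _find_all(root, name):
    """Match on local name so web-app 2.3 (no namespace) and 2.4 (namespaced) both work."""
    return [el for el in root.iter()
            if isinstance(el.tag, str) and el.tag.rsplit("}", 1)[-1] == name]


def audit_web_xml(xml_text, required_role):
    """Steps 1 and 2: findings for a web.xml; [] means the constraint is sound."""
    root = ET.fromstring(xml_text)
    constraints = _find_all(root, "security-constraint")
    if not constraints:
        return ["no active <security-constraint>: still commented out?"]
    findings = []
    for sc in constraints:
        roles = [r.text.strip() for r in _find_all(sc, "role-name") if r.text]
        if required_role not in roles:
            findings.append(f"auth-constraint does not require role {required_role}")
        # Servlet spec: once any <http-method> is listed, ONLY those methods are
        # constrained; HEAD, PUT, DELETE, ... reach the servlet unauthenticated.
        methods = [m.text.strip() for m in _find_all(sc, "http-method") if m.text]
        if methods:
            findings.append("constraint limited to " + ",".join(methods)
                            + "; other HTTP methods bypass it, remove <http-method>")
    return findings


def audit_jboss_web_xml(xml_text):
    """Steps 1 and 2: without an active <security-domain> JAAS is never consulted."""
    root = ET.fromstring(xml_text)
    domains = [d.text.strip() for d in _find_all(root, "security-domain") if d.text]
    if not domains:
        return ["no active <security-domain>: still commented out?"]
    return [] if domains[0].startswith("java:/jaas/") else [f"odd security-domain {domains[0]!r}"]


def audit_jrmp_invoker(xml_text):
    """Step 3: the JRMP invoker in jboss-service.xml must carry ServerAddress=localhost."""
    root = ET.fromstring(xml_text)
    for mb in _find_all(root, "mbean"):
        if mb.get("name") != "jboss:service=invoker,type=jrmp":
            continue
        for attr in _find_all(mb, "attribute"):
            if attr.get("name") == "ServerAddress":
                addr = (attr.text or "").strip()
                if addr in ("localhost", "127.0.0.1"):
                    return []
                return [f"JRMP invoker ServerAddress is {addr!r}, not localhost"]
        return ["JRMP invoker has no ServerAddress attribute"]
    return ["JRMPInvoker mbean not found"]


def audit_users_properties(text):
    """Step 4: flag the shipped admin/admin credential and empty passwords."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, password = (part.strip() for part in line.partition("="))
        if (user, password) == ("admin", "admin"):
            findings.append("default admin/admin credential still present")
        elif not password:
            findings.append(f"user {user!r} has an empty password")
    return findings


# Constructed samples, trimmed from the stock jmx-console layout (not the real files).
STOCK_WEB_XML = """\
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
   "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <!--
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
  -->
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>
"""
UNCOMMENTED_WEB_XML = STOCK_WEB_XML.replace("  <!--\n", "").replace("  -->\n", "")  # step 1 as written
ALL_METHODS_WEB_XML = "\n".join(line for line in UNCOMMENTED_WEB_XML.splitlines()
                                if "<http-method>" not in line)  # every verb covered

STOCK_JBOSS_WEB_XML = """\
<jboss-web>
  <!--
  <security-domain>java:/jaas/jmx-console</security-domain>
  -->
</jboss-web>
"""
SECURED_JBOSS_WEB_XML = STOCK_JBOSS_WEB_XML.replace("  <!--\n", "").replace("  -->\n", "")

STOCK_JBOSS_SERVICE_XML = """\
<server>
  <!-- RMI/JRMP invoker -->
  <mbean code="org.jboss.invocation.jrmp.server.JRMPInvoker"
     name="jboss:service=invoker,type=jrmp">
    <attribute name="RMIObjectPort">4444</attribute>
    <attribute name="ServerAddress">${jboss.bind.address}</attribute>
  </mbean>
</server>
"""
LOCALHOST_JBOSS_SERVICE_XML = STOCK_JBOSS_SERVICE_XML.replace("${jboss.bind.address}", "localhost")

STOCK_USERS = "# A sample users.properties file for use with the UsersRolesLoginModule\nadmin=admin\n"
ROTATED_USERS = "admin=Replace-Me-With-A-Generated-Secret\n"
```

    To audit a live installation, read the real files in place of the constructed strings: the jmx-console and web-console web.xml files are checked against JBossAdmin, the invoker.war web.xml against HttpInvoker, and server/<configuration>/conf/jboss-service.xml with audit_jrmp_invoker. An empty list from every function means that configuration is in the state this article describes.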

    Further details on security can be found at the following locations: http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureTheJmxConsole
    http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureTheInvokers
    http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss

