Article Reference

Article ID: 9963
Last update: 05-29-07
Issue:
How do I disable authentication for specific key services in JBoss?
Resolution:

By default, both the rpm and the zip distributions of JBoss AS ship with authentication turned on for the jmx-console, web-console, jmx-invoker and http-invoker. Additionally, no user accounts are active by default, which prevents attacks based on default user/password combinations.

Accounts for the jmx-console and the invokers can be set up by modifying:

   $JBOSS_HOME/server/$CONFIG/conf/props/jmx-console-users.properties

together with jmx-console-roles.properties in the same directory, which maps each user to the role (JBossAdmin) that the security constraints below require.

Accounts for web-console users can be set up by modifying:

   $JBOSS_HOME/server/$CONFIG/deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/web-console-users.properties

together with the web-console-roles.properties file in the same directory.

Here $JBOSS_HOME is the install directory (/var/lib/jbossas) and $CONFIG is the server configuration being used.

It is also possible to disable authentication on specific services. All paths in the sections below are relative to $JBOSS_HOME, /var/lib/jbossas by default. Note that the JMX console and the invokers expose the full management interface of the server, including the ability to deploy applications, so an instance with authentication disabled must only be reachable from trusted hosts.

To disable authentication for the JMX console, edit the following file and comment out the security-constraint section:

* server/<configuration>/deploy/jmx-console.war/WEB-INF/web.xml

The following fragment should be commented out:

    <security-constraint>
      <web-resource-collection>
         <web-resource-name>HtmlAdaptor</web-resource-name>
         <description>An example security config that only allows users with the
         role JBossAdmin to access the HTML JMX console web application
         </description>
         <url-pattern>/*</url-pattern>
         <http-method>GET</http-method>
         <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
         <role-name>JBossAdmin</role-name>
      </auth-constraint>
    </security-constraint>

To disable authentication for the Web console, edit the following file to comment out the security-constraint section:

* server/<configuration>/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml

The following fragment should be commented out:

    <security-constraint>
      <web-resource-collection>
         <web-resource-name>HtmlAdaptor</web-resource-name>
         <description>An example security config that only allows users with the
         role JBossAdmin to access the HTML JMX console web application
         </description>
         <url-pattern>/*</url-pattern>
         <http-method>GET</http-method>
         <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
         <role-name>JBossAdmin</role-name>
      </auth-constraint>
    </security-constraint>

To disable authentication for the HTTP invoker, edit the following file (again under the server configuration being run) and remove the url-pattern entries for JNDIFactory, EJBInvokerServlet and JMXInvokerServlet from the HttpInvokers security constraint, so that only the /restricted/* path remains protected:

* server/<configuration>/deploy/httpha-invoker.sar/invoker.war/WEB-INF/web.xml

After the edit, the security-constraint element should look as follows:

   <security-constraint>
      <web-resource-collection>
         <web-resource-name>HttpInvokers</web-resource-name>
         <description>An example security config that only allows users with the
         role HttpInvoker to access the HTTP invoker servlets
         </description>
         <url-pattern>/restricted/*</url-pattern>
         <http-method>GET</http-method>
         <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
         <role-name>HttpInvoker</role-name>
      </auth-constraint>
   </security-constraint>

To disable authentication for the JMX invoker, edit the following file and comment out the authentication interceptor:

* server/<configuration>/deploy/jmx-invoker-service.xml

Locate the mbean element whose code attribute is "org.jboss.jmx.connector.invoker.InvokerAdaptorService". In its interceptors list, comment out the AuthenticationInterceptor element (the comment above it reads "Uncomment to require authenticated users", but in the shipped file the element is active):

       <descriptors>
          <interceptors>
             <!-- Uncomment to require authenticated users -->
             <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
                    securityDomain="java:/jaas/jmx-console"/>
             <!-- Interceptor that deals with non-serializable results -->
             <interceptor code="org.jboss.jmx.connector.invoker.SerializableInterceptor"
                    policyClass="StripModelMBeanInfoPolicy"/>
          </interceptors>
       </descriptors>
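The four edits above (commenting out the security-constraint in the jmx-console and web-console web.xml, dropping the invoker url-patterns, and commenting out the AuthenticationInterceptor) are the kind of change that is easy to get subtly wrong by hand, for instance by producing an XML comment containing "--" or by commenting a block twice. The following POSIX sh helpers are an added example, not part of the Red Hat article or of JBoss: they apply each edit with a .orig backup and refuse to write a malformed comment. The write_sample_* functions produce constructed fixtures shaped like the descriptors discussed above, not copies of shipped files, and the assumption that the invoker web.xml lists JNDIFactory, EJBInvokerServlet and JMXInvokerServlet as url-pattern entries follows from the after-state the article shows.

```shell
#!/bin/sh
# Added example (not from the Red Hat article or JBoss): POSIX sh helpers that
# apply the edits described in the resolution to a JBoss descriptor, keeping a
# .orig backup and refusing to write a malformed XML comment. The sample
# descriptors written by write_sample_* are constructed fixtures.
set -eu

# comment_out_block FILE START_RE END_RE
# Wraps the lines from the first match of START_RE through the next match of
# END_RE in <!-- ... -->. Patterns are sed BREs and must not contain '#'.
comment_out_block() {
    file=$1 start_re=$2 end_re=$3
    grep -q -e "$start_re" "$file" || { echo "$file: no match for $start_re" >&2; return 1; }
    # "--" is illegal inside an XML comment; refuse rather than corrupt the file.
    if sed -n -e "\\#$start_re#,\\#$end_re#p" "$file" | grep -q -e '--'; then
        echo "$file: block contains '--', cannot wrap it in a comment" >&2; return 1
    fi
    # Refuse to comment twice: the line before START_RE is already a bare "<!--".
    if sed -n -e "\\#$start_re#{x;p;x;}" -e h "$file" | grep -q -x '[[:space:]]*<!--[[:space:]]*'; then
        echo "$file: block is already commented out" >&2; return 1
    fi
    cp "$file" "$file.orig"
    sed -e "\\#$start_re#i\\
<!--" -e "\\#$end_re#a\\
-->" "$file.orig" > "$file"
}

# drop_invoker_patterns FILE
# Deletes the url-pattern lines that place the three invoker servlets under the
# HttpInvokers constraint, leaving /restricted/* protected.
drop_invoker_patterns() {
    file=$1
    cp "$file" "$file.orig"
    sed -e '\#<url-pattern>/JNDIFactory/\*</url-pattern>#d' \
        -e '\#<url-pattern>/EJBInvokerServlet/\*</url-pattern>#d' \
        -e '\#<url-pattern>/JMXInvokerServlet/\*</url-pattern>#d' \
        "$file.orig" > "$file"
}

# constraint_active FILE: succeeds if a <security-constraint> is still live,
# i.e. not immediately preceded by a bare "<!--" line.
constraint_active() {
    sed -n -e '\#<security-constraint>#{x;p;x;}' -e h "$1" |
        grep -v -q -x '[[:space:]]*<!--[[:space:]]*'
}

# Constructed fixture shaped like invoker.war/WEB-INF/web.xml.
write_sample_web_xml() {
    cat > "$1" <<'EOF'
<web-app>
   <security-constraint>
      <web-resource-collection>
         <web-resource-name>HttpInvokers</web-resource-name>
         <url-pattern>/restricted/*</url-pattern>
         <url-pattern>/JNDIFactory/*</url-pattern>
         <url-pattern>/EJBInvokerServlet/*</url-pattern>
         <url-pattern>/JMXInvokerServlet/*</url-pattern>
         <http-method>GET</http-method>
         <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
         <role-name>HttpInvoker</role-name>
      </auth-constraint>
   </security-constraint>
</web-app>
EOF
}

# Constructed fixture shaped like the interceptors list in jmx-invoker-service.xml.
write_sample_invoker_xml() {
    cat > "$1" <<'EOF'
<interceptors>
   <!-- Uncomment to require authenticated users -->
   <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
          securityDomain="java:/jaas/jmx-console"/>
   <interceptor code="org.jboss.jmx.connector.invoker.SerializableInterceptor"
          policyClass="StripModelMBeanInfoPolicy"/>
</interceptors>
EOF
}

# Against a real install (paths relative to $JBOSS_HOME, e.g. /var/lib/jbossas):
#   comment_out_block server/default/deploy/jmx-console.war/WEB-INF/web.xml \
#       '<security-constraint>' '</security-constraint>'
#   drop_invoker_patterns server/default/deploy/httpha-invoker.sar/invoker.war/WEB-INF/web.xml
#   comment_out_block server/default/deploy/jmx-invoker-service.xml \
#       'AuthenticationInterceptor' 'securityDomain="java:/jaas/jmx-console"/>'
# The demo runs the same steps on the fixtures in a temporary directory.
demo() {
    dir=$(mktemp -d)
    write_sample_web_xml "$dir/web.xml"
    drop_invoker_patterns "$dir/web.xml"
    constraint_active "$dir/web.xml" && echo "invoker: /restricted/* still protected"
    comment_out_block "$dir/web.xml" '<security-constraint>' '</security-constraint>'
    constraint_active "$dir/web.xml" || echo "invoker: constraint commented out"
    write_sample_invoker_xml "$dir/jmx-invoker-service.xml"
    comment_out_block "$dir/jmx-invoker-service.xml" \
        'AuthenticationInterceptor' 'securityDomain="java:/jaas/jmx-console"/>'
    diff -u "$dir/jmx-invoker-service.xml.orig" "$dir/jmx-invoker-service.xml" || true
    rm -rf "$dir"
}

demo
```

After restarting JBoss, confirm the effect from the network rather than by reading the file: an unauthenticated request such as `curl -s -o /dev/null -w '%{http_code}\n' http://localhost:8080/jmx-console/` returns 200 once the constraint is gone, where the shipped configuration answers 401. Keep the .orig copies until that check passes, and restore them when the host is no longer network-isolated.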

