Sat. Jun 15th, 2024

It is strongly recommended to take some security measures to restrict access to the jmx-console and web-console of JBoss, particularly if you have an old JBoss version (under 6.x and especially 4.x), because from them it is possible to change a lot of parameters in the JBoss configuration, and only we should have access to that.

Besides, some days ago a new worm appeared that exploits an old vulnerability (CVE-2010-0738). This worm takes advantage of the way HTTP requests are handled and of the standard security constraints that sysadmins usually configure, which block only GET and POST HTTP requests to jmx-console and web-console. For more details you can see this statement.

The first step is to enable authentication through security constraints:

1. Edit $JBOSS_HOME/PROFILE/deploy/jmx-console.war/WEB-INF/web.xml

And uncomment the following lines:

       <description>An example security config that only allows users with the
         role JBossAdmin to access the HTML JMX console web application
       </description>

Be careful with the value of <realm-name>, because it has to match the <login-config> inside $JBOSS_HOME/server/PROFILE/conf/login-config.xml, which defines the authentication method. User and password are defined in plain text in $JBOSS_HOME/server/PROFILE/conf/props/jmx-console-users.properties (be careful with this and set strict file permissions). The user set in that file has to have the JBossAdmin role, as we set in web.xml.

2. Edit $JBOSS_HOME/PROFILE/deploy/jmx-console.war/WEB-INF/jboss-web.xml to set the security domain name:


3. Edit $JBOSS_HOME/server/default/conf/login-config.xml:

and ensure you have this group of lines:

    <!-- Security domain for the jmx-console; the name must match the
      security-domain set in jmx-console.war/WEB-INF/jboss-web.xml. -->
    <application-policy name = "jmx-console">
       <authentication>
          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required">
           <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
           <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
          </login-module>
       </authentication>
    </application-policy>

    <!-- A template configuration for the web-console web application. This
      defaults to the UsersRolesLoginModule the same as other and should be
      changed to a stronger authentication mechanism as required.
    -->
    <application-policy name = "web-console">
       <authentication>
          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required">
             <module-option name="usersProperties">web-console-users.properties</module-option>
             <module-option name="rolesProperties">web-console-roles.properties</module-option>
          </login-module>
       </authentication>
    </application-policy>

In JBoss AS 5.x and earlier versions, the web.xml file includes a security-constraint that restricts only GET and POST requests:


Remove these lines so that the security constraint applies to all HTTP requests, whatever the method.
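To check a deployed web.xml for exactly this weakness, here is a small audit script (an added example, not part of the original post). It parses the file and reports any security-constraint that enumerates <http-method> elements, since such a constraint only covers the listed verbs, or that lacks an <auth-constraint> altogether; the two web.xml fragments embedded below are constructed samples modelled on the default jmx-console descriptor.

```python
# Added example: audit a JBoss web.xml for the verb-limited security-constraint
# behind CVE-2010-0738. Listing GET and POST in <http-method> means a request
# with any other verb reaches the same servlet without authentication; removing
# the <http-method> elements makes the constraint cover every method.
import xml.etree.ElementTree as ET

# Constructed sample: the shape of the default jmx-console web.xml.
WEAK_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed sample: the same constraint after dropping the <http-method> lines.
HARDENED_WEB_XML = WEAK_WEB_XML.replace(
    "      <http-method>GET</http-method>\n"
    "      <http-method>POST</http-method>\n", "")


def _named(elem, name):
    """Descendants with the given local tag name (ignores any XML namespace)."""
    return [c for c in elem.iter() if c.tag.rsplit("}", 1)[-1] == name]


def audit_security_constraints(web_xml: str) -> list[str]:
    """Return one finding per weak <security-constraint>; empty list means OK."""
    findings = []
    root = ET.fromstring(web_xml)
    for sc in _named(root, "security-constraint"):
        patterns = [p.text.strip() for p in _named(sc, "url-pattern") if p.text]
        methods = [m.text.strip() for m in _named(sc, "http-method") if m.text]
        if not _named(sc, "auth-constraint"):
            findings.append(f"{patterns}: no <auth-constraint>, no role is required")
        if methods:
            findings.append(f"{patterns}: only {methods} require authentication; "
                            "other HTTP verbs bypass the constraint")
    return findings


if __name__ == "__main__":
    print("weak:    ", audit_security_constraints(WEAK_WEB_XML))
    print("hardened:", audit_security_constraints(HARDENED_WEB_XML))
```

To audit a live server, read $JBOSS_HOME/server/PROFILE/deploy/jmx-console.war/WEB-INF/web.xml into `audit_security_constraints`; an empty result means every method on the protected paths requires the role.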

You can redeploy by running "touch jmx-console.war", without restarting the server.

Securing the web-console works in a similar way:

  • Edit $JBOSS_HOME/PROFILE/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml and $JBOSS_HOME/server/PROFILE/deploy/management/console-mgr.sar/web-console.war/WEB-INF/jboss-web.xml in the same way that we did for the jmx-console.
  • Edit $JBOSS_HOME/server/PROFILE/conf/props/jmx-console-users.properties in the same way that we did for the jmx-console.

We should check that both applications have redeployed correctly and now ask for a user and password.
