It is strongly recommended to restrict access to the jmx-console and web-console of JBoss, particularly if you run an old JBoss version (below 6.x, and especially 4.x), because from these consoles it is possible to change a great many JBoss configuration parameters (including deploying new applications), and only administrators should be able to do that.
Besides, a few days ago a new worm appeared that exploits an old vulnerability (CVE-2010-0738). The worm takes advantage of the way JBoss handles HTTP requests together with the security constraints sysadmins usually configure, which only cover GET and POST requests to jmx-console and web-console: a request using any other method (HEAD, for instance) is not matched by the constraint and reaches the console unauthenticated. For more details you can see this statement.
The first step is to enable authentication through security constraints:
1. Edit $JBOSS_HOME/server/PROFILE/deploy/jmx-console.war/WEB-INF/web.xml
and uncomment the following lines:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <description>An example security config that only allows users with the role JBossAdmin to access the HTML JMX console web application</description>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>jmx-console</realm-name>
</login-config>
<security-role>
  <role-name>JBossAdmin</role-name>
</security-role>
Note that <realm-name> is only the realm string sent in the BASIC challenge; what actually binds the console to an authentication configuration is the <security-domain> set in jboss-web.xml (step 2), which must match an <application-policy> name in $JBOSS_HOME/server/PROFILE/conf/login-config.xml, the file that defines the login module. Users and passwords are stored in plain text in $JBOSS_HOME/server/PROFILE/conf/props/jmx-console-users.properties (so set strict file permissions on it, and replace any default credentials the distribution shipped with), and the role mapping lives in jmx-console-roles.properties next to it. The user defined there must be given the JBossAdmin role, as required by the auth-constraint in web.xml.
2. Edit $JBOSS_HOME/server/PROFILE/deploy/jmx-console.war/WEB-INF/jboss-web.xml to set the security domain name (uncomment the line if it is already there). For jmx-console the domain is jmx-console, matching the application-policy of the same name in login-config.xml:
<security-domain>java:/jaas/jmx-console</security-domain>
3. Edit $JBOSS_HOME/server/PROFILE/conf/login-config.xml
and make sure it contains this group of lines:
<application-policy name = "jmx-console">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag = "required">
      <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
      <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
    </login-module>
  </authentication>
</application-policy>
<!-- A template configuration for the web-console web application. This defaults to the UsersRolesLoginModule the same as other and should be changed to a stronger authentication mechanism as required. -->
<application-policy name = "web-console">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag = "required">
      <module-option name="usersProperties">web-console-users.properties</module-option>
      <module-option name="rolesProperties">web-console-roles.properties</module-option>
    </login-module>
  </authentication>
</application-policy>
In JBoss AS 5.x and earlier, the shipped web.xml security-constraint restricts itself to GET and POST:
<http-method>GET</http-method>
<http-method>POST</http-method>
Remove these lines so the constraint applies to every HTTP method. A constraint that names methods covers only those methods, so a request using any other verb (HEAD, for example) reaches the console without authentication; that is exactly the hole CVE-2010-0738 describes.
You can redeploy by running "touch jmx-console.war" in the deploy directory, without restarting the server.
Securing the web-console is done the same way:
- Edit $JBOSS_HOME/server/PROFILE/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml and $JBOSS_HOME/server/PROFILE/deploy/management/console-mgr.sar/web-console.war/WEB-INF/jboss-web.xml in the same way as for jmx-console (the security domain here is java:/jaas/web-console, and the GET/POST <http-method> lines must be removed as well).
- Edit the web-console-users.properties and web-console-roles.properties files named by the web-console application-policy in the same way as for jmx-console. The policy names them without a props/ prefix, so they are loaded from the classpath; in a stock install they sit inside the web-console.war under WEB-INF/classes.
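As an added example (not code from the original post or from JBoss), the following script audits the three files the steps above touch for both consoles: it flags a security-constraint that lists HTTP methods (the CVE-2010-0738 bypass), a jboss-web.xml security domain that is not the expected one or has no application-policy in login-config.xml, a users file still carrying the shipped default admin=admin, and users who lack the JBossAdmin role. It also includes a live probe that sends several verbs unauthenticated so you can confirm that HEAD is challenged just like GET. The function names and the sample documents are mine; the samples are constructed to mirror the stock JBoss AS 4.x/5.x layout, and the probe's host, port and path are assumptions you pass in.

```python
# Added example, not from the original post or from JBoss: offline audit of the
# console security files plus a live verb probe. Function names and the sample
# documents below are mine, constructed to mirror the stock JBoss AS 4.x/5.x files.
import http.client
import xml.etree.ElementTree as ET

def _local(tag):
    """Strip a namespace like '{http://java.sun.com/xml/ns/j2ee}' so 2.3 and 2.4 web.xml both parse."""
    return tag.rsplit("}", 1)[-1]

def _kids(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def _texts(elem, name):
    return [(c.text or "").strip() for c in _kids(elem, name)]

def audit_web_xml(xml_text):
    """Findings for a console web.xml; an empty list means the constraint covers every verb."""
    findings = []
    root = ET.fromstring(xml_text)
    constraints = [e for e in root.iter() if _local(e.tag) == "security-constraint"]
    if not constraints:
        findings.append("no <security-constraint>: console is unauthenticated")
    for sc in constraints:
        if not _kids(sc, "auth-constraint"):
            findings.append("security-constraint without <auth-constraint>: no role is required")
        for wrc in _kids(sc, "web-resource-collection"):
            methods = _texts(wrc, "http-method")
            if methods:  # naming verbs means every verb not named (HEAD, ...) skips the constraint
                findings.append("constraint on %s lists %s only; other verbs bypass it (CVE-2010-0738)"
                                % (",".join(_texts(wrc, "url-pattern")), "/".join(methods)))
    return findings

def audit_domain(jboss_web_xml, login_config_xml, expected):
    """Check jboss-web.xml's java:/jaas/<name> is the expected domain and has an application-policy."""
    domains = [(e.text or "").strip() for e in ET.fromstring(jboss_web_xml).iter()
               if _local(e.tag) == "security-domain"]
    if not domains:
        return ["jboss-web.xml has no <security-domain>: login-config.xml policy is not bound"]
    name = domains[0].rsplit("/", 1)[-1]  # java:/jaas/jmx-console -> jmx-console
    findings = []
    if name != expected:
        findings.append("bound to domain %r, expected %r" % (name, expected))
    policies = [e.get("name") for e in ET.fromstring(login_config_xml).iter()
                if _local(e.tag) == "application-policy"]
    if name not in policies:
        findings.append("domain %r has no <application-policy> in login-config.xml" % name)
    return findings

def audit_credentials(users_props, roles_props, required_role="JBossAdmin"):
    """Parse the users/roles .properties text; flag the shipped default and users lacking the role."""
    def parse(text):
        pairs = [l.split("=", 1) for l in text.splitlines()
                 if l.strip() and not l.lstrip().startswith(("#", "!")) and "=" in l]
        return {k.strip(): v.strip() for k, v in pairs}
    users, roles = parse(users_props), parse(roles_props)
    findings = []
    for user, password in users.items():
        if password == user:
            findings.append("user %r has the username as password (JBoss ships admin=admin)" % user)
        if required_role not in roles.get(user, "").split(","):
            findings.append("user %r lacks role %s and cannot log in" % (user, required_role))
    return findings

def probe_console(host, port=8080, path="/jmx-console/", verbs=("GET", "HEAD", "POST", "OPTIONS")):
    """Unauthenticated request per verb; after hardening every status should be 401, never 200."""
    status = {}
    for verb in verbs:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request(verb, path)
        status[verb] = conn.getresponse().status
        conn.close()
    return status

# Constructed samples: the stock constraint before the GET/POST lines are dropped, and after.
VULNERABLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>jmx-console</realm-name></login-config>
  <security-role><role-name>JBossAdmin</role-name></security-role>
</web-app>"""
HARDENED_WEB_XML = VULNERABLE_WEB_XML.replace("<http-method>GET</http-method>", "").replace(
    "<http-method>POST</http-method>", "")
JBOSS_WEB_XML = "<jboss-web><security-domain>java:/jaas/jmx-console</security-domain></jboss-web>"
LOGIN_CONFIG_XML = """<policy>
  <application-policy name="jmx-console"><authentication/></application-policy>
  <application-policy name="web-console"><authentication/></application-policy>
</policy>"""
USERS_PROPS = "# username=password\nadmin=admin\nops=Str0ngP@ss\n"
ROLES_PROPS = "# username=role1,role2\nadmin=JBossAdmin\nops=JBossAdmin,HttpInvoker\n"

if __name__ == "__main__":
    print(audit_web_xml(VULNERABLE_WEB_XML))   # one finding: GET/POST-only constraint
    print(audit_web_xml(HARDENED_WEB_XML))     # []
    print(audit_domain(JBOSS_WEB_XML, LOGIN_CONFIG_XML, "jmx-console"), audit_credentials(USERS_PROPS, ROLES_PROPS))
```

To audit a real server, read the files named in the steps above with open(...).read() and pass them in (with expected="web-console" for the web-console pair). probe_console is the acceptance check for the GET/POST removal: run it against the server before and after touching the WAR; before the fix HEAD typically returns 200 while GET returns 401, after it every verb returns 401.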