Securing JMX Access in JBoss

Recently, we have been talking a lot about JMX – especially about using the Monitis JMX Agent to monitor your JBoss server. As I mentioned in my previous post, in JBoss 6.x and earlier versions, the JMX web console and the JMX connector do not require authentication. This obviously presents a security risk – anyone who knows the hostname and port number can connect to your JBoss server, and not only examine the MBean properties, but even invoke administrative operations. Fortunately, there are some easy steps you can take to prevent this from happening on your production servers. But first, let’s talk briefly about two components of the JBoss management ecosystem.

  • The JMX Console: Most developers who deploy applications on JBoss are familiar with the JMX console. It is basically a JEE webapp, deployed as a .WAR file. The console comes bundled with JBoss versions up to 6.x (JBoss 7 uses a different management infrastructure, but we will talk more about that in a future post). Like any web application, it can be secured declaratively by modifying its deployment descriptors. Usually, it can be accessed using a URL like this: http://localhost:8080/jmx-console
  • The JMX Connector accepts remote JMX/RMI connections (on port 1090 by default). Management applications (such as jconsole or the Monitis JMX Agent) use it to connect to the JBoss MBean server.

Securing the JMX Console

JBoss makes it really easy to secure the management applications – as easy as flipping a few switches (the hard part, of course, is finding the switches that need flipping). Here are the steps:

Step 1. Go to the $JBOSS_HOME/common/deploy/jmx-console.war/WEB-INF directory.

Step 2. Modify web.xml to uncomment the security-constraint element:

   <!-- A security constraint that restricts access to the HTML JMX console
   to users with the role JBossAdmin. Edit the roles to what you want and
   uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
   secured access to the HTML JMX console. -->

       <description>An example security config that only allows users with the
         role JBossAdmin to access the HTML JMX console web application

Step 3. Modify jboss-web.xml to uncomment the security-domain element:

<!DOCTYPE jboss-web PUBLIC
   "-//JBoss//DTD Web Application 5.0//EN"

   <!-- Uncomment the security-domain to enable security. You will
      need to edit the htmladaptor login configuration to setup the
      login modules used to authentication users.

Step 4. Go to $JBOSS_HOME/server/default/deploy and uncomment the following entry:

<property name="securityDomain">jmx-console</property>

Step 5. Create the users and roles files. Go to $JBOSS_HOME/server/default/conf/props and create two properties files like so:

$ echo 'admin=mysecretpasswd' >
$ echo 'admin=JBossAdmin' >


Of course, feel free to change the password to your liking. Since the password is stored in clear text, you should also make sure that the files are owned by the account JBoss runs under (typically jboss or root) and that their permissions are set to 600:

$ chown jboss
$ chmod 600
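The following Python script is an added example, not part of the original post and not code shipped with JBoss. It audits the two properties files the way the paragraph above asks you to: the mode must be 0600, the owner must be the JBoss account, and every user must have a non-trivial password and a role. The file names jmx-console-users.properties and jmx-console-roles.properties are the JBoss 5/6 defaults and are assumed here, as are the function names; the sample entries are the ones from the post.

```python
import os
import stat
import tempfile
from pathlib import Path

# File names assumed here (the JBoss 5/6 defaults under
# $JBOSS_HOME/server/default/conf/props); adjust if your login module
# points elsewhere.
USERS_FILE = "jmx-console-users.properties"
ROLES_FILE = "jmx-console-roles.properties"


def parse_properties(text):
    """Parse key=value lines of a Java properties file; comments and blanks are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_props_dir(props_dir, expected_uid=None):
    """Return a list of findings for the users/roles files; an empty list means all checks passed."""
    findings = []
    paths = {name: Path(props_dir) / name for name in (USERS_FILE, ROLES_FILE)}
    for name, path in paths.items():
        if not path.is_file():
            findings.append(f"{name}: missing")
            continue
        st = path.stat()
        mode = stat.S_IMODE(st.st_mode)
        # The password is stored in clear text, so nobody but the owner may read it.
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{name}: mode {mode:04o} is accessible to group/others, expected 0600")
        if expected_uid is not None and st.st_uid != expected_uid:
            findings.append(f"{name}: owned by uid {st.st_uid}, expected uid {expected_uid}")
    if any(not p.is_file() for p in paths.values()):
        return findings
    users = parse_properties(paths[USERS_FILE].read_text())
    roles = parse_properties(paths[ROLES_FILE].read_text())
    if not users:
        findings.append(f"{USERS_FILE}: no users defined")
    for user, password in users.items():
        if not password or password == user:
            findings.append(f"{user}: empty password or password equal to the user name")
        if not roles.get(user):
            findings.append(f"{user}: no role assigned, so the security-constraint will reject this user")
    for user in roles:
        if user not in users:
            findings.append(f"{user}: has a role but no password entry")
    return findings


def write_props(props_dir, users_text, roles_text, mode):
    """Write constructed sample files with an explicit mode (helper for the demo below)."""
    for name, text in ((USERS_FILE, users_text), (ROLES_FILE, roles_text)):
        path = Path(props_dir) / name
        path.write_text(text)
        os.chmod(path, mode)


def run_demo():
    """Audit the post's sample entries twice: once with mode 0600, once world-readable (0644)."""
    results = {}
    uid = os.getuid() if hasattr(os, "getuid") else None
    for label, mode in (("secured", 0o600), ("world_readable", 0o644)):
        with tempfile.TemporaryDirectory() as d:
            write_props(d, "admin=mysecretpasswd\n", "admin=JBossAdmin\n", mode)
            results[label] = audit_props_dir(d, expected_uid=uid)
    return results


if __name__ == "__main__":
    for label, findings in run_demo().items():
        print(label, findings or "OK")
```

Run it against the real directory with audit_props_dir("/path/to/server/default/conf/props", expected_uid=<uid of jboss>); the owner check is skipped when expected_uid is None, which is what the demo does on platforms without os.getuid.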

Once you make the changes, navigate to the JMX console in your browser. The server should now prompt you to log in.

Securing the JMX Connector

Even with the JMX console secured, JMX/RMI clients can still connect remotely without specifying credentials. To secure JMX/RMI access, uncomment the securityDomain property in $JBOSS_HOME/server/default/deploy/jmx-jboss-beans.xml so that the JMX connector authenticates against the same security domain used by the jmx-console:

  <bean name="JMXConnector" class="org.jboss.system.server.jmx.JMXConnector">
      <!-- configuration properties -->
      <!--  To enable authentication security checks, uncomment the following security domain name -->
      <property name="securityDomain">jmx-console</property>
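As an added example (my own audit code, not part of the post and not shipped with JBoss), the script below checks Steps 2 to 4 of the console section and the connector setting above by parsing the descriptors: it reports when the security-constraint, the security-domain or the JMXConnector securityDomain property is still inside an XML comment, which is the state JBoss ships in. The descriptor fragments are constructed samples modelled on the files quoted in this post; the value java:/jaas/jmx-console for the jboss-web.xml domain and the function names are assumptions.

```python
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip a namespace prefix such as '{http://java.sun.com/xml/ns/javaee}' from a tag name."""
    return tag.rsplit("}", 1)[-1]


def _find_all(root, name):
    """All descendants (root included) whose local tag name matches."""
    return [el for el in root.iter() if isinstance(el.tag, str) and _local(el.tag) == name]


def check_web_xml(text):
    """jmx-console.war/WEB-INF/web.xml: an active security-constraint naming a role,
    plus a login-config so the container can actually challenge the client."""
    findings = []
    root = ET.fromstring(text)
    constraints = _find_all(root, "security-constraint")
    roles = [r.text.strip() for c in constraints for r in _find_all(c, "role-name") if r.text]
    if not constraints:
        findings.append("web.xml: no active security-constraint (still commented out?)")
    elif not roles:
        findings.append("web.xml: security-constraint has no auth-constraint role")
    if not _find_all(root, "login-config"):
        findings.append("web.xml: no login-config, so no authentication challenge")
    return findings


def check_jboss_web_xml(text):
    """jmx-console.war/WEB-INF/jboss-web.xml: the security-domain must be uncommented."""
    root = ET.fromstring(text)
    domains = [d.text.strip() for d in _find_all(root, "security-domain") if d.text]
    return [] if domains else ["jboss-web.xml: no active security-domain (still commented out?)"]


def check_jmx_beans_xml(text):
    """deploy/jmx-jboss-beans.xml: the JMXConnector bean needs a securityDomain property."""
    root = ET.fromstring(text)
    for bean in _find_all(root, "bean"):
        if bean.get("name") == "JMXConnector":
            for prop in _find_all(bean, "property"):
                if prop.get("name") == "securityDomain" and prop.text and prop.text.strip():
                    return []
            return ["jmx-jboss-beans.xml: JMXConnector bean has no securityDomain property"]
    return ["jmx-jboss-beans.xml: no JMXConnector bean found"]


def audit_descriptors(web_xml, jboss_web_xml, jmx_beans_xml):
    """Combined findings; an empty list means console and connector are both secured."""
    return check_web_xml(web_xml) + check_jboss_web_xml(jboss_web_xml) + check_jmx_beans_xml(jmx_beans_xml)


def sample_descriptors(secured):
    """Constructed sample descriptors. With secured=False the security elements stay
    inside XML comments, the way JBoss ships them; with secured=True they are active."""
    o, c = ("", "") if secured else ("<!--", "-->")
    web_xml = f"""<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  {o}
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
  {c}
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>JBoss JMX Console</realm-name>
  </login-config>
</web-app>"""
    jboss_web_xml = f"""<!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 5.0//EN" "http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd">
<jboss-web>
  {o} <security-domain>java:/jaas/jmx-console</security-domain> {c}
</jboss-web>"""
    jmx_beans_xml = f"""<deployment xmlns="urn:jboss:bean-deployer:2.0">
  <bean name="JMXConnector" class="org.jboss.system.server.jmx.JMXConnector">
    {o} <property name="securityDomain">jmx-console</property> {c}
  </bean>
</deployment>"""
    return web_xml, jboss_web_xml, jmx_beans_xml


if __name__ == "__main__":
    for label, secured in (("as shipped", False), ("after the steps above", True)):
        print(label, audit_descriptors(*sample_descriptors(secured)) or "OK")
```

ElementTree discards comments while parsing, so an element that is still wrapped in `<!-- -->` is simply absent and the corresponding check fails; point the three check functions at the real files with Path(...).read_text() to audit a live installation. The real jmx-console web.xml, like the constructed sample, uses BASIC authentication, which sends the password base64-encoded with every request, so keep the console behind TLS or on an admin-only network in addition to passing these checks.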

To test the setup, open jconsole and try to log in without credentials. You should get an error message:

To verify that your credentials work for the JMX connector, click Cancel, select File -> New Connection and enter the correct URL and credentials. You should be able to log in and view the contents of the MBean server:

That’s it, you have just secured your app server’s JMX infrastructure against unauthorized access. In the next article, we will discuss the management infrastructure of JBoss 7. Until then, happy monitoring!