Recently, we have been talking a lot about JMX – especially about using the Monitis JMX Agent to monitor your JBoss server. As I mentioned in my previous post, in JBoss 6.x and earlier versions, the JMX web console and the JMX connector do not require authentication. This obviously presents a security risk – anyone who knows the hostname and port number can connect to your JBoss server, and not only examine the MBean properties, but even invoke administrative operations. Fortunately, there are some easy steps you can take to prevent this from happening on your production servers. But first, let’s talk briefly about two components of the JBoss management ecosystem.
- The JMX Console Most developers who deploy applications on JBoss are familiar with the JMX console. It is basically a JEE webapp, deployed as a .WAR file . The console comes bundled with JBoss versions up to 6.x (JBoss 7 uses a different management infrastructure, but we will talk more about that in a future post). Like any web application, it can be secured declaratively by modifying its deployment descriptors. Usually, it can be accesses using a URL like this:
- The JMX Connector accepts remote JMX/RMI connections (on port 1090 by default). Management applications (such as jconsole or the Monitis JMX Agent) use it to connect to JBoss MBean server.
Securing the JMX Console
JBoss makes it really easy to secure the management applications – as easy as flipping a few switches (the hard part, of course, is finding the switches that need flipping). Here are the steps:
Step 1. Go to the
Step 2. Modify
web.xml to uncomment the
<!-- A security constraint that restricts access to the HTML JMX console to users with the role JBossAdmin. Edit the roles to what you want and uncomment the WEB-INF/jboss-web.xml/security-domain element to enable secured access to the HTML JMX console. --> <security-constraint> <web-resource-collection> <web-resource-name>HtmlAdaptor</web-resource-name> <description>An example security config that only allows users with the role JBossAdmin to access the HTML JMX console web application </description> <url-pattern>/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>JBossAdmin</role-name> </auth-constraint> </security-constraint>
Step 3. Modify
jboss-web.xml to uncomment the
<!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 5.0//EN" "http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd"> <jboss-web> <!-- Uncomment the security-domain to enable security. You will need to edit the htmladaptor login configuration to setup the login modules used to authentication users. <security-domain>java:/jaas/jmx-console</security-domain> --> </jboss-web>
Step 4. Go to
$JBOSS_HOME/server/default/deploy and uncomment the following entry:
Step 5. Create Users and Role files. Go to $JBOSS_HOME/server/default/conf/props and create two properties files like so:
$echo 'admin=mysecretpasswd' > jmx-console-users.properties $echo 'admin=JBossAdmin' > jmx-console-roles.properties
Of course, feel free to change the password to your liking. Since the password is stored in clear text, you should also make sure the file is owned by the same login JBoss runs under (typically jboss or root) and set the permissions to 600:
$chown jboss jmx-console-users.properties $chmod 600 jmx-console-users.properties
Once you make the changes, navigate to
. The server should now prompt you to login.
Securing the JMX Connector
Even with the JMX console secured, JMX/RMI clients can still connect remotely without specifying credentials. To secure JMX/RMI access, modify the following line
$JBOSS_HOME/server/default/deploy/jmx-jboss-beans.xml to force the JMX connector to authenticate against the same security domain used by jmx-console:
<bean name="JMXConnector" class="org.jboss.system.server.jmx.JMXConnector"> <!-- configuration properties --> <!-- To enable authentication security checks, uncomment the following security domain name --> <property name="securityDomain">jmx-console</property> ...
To verify that your credentials work for the JMX connector, Click on Cancel, select File -> New Connection and enter the correct URL and credentials. You should be able to log in and view the contents of the MBean server:
That’s it, you have just secured your app server’s JMX infrastructure against unauthorized access. In the next article, we will discuss the management infrastructure of JBoss 7. Until then, happy monitoring!