It’s strongly recommended to take some security measures to restrict access to jmx-console and web-console  of Jboss, particularly wether you have and old Jboss version(under  6.x  and specially 4.x), because from them it’s possible to change a lot of parameters in Jboss configuration and only we should have access to that.

Beside some days ago a new worm that exploit an old vulnerability(CVE-2010-0738) appeared. This worm take advantage of the method to handle http requests and the standard security constraints that usually sysadmins configure, blocking only get and post http requests to jmx-console and web-console. For more details  you can see this statement.

The first step is enable autenthication through security constraints:

1. Edit $JBOSS_HOME/PROFILE/deploy/jmx-console.war/WEB-INF /web.xml

And uncomment the following lines:

 <security-constraint>
     <web-resource-collection>
       <web-resource-name>HtmlAdaptor</web-resource-name>
       <description>An example security config that only allows users with the
         role JBossAdmin to access the HTML JMX console web application
       </description>
       <url-pattern>/*</url-pattern>

     </web-resource-collection>
     <auth-constraint>
       <role-name>JBossAdmin</role-name>
     </auth-constraint>
   </security-constraint>

   <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>jmx-console</realm-name>
   </login-config>

   <security-role>
      <role-name>JBossAdmin</role-name>
   </security-role>

Take careful with the value of  <real-name> because it has to match with  <login-config> inside  $JBOSS_HOME/server/PROFILE/conf/login-config.xml which  define the authentication method . User and password are defined in text plain  (take careful with this and set strict file permissions access)  $JBOSS_HOME/server/PROFILE/conf/props/jmx-console-users.properties. The user who set in the file have to be JBossAdmin role as we set in web.xml.

2. Edit $JBOSS_HOME/PROFILE/deploy/jmx-console.war/WEB-INF/jboss-web.xml, for set the domain security name:

  <security-domain>java:/jaas/web-console</security-domain>

3. Edit $JBOSS_HOME/server/default/conf/login-config.xml:

and ensure you have this group of lines:

    <application-policy name = "jmx-console">
       <authentication>
          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required">
           <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
           <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
          </login-module>
       </authentication>
    </application-policy>

    <!-- A template configuration for the web-console web application. This
      defaults to the UsersRolesLoginModule the same as other and should be
      changed to a stronger authentication mechanism as required.
    -->
    <application-policy name = "web-console">
       <authentication>
          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required">
             <module-option name="usersProperties">web-console-users.properties</module-option>
             <module-option name="rolesProperties">web-console-roles.properties</module-option>
          </login-module>
       </authentication>
    </application-policy>

In the previous or equal JBoss AS 5.x versions, file web.xml includes a security-constraint  that blocks GET and POST requests:

    <http-method>GET</http-method>
    <http-method>POST</http-method>

Drop this lines for apply the security constraints to all of http requests.

You can redeploy making “touch jmx-console.war” without restart the server.

The way to securing the web-console it’s similar:

  • Edit $JBOSS_HOME/PROFILE/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml y $JBOSS_HOME/server/PROFILE/deploy/management/console-mgr.sar/web-console.war/WEB-INF/jboss-web.xml in the same way that we did with  jmx-console.
  • Edit $JBOSS_HOME/server/PROFILE/conf/props/jmx-console-users.properties in the same way that we did with  jmx-console.
We should to check if both applications have redeployed correctly and ask  user and password.
Advertisements