JBoss.org Community Documentation
Since the JMX console web application is just a standard servlet, it may be secured using standard J2EE role-based security. The jmx-console.war is deployed as an unpacked WAR that includes template settings for quickly enabling simple username and password based access restrictions. If you look at the jmx-console.war in the server/production/deploy directory you will find the web.xml and jboss-web.xml descriptors in the WEB-INF directory. The jmx-console-roles.properties and jmx-console-users.properties files are located in the server/production/conf/props directory.
By uncommenting the security sections of the web.xml and jboss-web.xml descriptors as shown in Example 3.10, “The jmx-console.war web.xml descriptors with the security elements uncommented.”, you enable HTTP basic authentication that restricts access to the JMX Console application to the user admin with password admin. The username and password are determined by the admin=admin line in the jmx-console-users.properties file.
<?xml version="1.0"?>
<!DOCTYPE web-app PUBLIC
    "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
    <!-- ... -->

    <!-- A security constraint that restricts access to the HTML JMX console
         to users with the role JBossAdmin. Edit the roles to what you want and
         uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
         secured access to the HTML JMX console.
    -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>HtmlAdaptor</web-resource-name>
            <description>
                An example security config that only allows users with the
                role JBossAdmin to access the HTML JMX console web application
            </description>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>JBossAdmin</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>JBoss JMX Console</realm-name>
    </login-config>

    <security-role>
        <role-name>JBossAdmin</role-name>
    </security-role>
</web-app>
Example 3.10. The jmx-console.war web.xml descriptors with the security elements uncommented.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jboss-web PUBLIC
    "-//JBoss//DTD Web Application 2.3//EN"
    "http://www.jboss.org/j2ee/dtd/jboss-web_3_0.dtd">
<jboss-web>
    <!-- Uncomment the security-domain to enable security. You will
         need to edit the htmladaptor login configuration to setup the
         login modules used to authentication users.
    -->
    <security-domain>java:/jaas/jmx-console</security-domain>
</jboss-web>
Example 3.11. The jmx-console.war jboss-web.xml descriptors with the security elements uncommented.
Make these changes, and the next time you try to access the JMX Console URL you will see a dialog similar to that shown in Figure 3.14, “The JMX Console basic HTTP login dialog.”
You probably to use the properties files for securing access to the JMX console application. To see how to properly configure the security settings of web applications see Chapter 8, Security on JBoss.
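A way to confirm that the edits described above actually took effect, as an added example that is not part of the JBoss documentation or code: it parses the text of the two descriptors and the users file and reports security sections that are still commented out, plus the template admin=admin line. The function name and the sample inputs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def audit_jmx_console(web_xml, jboss_web_xml, users_props):
    """Audit the text of web.xml, jboss-web.xml and jmx-console-users.properties.

    Returns a list of findings; an empty list means every check passed.
    """
    findings = []
    web = ET.fromstring(web_xml)
    # The parser skips XML comments, so a template section that is still
    # commented out simply shows up as a missing element.
    constraints = web.findall("security-constraint")
    roles = {r.text.strip() for c in constraints
             for r in c.findall("auth-constraint/role-name") if r.text}
    patterns = {p.text.strip() for c in constraints
                for p in c.findall("web-resource-collection/url-pattern") if p.text}
    if not roles:
        findings.append("web.xml: security-constraint is not active")
    elif "/*" not in patterns:
        findings.append("web.xml: security-constraint does not cover /*")
    if not (web.findtext("login-config/auth-method") or "").strip():
        findings.append("web.xml: login-config is not active")
    domain = ET.fromstring(jboss_web_xml).findtext("security-domain")
    if not (domain or "").strip():
        findings.append("jboss-web.xml: security-domain is not active")
    for line in users_props.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, password = line.partition("=")
        if (user.strip(), password.strip()) == ("admin", "admin"):
            findings.append("jmx-console-users.properties: template admin=admin still present")
    return findings

# Constructed sample: descriptors with the security sections still commented out.
TEMPLATE = (
    "<web-app><!-- <security-constraint/> -->"
    "<login-config><auth-method>BASIC</auth-method></login-config></web-app>",
    "<jboss-web><!-- <security-domain>java:/jaas/jmx-console</security-domain> --></jboss-web>",
    "# constructed sample\nadmin=admin\n",
)
# Constructed sample: sections uncommented and the template password replaced.
SECURED = (
    "<web-app><security-constraint><web-resource-collection>"
    "<url-pattern>/*</url-pattern></web-resource-collection><auth-constraint>"
    "<role-name>JBossAdmin</role-name></auth-constraint></security-constraint>"
    "<login-config><auth-method>BASIC</auth-method></login-config></web-app>",
    "<jboss-web><security-domain>java:/jaas/jmx-console</security-domain></jboss-web>",
    "admin=constructed-Example-Value\n",
)
```

Pass the contents of the three files as strings, for example the result of `open(path).read()` on each file in the directories named above.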