The JBoss Server - A Quick Tour
Server Structure
Now that you’ve downloaded JBoss and have run the server for the first time, the next thing you will want to know is how the installation is laid out and what goes where. At first glance there seems to be a lot of stuff in there, and it’s not obvious what you need to look at and what you can safely ignore for the time being. To remedy that, we’ll explore the server directory structure, locations of the key configuration files, log files, deployment and so on. It’s worth familiarizing yourself with the layout at this stage as it will help you understand the JBoss service architecture so that you’ll be able to find your way around when it comes to deploying your own applications.
Server Configurations
Fundamentally, the JBoss architecture consists of the JMX MBean server, the microkernel, and a set of pluggable component services - the MBeans. This makes it easy to assemble different configurations and gives you the flexibility to tailor them to meet your requirements.
You don’t have to run a large, monolithic server all the time; you can remove the components you don’t need (which can also reduce the server startup time considerably) and you can also integrate additional services into JBoss by writing your own MBeans. You certainly do not need to do this to be able to run standard Java EE 5 applications though.
You don’t need a detailed understanding of JMX to use JBoss, but it’s worth keeping a picture of this basic architecture in mind as it is central to the way JBoss works.
The JBoss Application Server ships with three different server configurations. Within the <JBoss_Home>/server
directory, you will find four subdirectories: minimal
, default
and all
- one for each server configuration. Each of these configurations provide a different set of services. The default
configuration is the one used if you don’t specify another one when starting up the server.
- minimal
has a minimal configuration—the bare minimum services required to start JBoss. It starts the logging service, a JNDI server and a URL deployment scanner to find new deployments. This is what you would use if you want to use JMX/JBoss to start your own services without any other Java EE 5 technologies. This is just the bare server. There is no web container, no EJB or JMS support.
- default
is a base Java EE 5 server profile containing a default set of services. It has the most frequently used services required to deploy a Java EE application. It does not include the JAXR service, the IIOP service, or any of the clustering services.
- all
The all configuration starts all the available services. This includes the RMI/IIOP and clustering services, which are not loaded in the default configuration.
If you want to know which services are configured in each of these instances, look at the jboss-service.xml
file in the <JBoss_Home>/server/<instance-name>/conf/
directory and also the configuration files in the <JBoss_Home>/server/<instance-name>/deploy
directory.
[usr@localhost <JBoss_Home>]$ls server/default/conf
bootstrap-beans.xml jboss-log4j.xml login-config.xml xmdesc bootstrap-repo-beans.xml jboss-minimal.xml props jax-ws-catalog.xml jboss-service.xml standardjbosscmp-jdbc.xml jbossjta-properties.xml jndi.properties standardjboss.xml
Note
The default configuration is the one used if you don’t specify another one when starting up the server.
To start the server using an alternate configuration refer to “Start the Server With Alternate Configuration”.
Server Configuration Directory Structure
The directory server configuration you’re using, is effectively the server root while JBoss is running. It contains all the code and configuration information for the services provided by the particular server configuration. It’s where the log output goes, and it’s where you deploy your applications. ”Server Configuration Directory Structure Table” shows the directories inside the server configuration directory (<JBoss_Home>/server/<instance-name>
) and their functions.
Directory | Description |
---|---|
conf | The conf directory contains the jboss-service.xml bootstrap descriptor file for a given server configuration. This defines the core services that are fixed for the lifetime of the server. |
data | The data directory is available for use by services that want to store content in the file system. It holds persistent data for services intended to survive a server restart. Serveral JBoss services, such as the embedded Hypersonic database instance, store data here. |
deploy | The deploy directory contains the hot-deployable services (those which can be added to or removed from the running server). It also contains applications for the current server configuration. You deploy your application code by placing application packages (JAR, WAR and EAR files) in the deploy directory. The directory is constantly scanned for updates, and any modified components will be re-deployed automatically. |
lib | This directory contains JAR files (Java libraries that should not be hot deployed) needed by this server configuration. You can add required library files here for JDBC drivers etc. All JARs in this directory are loaded into the shared classpath at startup. |
log | This is where the log files are written. JBoss uses the Jakarta log4j package for logging and you can also use it directly in your own applications from within the server. This may be overridden through the conf/ jboss-log4j.xml configuration file. |
tmp | The tmp directory is used for temporary storage by JBoss services. The deployer, for example, expands application archives in this directory. |
work | This directory is used by Tomcat for compilation of JSPs. |
Table: Server Configuration Directory Structure
The "default" Server Configuration File Set
The "default
" server configuration file set is located in the <JBoss_Home>/server/default
directory. The following example illustrates a truncated directory structure of the jboss-as-<release>
server configuration files:
[user@localhost <JBoss_Home>]$ tree |-- bin |-- client |-- docs | |-- dtd | |-- examples | | |-- binding-manager | | | `-- sample-bindings.xml | | |-- jca | | |-- jms | | |-- jmx | | |-- netboot | | | `-- netboot.war | | `-- varia | | |-- deployment-service | | |-- derby-plugin.jar | | |-- entity-resolver-manager | | | `-- xmlresolver-service.xml | | `-- jboss-bindings.xml | `-- schema |-- lib | |-- commons-codec.jar | |-- commons-httpclient.jar | |-- commons-logging.jar | |-- concurrent.jar | |-- endorsed | | |-- serializer.jar | | |-- xalan.jar | | `-- xercesImpl.jar | |-- getopt.jar | |-- jboss-common.jar | |-- jboss-jmx.jar | |-- jboss-system.jar | |-- jboss-xml-binding.jar | `-- log4j-boot.jar `-- server |-- all | |-- conf | | |-- jacorb.properties | | |-- jboss-log4j.xml | | |-- jboss-minimal.xml | | |-- jboss-service.xml | | |-- jbossjta-properties.xml | | |-- jndi.properties | | |-- login-config.xml | | |-- props | | | |-- jbossws-roles.properties | | | |-- jbossws-users.properties | | | |-- jmx-console-roles.properties | | | `-- jmx-console-users.properties | | |-- standardjboss.xml | | |-- standardjbosscmp-jdbc.xml | | `-- xmdesc | |-- deploy | |-- deploy-hasingleton | | `-- jms | |-- farm | | `-- cluster-examples-service.xml | `-- lib |-- default | |-- conf | | |-- jboss-log4j.xml | | |-- jboss-minimal.xml | | |-- jboss-service.xml | | |-- jbossjta-properties.xml | | |-- jndi.properties | | |-- login-config.xml | | |-- props | | | |-- jbossws-roles.properties | | | |-- jbossws-users.properties | | | |-- jmx-console-roles.properties | | | `-- jmx-console-users.properties | | |-- standardjboss.xml | | |-- standardjbosscmp-jdbc.xml | | `-- xmdesc | | |-- AttributePersistenceService-xmbean.xml | | |-- ClientUserTransaction-xmbean.xml | | |-- JNDIView-xmbean.xml | | |-- Log4jService-xmbean.xml | | |-- NamingBean-xmbean.xml | | |-- NamingService-xmbean.xml | | |-- TransactionManagerService-xmbean.xml | | |-- org.jboss.deployment.JARDeployer-xmbean.xml | | |-- org.jboss.deployment.MainDeployer-xmbean.xml | | `-- org.jboss.deployment.SARDeployer-xmbean.xml | |-- data | | |-- hypersonic | | |-- jboss.identity | | |-- tx-object-store | | `-- xmbean-attrs | |-- deploy | |-- lib | |-- log | | |-- boot.log | | |-- server.log | | `-- server.log.2008-08-09 | |-- tmp | `-- work | `-- jboss.web | `-- localhost `-- minimal |-- conf | |-- jboss-log4j.xml | |-- jboss-service.xml | |-- jndi.properties | `-- xmdesc | |-- NamingBean-xmbean.xml | `-- NamingService-xmbean.xml |-- deploy `-- lib |-- jboss-management.jar |-- jboss-minimal.jar |-- jnpserver.jar `-- log4j.jar
Contents of "conf" directory
The files in the conf
directory are explained in the following table.
File | Description |
---|---|
jboss-minimal.xml | This is a minimalist example of the jboss-service.xml configuration file. (This is the jboss-service.xml file used in the minimal configuration file set) |
jboss-service.xml | jboss-service.xml defines the core services and their configurations. |
jndi.properties | The jndi.properties file specifies the JNDI InitialContext properties that are used within the JBoss server when an InitialContext is created using the no-arg constructor. |
jboss-log4j.xml | This file configures the Apache log4j framework category priorities and appenders used by the JBoss server code. |
login-config.xml | This file contains sample server side authentication configurations that are applicable when using JAAS based security. |
props/* | The props directory contains the users and roles property files for the jmx-console. |
standardjaws.xml | This file provides the default configuration for the legacy EJB 1.1 CMP engine. |
standardjboss.xml | This file provides the default container configurations. |
standardjbosscmp-jdbc.xml | This file provides a default configuration file for the JBoss CMP engine. |
xmdesc/*-mbean.xml | The xmdesc directory contains XMBean descriptors for several services configured in the jboss-service.xml file. |
Contents of "deploy" directory
The files in the deploy
directory are explained in the following table.
File | Description |
---|---|
bsh-deployer.xml | This file configures the bean shell deployer, which deploys bean shell scripts as JBoss services. |
cache-invalidation-service.xml | This is a service that allows for custom invalidation of the EJB caches via JMS notifications. It is disabled by default. |
client-deployer-service.xml | This is a service that provides support for Java EE application clients. It manages the java:comp/env enterprise naming context for client applications based on the application-client.xml descriptor. |
ear-deployer.xml | The EAR deployer is the service responsible for deploying Java EE EAR files. |
ejb-deployer.xml | The EJB deployer is the service responsible for deploying JEE EJB JAR files. |
hsqldb-ds.xml | hsqldb-ds.xml configures the Hypersonic embedded database service configuration file. It sets up the embedded database and related connection factories. |
http-invoker.sar | http-invoker.sar contains the detached invoker that supports RMI over HTTP. It also contains the proxy bindings for accessing JNDI over HTTP. |
jboss-aop-jdk50.deployer | This service configures the AspectManagerService and deploys JBoss AOP applications. |
jboss-bean.deployer | jboss-bean.deployer provides the JBoss microcontainer, which deploys POJO services wrapped in .beans files. |
jboss-ha-local-jdbc.rar | jboss-ha-local-jdbc.rar is an experimental version of jboss-local-jdbc.rar that supports datasource failover. |
jboss-ha-xa-jdbc.rar | jboss-ha-xa-jdbc.rar is an experimental version of jboss-xa-jdbc.rar that supports datasource failover. |
jboss-local-jdbc.rar | jboss-local-jdbc.rar is a JCA resource adaptor that implements the JCA ManagedConnectionFactory interface for JDBC drivers that support the DataSource interface but not JCA. |
jboss-xa-jdbc.rar | jboss-xa-jdbc.rar is a JCA resource adaptor that implements the JCA ManagedConnectionFactory interface for JDBC drivers that support the XADataSource interface. |
jbossjca-service.xml | jbossjca-service.xml is the application server implementation of the JCA specification. It provides the connection management facilities for integrating resource adaptors into the JBoss server. |
jboss-web.deployer | The jboss-web.deployer directory provides the Tomcat servlet engine. |
jbossws.sar | jbossws.sar provides JEE web services support. |
messaging/destinations-service.xml | destinations-service.xml configures a number of Messaging queues and topics used by the Messaging unit tests. |
messaging/messaging-service.xml | The messaging-service.xml file configures the core JBoss Messaging service. |
jmx-console.war | The jmx-console.war directory provides the JMX Console. The JMX Console provides a simple web interface for managing the MBean server. |
jmx-invoker-service.sar | jmx-invoker-service.sar is an unpacked MBean service archive that exposes a subset of the JMX MBeanServer interface methods as an RMI interface to enable remote access to the JMX core functionality. This is similar to the legacy jmx-rmi-adaptor.sar , with the difference that the transport is handled by the detached invoker architecture. |
jsr-88-service.xml | jsr-88-service.xml provides the JSR 88 remote deployment service. |
mail-ra.rar | mail-ra.rar is a resource adaptor that provides a JavaMail connector. |
mail-service.xml | The mail-service.xml file is an MBean service descriptor that provides JavaMail sessions for use inside the JBoss server. |
management/console-mgr.sar | console-mgr.sar provides the Web Console. It is a web application/applet that provides a richer view of the JMX server management data than the JMX console. You may view the console using the URL http://localhost:8080/web-console/ . |
monitoring-service.xml | The monitoring-service.xml file configures alert monitors like the console listener and email listener used by JMX notifications. |
properties-service.xml | The properties-service.xml file is an MBean service descriptor that allows for customization of the JavaBeans PropertyEditor s as well as the definition of system properties. |
scheduler-service.xml | The scheduler-service.xml and schedule-manager-service.xml files are MBean service descriptors that provide a scheduling type of service. |
sqlexception-service.xml | The sqlexception-service.xml file is an MBean service descriptor for the handling of vendor specific SQLException s. |
uuid-key-generator.sar | The uuid-key-generator.sar service provides a UUID-based key generation facility. |
Contents of "deploy" directory
The "all" Server Configuration File Set
The "all" server configuration file set is located in the <JBoss_Home>/server/all
directory. In addition to the services in the "default" set, the all configuration contains several other services in the conf/
directory as shown below.
File | Description |
---|---|
cluster-service.xml | This service configures clustering communication for most clustered services in JBoss. |
deploy-hasingleton-service.xml | This provides the HA singleton service, allowing JBoss to manage services that must be active on only one node of a cluster. |
httpha-invoker.sar | This service provides HTTP tunneling support for clustered environments. |
iiop-service.xml | This provides IIOP invocation support. |
juddi-service.sar | This service provides UDDI lookup services. |
snmp-adaptor.sar | This is a JMX to SNMP adaptor. It allows for the mapping of JMX notifications onto SNMP traps. |
Additional Services in "conf" directory for "all" configuration
EJB3 Services
The following table explains the files providing ejb3 services.
File | Description |
---|---|
ejb3-interceptors-aop.xml | This service provides the AOP interceptor stack configurations for EJB3 bean types. |
ejb3.deployer | This service deploys EJB3 applications into JBoss. |
jboss-aop-jdk50.deployer | This is a Java 5 version of the AOP deployer. The AOP deployer configures the AspectManagerService and deploys JBoss AOP applications. |
jbossws.sar | This provides Java EE 5 web services support. |
Finally, in the EJB3 "all" configuration there are two additional services.
File | Description |
---|---|
ejb3-clustered-sfsbcache-service.xml | This provides replication and failover for EJB3 stateful session beans. |
ejb3-entity-cache-service.xml | This provides a clustered cache for EJB3 entity beans. |
Additional Services in EJB3 "all" Configuration
Adding Your Own Configuration
You can add your own configurations too. The best way to do this is to copy an existing one that is closest to your needs and modify the contents. For example, if you weren’t interested in using messaging, you could copy the production
directory, renaming it as myconfig
, remove the jms
subdirectory and then start JBoss with the new configuration.
./run.sh -c myconfig
Starting and Stopping the Server
Start the Server
Move to JBOSS_DIST/jboss-as/bin
directory and execute the run.bat
(for Windows) or run.sh
(for Linux) script, as appropriate for your operating system.
Remote connection to the JBoss AS server
JBoss AS now binds its services to localhost (127.0.0.1) by default, instead of binding to all available interfaces (0.0.0.0). This was primarily done for security reasons because of concerns of users going to production without having secured their servers properly. To enable remote access by binding JBoss services to a particular interface, simply run jboss with the -b
option. To bind to all available interfaces and re-enable the legacy behaviour use -b 0.0.0.0
. In any case, be aware you still need to secure your server properly.
For more information including setting up multiple JBoss server instances on one machine and hosting multiple domains with JBoss, please refer to the Administration and Configuration Guide. Some examples on binding are shipped in <JBOSS_HOME>/docs/examples/binding-manager/sample-bindings.xml
.
On starting your server, your screen output should look like the following (accounting for installation directory differences) and contain no error or exception messages:
[user@mypc bin]$ ./run.sh ========================================================================= JBoss Bootstrap Environment JBOSS_HOME: /home/user/jboss-as-version/jboss-as JAVA: java JAVA_OPTS: -Dprogram.name=run.sh -server -Xms1503m -Xmx1503m -Dsun.rmi.dgc.client. gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000 -Djava.net.preferIPv4Stack=true CLASSPATH: /home/user/jboss-as-version/jboss-as/bin/run.jar =========================================================================
More options for the JBoss AS run
script are discussed in The Section “Start the Server With Alternate Configuration” below.
Note
Note that there is no "Server Started" message shown at the console when the server is started using the production
profile, which is the default profile used when no other is specified. This message may be observed in the server.log
file located in the server/production/log
subdirectory.
Start the Server With Alternate Configuration
Using run.sh
without any arguments starts the server using the default
server configuration file set. To start with an alternate configuration file set, pass the name of the server configuration file set [same as the name of the server configuration directory under JBOSS_DIST/jboss-as/server
] that you want to use, as the value to the -c
command line option. For example, to start with the minimal
configuration file set you should specify:
[bin]$ ./run.sh -c minimal ... ... ... 15:05:40,301 INFO [Server] JBoss (MX MicroKernel) [5.0.0 (build: SVNTag=JBoss_5_0_0 date=200801092200)] Started in 5s:75ms
Using run.sh
The run
script supports the following options:
usage: run.sh [options] -h, --help Show help message -V, --version Show version information -- Stop processing options -D<name>[=<value>] Set a system property -d, --bootdir=<dir> Set the boot patch directory; Must be absolute or url -p, --patchdir=<dir> Set the patch directory; Must be absolute or url -n, --netboot=<url> Boot from net with the given url as base -c, --configuration=<name> Set the server configuration name -B, --bootlib=<filename> Add an extra library to the front bootclasspath -L, --library=<filename> Add an extra library to the loaders classpath -C, --classpath=<url> Add an extra url to the loaders classpath -P, --properties=<url> Load system properties from the given url -b, --host=<host or ip> Bind address for all JBoss services. -g, --partition=<name> HA Partition name (default=DefaultDomain) -u, --udp=<ip> UDP multicast address -l, --log=<log4j|jdk> Specify the logger plugin type
Stopping the Server
To shutdown the server, you simply issue a Ctrl-C sequence in the console in which JBoss was started. Alternatively, you can use the shutdown.sh
command.
[bin]$ ./shutdown.sh -S
The shutdown
script supports the following options:
A JMX client to shutdown (exit or halt) a remote JBoss server. usage: shutdown [options] <operation> options: -h, --help Show this help message (default) -D<name>[=<value>] Set a system property -- Stop processing options -s, --server=<url> Specify the JNDI URL of the remote server -n, --serverName=<url> Specify the JMX name of the ServerImpl -a, --adapter=<name> Specify JNDI name of the MBeanServerConnection to use -u, --user=<name> Specify the username for authentication -p, --password=<name> Specify the password for authentication operations: -S, --shutdown Shutdown the server -e, --exit=<code> Force the VM to exit with a status code -H, --halt=<code> Force the VM to halt with a status code
Using the shutdown command requires a server configuration that contains the jmx-invoker-service.xml
service. Hence you cannot use the shutdown command with the minimal
configuration.
Running as a Service under Microsoft Windows
You can configure the server to run as a service under Microsoft Windows, and configure it to start automatically if desired.
Download the JavaService
package from http://forge.objectweb.org/projects/javaservice/.
Unzip the package and use the JBossInstall.bat
file to install the JBoss service. You must set the JAVA_HOME
and JBOSS_HOME
environment variables to point to the jdk
and jboss-as
directories before running JBossInstall.bat
. Run JBossInstall.bat
with the following syntax:
JBossInstall.bat
<depends>
[-auto | -manual]
Where <depends>
is the name of any service that the JBoss AS server depends on, such as the mysql
database service.
Once the service is installed the server can be started by using the command net start JBoss
, and stopped with the command net stop JBoss
.
Please refer to the documentation included in the JavaService
package for further information.
The JMX Console
When the JBoss Server is running, you can get a live view of the server by going to the JMX console application at http://localhost:8080/jmx-console. You should see something similar to Figure “View of the JMX Management Console Web Application”.
The JMX Console is the JBoss Management Console which provides a raw view of the JMX MBeans which make up the server. They can provide a lot of information about the running server and allow you to modify its configuration, start and stop components and so on.
For example, find the service=JNDIView
link and click on it. This particular MBean provides a service to allow you to view the structure of the JNDI namespaces within the server. Now find the operation called list
near the bottom of the MBean view page and click the invoke
button. The operation returns a view of the current names bound into the JNDI tree, which is very useful when you start deploying your own applications and want to know why you can’t resolve a particular EJB name.
Figure : View of the JMX Management Console Web Application
Look at some of the other MBeans and their listed operations; try changing some of the configuration attributes and see what happens. With a very few exceptions, none of the changes made through the console are persistent. The original configuration will be reloaded when you restart JBoss, so you can experiment freely without doing any permanent damage.
Note
If you installed JBoss using the graphical installer, the JMX Console will prompt you for a username and password before you can access it. If you installed using other modes, you can still configure JMX Security manually. We will show you how to secure your console in “Security Service”.
Hot-deployment of services in JBoss
Hot-deployable services are those which can be added to or removed from the running server. These are placed in the JBOSS_DIST/jboss-as/server/<instance-name>/deploy
directory. Let’s have a look at a practical example of hot-deployment of services in JBoss before we go on to look at server configuration issues in more detail.
Start JBoss if it isn’t already running and take a look at the server/production/deploy
directory. Remove the mail-service.xml
file and watch the output from the server:
13:10:05,235 INFO [MailService] Mail service 'java:/Mail' removed from JNDI
Then replace the file and watch JBoss re-install the service:
13:58:54,331 INFO [MailService] Mail Service bound to java:/Mail
This is hot-deployment in action.
Basic Configuration Issues
Now that we have examined the JBoss server, we will take a look at some of the main configuration files and what they are used for. All paths are relative to the server configuration directory (server/production
, for example).
Core Services
The core services specified in the conf/jboss-service.xml
file are started first when the server starts up. If you have a look at this file in an editor you will see MBeans for various services including logging, security, JNDI, JNDIView etc. Try commenting out the entry for the JNDIView
service.
Note that because the mbeans definition had nested comments, we had to comment out the mbean in two sections, leaving the original comment as it was.
<!-- Section 1 commented out <mbean code="org.jboss.naming.JNDIView" name="jboss:service=JNDIView" xmbean-dd="resource:xmdesc/JNDIView-xmbean.xml"> --> <!-- The HANamingService service name --> <!-- Section two commented out <attribute name="HANamingService">jboss:service=HAJNDI</attribute></mbean> -->
If you then restart JBoss, you will see that the JNDIView
service no longer appears in the JMX Management Console (JMX Console) listing. In practice, you should rarely, if ever, need to modify this file, though there is nothing to stop you adding extra MBean entries in here if you want to. The alternative is to use a separate file in the deploy
directory, which allows your service to be hot deployable.
Logging Service
In JBoss log4j
is used for logging. If you are not familiar with the log4j
package and would like to use it in your applications, you can read more about it at the Jakarta web site (http://jakarta.apache.org/log4j/).
Logging is controlled from a central conf/jboss-log4j.xml
file. This file defines a set of appenders specifying the log files, what categories of messages should go there, the message format and the level of filtering. By default, JBoss produces output to both the console and a log file (log/server.log
).
There are 5 basic log levels used: DEBUG
, INFO
, WARN
, ERROR
and FATAL
. The logging threshold on the console is INFO
, which means that you will see informational messages, warning messages and error messages on the console but not general debug messages. In contrast, there is no threshold set for the server.log
file, so all generated logging messages will be logged there.
If things are going wrong and there doesn’t seem to be any useful information in the console, always check the server.log
file to see if there are any debug messages which might help you to track down the problem. However, be aware that just because the logging threshold allows debug messages to be displayed, that doesn't mean that all of JBoss will produce detailed debug information for the log file. You will also have to boost the logging limits set for individual categories. Take the following category for example.
<!-- Limit JBoss categories to INFO -->
<category name="org.jboss">
<priority value="
INFO
"/>
</category>
This limits the level of logging to INFO
for all JBoss classes, apart from those which have more specific overrides provided. If you were to change this to DEBUG
, it would produce much more detailed logging output.
As another example, let’s say you wanted to set the output from the container-managed persistence engine to DEBUG
level and to redirect it to a separate file, cmp.log
, in order to analyze the generated SQL commands. You would add the following code to the conf/jboss-log4j.xml
file:
<appender name="CMP" class="org.jboss.logging.appender.RollingFileAppender"> <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/> <param name="File" value="${jboss.server.home.dir}/log/cmp.log"/> <param name="Append" value="false"/> <param name="MaxFileSize" value="500KB"/> <param name="MaxBackupIndex" value="1"/> <layout class="org.apache.log4j.PatternLayout"> <param name="ConversionPattern" value="%d %-5p [%c] %m%n"/> </layout> </appender> <category name="org.jboss.ejb.plugins.cmp"> <priority value="DEBUG" /> <appender-ref ref="CMP"/> </category>
This creates a new file appender and specifies that it should be used by the logger (or category) for the package org.jboss.ejb.plugins.cmp
.
The file appender is set up to produce a new log file every day rather than producing a new one every time you restart the server or writing to a single file indefinitely. The current log file is cmp.log
. Older files have the date they were written added to their filenames. Please note that the log
directory also contains HTTP request logs which are produced by the web container.
Security Service
The security domain information is stored in the file conf/login-config.xml
as a list of named security domains, each of which specifies a number of JAAS [1] login modules which are used for authentication purposes in that domain. When you want to use security in an application, you specify the name of the domain you want to use in the application’s JBoss-specific deployment descriptors, jboss.xml
(used in defining jboss specific configurations for an application) and/or jboss-web.xml
(used in defining jboss for a Web application. We'll quickly look at how to do this to secure the JMX Console application which ships with JBoss.
Almost every aspect of the JBoss server can be controlled through the JMX Console, so it is important to make sure that, at the very least, the application is password protected. Otherwise, any remote user could completely control your server. To protect it, we will add a security domain to cover the application. This can be done in the jboss-web.xml
file for the JMX Console, which can be found in deploy/jmx-console.war/WEB-INF/
directory. Uncomment the security-domain
in that file, as shown below.
<jboss-web> <security-domain>java:/jaas/jmx-console</security-domain> </jboss-web>
This links the security domain to the web application, but it doesn't tell the web application what security policy to enforce, what URLs are we trying to protect, and who is allowed to access them. To configure this, go to the web.xml
file in the same directory and uncomment the security-constraint
that is already there. This security constraint will require a valid user name and password for a user in the JBossAdmin
group.
<!-- A security constraint that restricts access to the HTML JMX console to users with the role JBossAdmin. Edit the roles to what you want and uncomment the WEB-INF/jboss-web.xml/security-domain element to enable secured access to the HTML JMX console. --> <security-constraint> <web-resource-collection> <web-resource-name>HtmlAdaptor</web-resource-name> <description> An example security config that only allows users with the role JBossAdmin to access the HTML JMX console web application </description> <url-pattern>/*</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <auth-constraint> <role-name>JBossAdmin</role-name> </auth-constraint> </security-constraint>
That's great, but where do the user names and passwords come from? They come from the jmx-console
security domain we linked the application to. We have provided the configuration for this in the conf/login-config.xml
.
<application-policy name="jmx-console"> <authentication> <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"> <module-option name="usersProperties"> props/jmx-console-users.properties </module-option> <module-option name="rolesProperties"> props/jmx-console-roles.properties </module-option> </login-module> </authentication> </application-policy>
This configuration uses a simple file based security policy. The configuration files are found in the conf/props
directory of your server configuration. The usernames and passwords are stored in the conf/props/jmx-console-users.properties
file and take the form "username=password
". To assign a user to the JBossAdmin
group add "username=JBossAdmin
" to the jmx-console-roles.properties
file (additional roles on that username can be added comma separated). The existing file creates an admin
user with the password admin
. For security, please either remove the user or change the password to a stronger one.
JBoss will re-deploy the JMX Console whenever you update its web.xml
. You can check the server console to verify that JBoss has seen your changes. If you have configured everything correctly and re-deployed the application, the next time you try to access the JMX Console, it will ask you for a name and password. [2]
The JMX Console isn't the only web based management interface to JBoss. There is also the Web Console. Although it's a Java applet, the corresponding web application can be secured in the same way as the JMX Console. The Web Console is in the file deploy/management/console-mgr.sar/web-console.war.
. The only difference is that the Web Console is provided as a simple WAR file instead of using the exploded directory structure that the JMX Console did. The only real difference between the two is that editing the files inside the WAR file is a bit more cumbersome.
[1]The Java Authentication and Authorization Service. JBoss uses JAAS to provide pluggable authentication modules. You can use the ones that are provided or write your own if you have more specific requirements.
[2] Since the username and password are session variables in the web browser you may need to restart your browser to use the login dialog window.
Comments