Hardening the JMX Console
Out of the box, jmx-console and the web console are accessible to anyone who can access your server via the following URL: http://yourserver:8080/jmx-console
The good news is that both jmx-console and web-console are standard servlets, so they can be protected easily by enabling the security-constraint.
Our example uses the default server model.
| This page is critical: JBoss JMX has super abilities such as server shutdown, restart, etc. |
1. Edit \server\default\deploy\jmx-console.war\WEB-INF\web.xml and uncomment the security-constraint:
<!-- A security constraint that restricts access to the HTML JMX console
     to users with the role JBossAdmin. Edit the roles to what you want and
     uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
     secured access to the HTML JMX console. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <description>An example security config that only allows users with the
      role JBossAdmin to access the HTML JMX console web application
    </description>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>JBoss JMX Console</realm-name>
</login-config>
<security-role>
  <role-name>JBossAdmin</role-name>
</security-role>
2. Edit \server\default\deploy\jmx-console.war\WEB-INF\jboss-web.xml. Uncomment the following block:
<security-domain>java:/jaas/jmx-console</security-domain>
3. Edit \server\default\conf\props\jmx-console-roles.properties
This file defines the roles assigned to each user. In the section above we specified that the JBossAdmin role is required in order to access the JMX
This file structure is as follows:
user = role1,role2
4. Edit \server\default\conf\props\jmx-console-users.properties
This file defines the users and their passwords.
This file structure is as follows:
user = password
Hardening the Web Console
5. While you are in that directory, make copies of the two jmx-console properties files and call them web-console-roles.properties and web-console-users.properties respectively.
6. The property files for web-console currently exist under \server\default\deploy\management\console-mgr.sar\web-console.war\WEB-INF\classes.
Repeat steps 1 and 2 for jboss-web.xml and web.xml in web-console.war.
7. Edit \server\default\conf\login-config.xml
Change the path of the properties files by modifying these lines:
<module-option name="usersProperties">props/web-console-users.properties</module-option>
<module-option name="rolesProperties">props/web-console-roles.properties</module-option>
8. In the above you need to add the props/ prefix because it is missing in the original file. If you do not, the login procedure will look for the properties files under web-console.war\WEB-INF\classes and, if you have not renamed the properties files there, it will try to use those.
Remember to bounce JBoss after you are done.
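To confirm that the edits in steps 1 to 4 actually took effect, the following added example (not part of the original page or of JBoss) audits the text of web.xml, jboss-web.xml and the two properties files. The function names are hypothetical, and the sample input is constructed. The check on http-method reflects servlet-specification behaviour: a constraint that lists methods applies to those methods only.

```python
import xml.etree.ElementTree as ET

def _find(root, name):
    """Descendants with this local tag name, ignoring any XML namespace."""
    return [e for e in root.iter() if e.tag.split("}")[-1] == name]

def _texts(root, name):
    return [(e.text or "").strip() for e in _find(root, name)]

def audit_web_xml(text, role="JBossAdmin"):
    """Findings for WEB-INF/web.xml (step 1); an empty list means no issues."""
    root = ET.fromstring(text)  # comments are dropped, so a commented-out block is not seen
    constraints = _find(root, "security-constraint")
    if not constraints:
        return ["security-constraint is missing or still commented out"]
    findings = []
    for c in constraints:
        if role not in _texts(c, "role-name"):
            findings.append(f"auth-constraint does not require {role}")
        if "/*" not in _texts(c, "url-pattern"):
            findings.append("url-pattern does not cover /*")
        methods = _texts(c, "http-method")
        if methods:  # servlet spec: listed methods are the only ones constrained
            findings.append("constraint covers only " + ",".join(methods))
    if not _find(root, "login-config"):
        findings.append("login-config is missing")
    return findings

def audit_jboss_web_xml(text, domain="java:/jaas/jmx-console"):
    """Findings for WEB-INF/jboss-web.xml (step 2)."""
    if domain in _texts(ET.fromstring(text), "security-domain"):
        return []
    return [f"security-domain {domain} is missing or still commented out"]

def audit_props(users_text, roles_text, role="JBossAdmin"):
    """Every user holding the role must have a password entry (steps 3 and 4)."""
    def parse(text):
        rows = (l.split("=", 1) for l in text.splitlines()
                if "=" in l and not l.lstrip().startswith("#"))
        return {k.strip(): v.strip() for k, v in rows}
    users, roles = parse(users_text), parse(roles_text)
    admins = [u for u, r in roles.items() if role in [x.strip() for x in r.split(",")]]
    if not admins:
        return [f"no user holds role {role}"]
    return [f"{u} holds {role} but has no password entry" for u in admins if u not in users]

# Constructed sample: a web.xml whose constraint is still commented out.
SAMPLE_WEB_XML = "<web-app><!-- <security-constraint>...</security-constraint> --></web-app>"

if __name__ == "__main__":
    print(audit_web_xml(SAMPLE_WEB_XML))
```

Run against the web.xml shown in step 1, the audit reports that the constraint covers only GET and POST; removing the two http-method elements makes the constraint apply to every HTTP method.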
| Changing usernames and passwords You may want to change the username/password of the admin. It should be done in 2 places:
|