
Friday, November 9, 2012

Read Only User For Jmx-Console In JBoss


One of the important applications shipped with JBoss is the jmx-console. It lives in the deploy directory of JBoss, and we can use it to obtain many details such as connection pool settings, application status and more. Besides these read-only uses, it also exposes operations that should not be performed from the console, like starting and stopping the server or an application.

When we use the jmx-console in production, it must be password protected.

But there is no logout for the jmx-console, because it uses BASIC authentication. The only way to get a logout would be to switch the authentication to FORM, which is not available for the jmx-console in JBoss 5.

The default session timeout is 30 minutes for all applications in JBoss; it is set in this file:

/config/jboss/ewp/5.0/domains/<Domain>/<server Name> /deployers/jbossweb.deployer/web.xml

So once a user has authenticated, the jmx-console stays open for the next 30 minutes.

We can add a session-config element to the web.xml inside jmx-console.war (the timeout value is in minutes):

<session-config>
<session-timeout>30</session-timeout>
</session-config>

It automatically logs out aft

To get a read-only user, we can configure users specifically for the jmx-console. These users can log in and browse the jmx-console but cannot perform any operation from it.

1. The jmx-console application is available in the deploy directory.

Go to the /deploy/jmx-console.war/WEB-INF location. We need to modify two files here.

     a. In web.xml, uncomment the following section:
                     
<security-constraint>
     <web-resource-collection>
       <web-resource-name>HtmlAdaptor</web-resource-name>
       <description>An example security config that only allows users with the
         role JBossAdmin to access the HTML JMX console web application
       </description>
       <url-pattern>/*</url-pattern>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
     </web-resource-collection>
     <auth-constraint>
       <role-name>JBossAdmin</role-name>
     </auth-constraint>
   </security-constraint>

2. Uncomment the filter. The roles named in its param-value elements (UpdateAttributeRole for attribute updates, InvokeOpRole for operation invocation) are the only ones the filter lets through for those actions; a user who holds only JBossAdmin can browse the console but cannot change anything.

  <filter>
      <filter-name>JmxOpsAccessControlFilter</filter-name>
      <!-- stock filter class shipped in the JBoss 5 jmx-console web.xml -->
      <filter-class>org.jboss.jmx.adaptor.html.JMXOpsAccessControlFilter</filter-class>
      <init-param>
        <description>Comma-delimited Roles that define the JMX Operation denoting updation of Attributes</description>
        <param-name>updateAttributes</param-name>
        <param-value>UpdateAttributeRole</param-value>
      </init-param>
      <init-param>
        <description>Comma-delimited Roles that define the JMX Operation denoting Invocation of Operations</description>
        <param-name>invokeOp</param-name>
        <param-value>InvokeOpRole</param-value>
      </init-param>
   </filter>
   <filter-mapping>
      <filter-name>JmxOpsAccessControlFilter</filter-name>
      <servlet-name>HtmlAdaptor</servlet-name>
   </filter-mapping>

NOTE: Make sure the elements in the filter are in order. The description element must be the first element in the <init-param> element (when these elements are not in order, the jmx-console does not load. I did not find any reason for this; still searching).



b. In jboss-web.xml, uncomment the following section:
         
<jboss-web>
   <!-- Uncomment the security-domain to enable security. You will
      need to edit the htmladaptor login configuration to setup the
      login modules used to authentication users. -->
   <security-domain>java:/jaas/jmx-console</security-domain>
</jboss-web>


At this point we need to make sure that the security domain points to java:/jaas/jmx-console.

3. Go to jmx-invoker-service.xml (path: /deploy/jmx-invoker-service.xml).

Even though we password protect the jmx-console, application teams can still use the twiddle tool to perform operations on the JBoss server. This is because the jmx-console is an HTTP based application, while twiddle invokes operations through the JMX invoker layer. The

Uncomment the following section so that the invoker is protected by the same security domain:

<interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
             securityDomain="java:/jaas/jmx-console"/>

4. Add users to the files

jmx-console-users.properties and jmx-console-roles.properties in /config/jboss/ewp/5.0/domains/wtg/WTG-A2/conf/props, like so:

localhost:root-props $ cat jmx-console-users.properties
# A sample users.properties file for use with the UsersRolesLoginModule
admin=sample
readOnlyUserName=password

localhost:root-props $ cat jmx-console-roles.properties
# A sample roles.properties file for use with the UsersRolesLoginModule
# Role names are compared case-sensitively: the role must be spelled
# exactly JBossAdmin, as in the web.xml auth-constraint, or the user is
# refused at the security-constraint instead of getting read-only access.
admin=JBossAdmin,HttpInvoker
readOnlyUserName=JBossAdmin
  
6. Restart the server.

7. Access the jmx-console with the new user credentials.

9. Perform an operation such as stopping a web application. It will say 'Access Denied'.
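The role wiring above is easy to get subtly wrong: the role in jmx-console-roles.properties must match the auth-constraint role exactly, and only the roles named in the filter's init-params get past the JmxOpsAccessControlFilter. The script below is an added example, not code from the original post or from JBoss. It parses a jmx-console web.xml and a roles.properties file and reports, per user, whether that user is denied at the security-constraint, read-only, or able to invoke operations. The web.xml fragment and the properties lines are constructed from the snippets on this page (the "JbossAdmin" misspelling is kept deliberately so the check has something to flag, and the "operator" user is hypothetical); the only assumptions are that the filter is named JmxOpsAccessControlFilter and that role comparison is an exact string match.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the jmx-console web.xml fragments from the post,
# wrapped in a web-app root (not a file taken from any JBoss install).
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <filter>
    <filter-name>JmxOpsAccessControlFilter</filter-name>
    <filter-class>org.jboss.jmx.adaptor.html.JMXOpsAccessControlFilter</filter-class>
    <init-param>
      <param-name>updateAttributes</param-name>
      <param-value>UpdateAttributeRole</param-value>
    </init-param>
    <init-param>
      <param-name>invokeOp</param-name>
      <param-value>InvokeOpRole</param-value>
    </init-param>
  </filter>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

# Constructed sample roles.properties: the post's two users plus a
# hypothetical "operator" who also holds the roles named in the filter.
ROLES_PROPS = """# A sample roles.properties file for use with the UsersRolesLoginModule
admin=JBossAdmin,HttpInvoker
operator=JBossAdmin,InvokeOpRole,UpdateAttributeRole
readOnlyUserName=JbossAdmin
"""


def parse_properties(text):
    """Parse user=Role1,Role2 lines; '#' and '!' start comment lines."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            entries[key.strip()] = {r.strip() for r in value.split(",") if r.strip()}
    return entries


def parse_web_xml(text):
    """Return (auth-constraint roles, {init-param name: roles} of the JMX ops filter)."""
    root = ET.fromstring(text)
    for el in root.iter():  # drop the default namespace so the paths below stay readable
        if isinstance(el.tag, str) and "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    constraint_roles = {
        el.text.strip()
        for el in root.findall("./security-constraint/auth-constraint/role-name")
    }
    filter_roles = {}
    for flt in root.findall("./filter"):
        if flt.findtext("filter-name", "").strip() != "JmxOpsAccessControlFilter":
            continue
        for param in flt.findall("init-param"):
            name = param.findtext("param-name", "").strip()
            roles = param.findtext("param-value", "")
            filter_roles[name] = {r.strip() for r in roles.split(",") if r.strip()}
    return constraint_roles, filter_roles


def classify_users(user_roles, constraint_roles, filter_roles):
    """Map each user to ('denied' | 'read-only' | 'operator', reason).

    Comparisons are exact: JBoss matches role principal names as plain
    strings, so 'JbossAdmin' does not satisfy a 'JBossAdmin' constraint.
    """
    privileged = set().union(*filter_roles.values())
    lowered = {c.lower() for c in constraint_roles}
    result = {}
    for user, roles in user_roles.items():
        if not roles & constraint_roles:
            near = sorted(r for r in roles if r.lower() in lowered)
            reason = f"role case mismatch: {near}" if near else f"lacks {sorted(constraint_roles)}"
            result[user] = ("denied", reason)
        elif roles & privileged:
            result[user] = ("operator", f"holds {sorted(roles & privileged)}")
        else:
            result[user] = ("read-only", "passes the constraint, holds no filter role")
    return result


def audit(web_xml, roles_props):
    constraint_roles, filter_roles = parse_web_xml(web_xml)
    return classify_users(parse_properties(roles_props), constraint_roles, filter_roles)


if __name__ == "__main__":
    for user, (status, why) in sorted(audit(WEB_XML, ROLES_PROPS).items()):
        print(f"{user:18} {status:10} {why}")
```

Run against real files, replace the two constructed strings with the contents of jmx-console.war/WEB-INF/web.xml and conf/props/jmx-console-roles.properties. Note what the check says about the post's admin account: with only JBossAdmin,HttpInvoker it is classified read-only as well, because once the filter is active an account that should still stop applications needs InvokeOpRole (and UpdateAttributeRole for attribute changes) in addition to JBossAdmin.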