Securing JBoss Server

Some cases you require secure access to JBOSS Web Console or JMX console.

Following are the guidelines :

Secure JMX Console

1. To secure the JMX Console using a username/password file
2. Locate the jmx-console.war directory. This will normally be in $ (jboss.server.home.dir ) / deploy directory.
3. Edit WEB-INF/web.xml and uncomment the security-constraint block.
4. Edit WEB-INF/classes/jmx-console-users.properties or server/default/conf/props/jmx-console-users.properties (version >=4.0.2) and WEB-INF/classes/jmx-console-roles.properties or server/default/conf/props/jmx-console-roles.properties (version >=4.0.2) and change the users and passwords to what you desire. They will need the JBossAdmin role specified in the web.xml file to run the JMX Console.
5. Edit WEB-INF/jboss-web.xml and uncomment the security-domain block. The security-domain value of jmx-console maps is declared in the login-config.xml JAAS configuration file which defines how authentication and authorization is done.

Securing Web Console

Repeat the above steps for the Web Console but use the following path:

1. $ (jboss.server.home.dir )/ deploy / management/console-mgr.sar/web-console.war/web-inf/jboss-web.xml
2. $ (jboss.server.home.dir )/ deploy / management/console-mgr.sar/web-console.war/web-inf/web.xml
3. $ (jboss.server.home.dir )/ deploy / management/console-mgr.sar/web-console.war/web-inf/classes/web-console-users.properties
4. $ (jboss.server.home.dir )/ deploy / management/console-mgr.sar/web-console.war/web-inf/classes/web-console-roles.properties

Useful Links:

1. http://www.jboss.org/community/wiki/SecureTheJmxConsole
2. https://jira.jboss.org/jira/browse/SECURITY-31