JBoss- 4.2.2 .GA默认部署了jmx-console和web-console,并且不需要密码即可访问,这样就存在安全隐患,容易造成攻击,故我们需要为这些部署加入安全机制。下面步骤分别针对jmx-console和web-console进行设置:
1. 设置jmx-console安全机制
a) 编辑deploy/jmx-console.war/WEB-INF/jboss-web.xml,搜寻到如下内容,并取消注释
<security-domain>java:/jaas/jmx-console</security-domain>
b) 编辑deploy/jmx-console.war/WEB-INF/web.xml,搜寻到如下内容,并取消注释
<security-constraint>
<web-resource-collection>
<web-resource-name>HtmlAdaptor</web-resource-name>
<description>An example security config that only allows users with the role JBossAdmin to access the HTML JMX console web application
</description>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>JBossAdmin</role-name>
</auth-constraint>
</security-constraint>
c) 打开conf/login-config.xml,搜寻到如下内容,检查usersProperties 和rolesProperties 对应的文件路径,默认是conf/props/jmx-console-users.properties和conf/props/jmx-console-roles.properties
<application-policy name = "jmx-console">
<authentication>
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
flag = "required">
<module-option name="usersProperties">props/jmx-console-users.properties</module-option>
<module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
</login-module>
</authentication>
</application-policy>
d) 编辑conf/props/jmx-console-users.properties,设置有权限访问jmx-console的用户和密码,格式为“用户名=密码”,默认该文件内容为admin=admin
e) 编辑conf/props/jmx-console-roles.properties,设置上一步定义的用户角色,格式为“用户名=角色1,角色 2” ,默认该文件内容为 admin=JBossAdmin,HttpInvoker
2. 设置web-console安全机制
a) 编辑deploy/management/console-mgr.sar/web-console.war/WEB-INF/jboss-web.xml,搜寻到如下内容,并取消注释
<security-domain>java:/jaas/web-console</security-domain>
b) 编辑deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml,搜寻到如下内容,并取消注释
<security-constraint>
<web-resource-collection>
<web-resource-name>HtmlAdaptor</web-resource-name>
<description>An example security config that only allows users with the role JBossAdmin to access the HTML JMX console web application
</description>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>JBossAdmin</role-name>
</auth-constraint>
</security-constraint>
c) 打开conf/login-config.xml,搜寻到如下内容,检查usersProperties 和rolesProperties 对应的文件路径,默认是deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/web-console-users.properties和deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/props/web-console-roles.properties
<application-policy name = "web-console">
<authentication>
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
flag = "required">
<module-option name="usersProperties">web-console-users.properties</module-option>
<module-option name="rolesProperties">web-console-roles.properties</module-option>
</login-module>
</authentication>
</application-policy>
d) 编辑deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/web-console-users.properties,设置有权限访问web-console的用户和密码,格式为“用户名=密码”,默认该文件内容为admin=admin
e) 编辑deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/web-console-roles.properties,设置上一步定义的用户角色,格式为“用户名=角色1,角色 2” ,默认该文件内容为 admin=JBossAdmin,HttpInvoker
配置完成,重启JBoss