Securing JBoss

From OpenKM Documentation
Latest revision as of 17:21, 1 October 2012

When you run JBoss, OpenKM is accessible through port 8080. The bad news is that the JBoss Web Console and JMX Console are also accessible, and anybody can read and modify the JBoss configuration through them. This is particularly dangerous if OpenKM is reachable from the Internet.

JMX Console

Edit the configuration file:

 $ vim $JBOSS_HOME/server/default/deploy/jmx-console.war/WEB-INF/web.xml

Uncomment the block <security-constraint> and delete the lines <http-method>WHATEVER_METHOD</http-method> inside the block if they are there (see https://community.jboss.org/wiki/SecureTheJmxConsole: CVE-2010-0738). Edit this other configuration file:

 $ vim $JBOSS_HOME/server/default/deploy/jmx-console.war/WEB-INF/jboss-web.xml

Uncomment the block defined by <security-domain>. Edit the users file:

 $ vim $JBOSS_HOME/server/default/conf/props/jmx-console-users.properties

Change the password of the admin user.

Web Console

Edit the configuration file:

 $ vim $JBOSS_HOME/server/default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml

Uncomment the block <security-constraint> and delete the lines <http-method>WHATEVER_METHOD</http-method> inside the block if they are there. Edit this other configuration file:
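As an added example (not part of the OpenKM page or of JBoss itself), a small Python audit script that parses a web.xml and reports the two states the JMX Console and Web Console sections above tell you to fix: a <security-constraint> block that is still commented out, and a block that still carries <http-method> entries. The sample web.xml fragments are constructed here to mirror the jmx-console.war layout.

```python
import sys
import xml.etree.ElementTree as ET

def _local(tag):
    # Strip an xmlns prefix such as {http://java.sun.com/xml/ns/javaee} so the
    # check works for both DTD-based and namespaced web.xml files
    return tag.rsplit('}', 1)[-1]

def audit_web_xml(xml_text):
    """Return a list of findings; an empty list means the constraint looks right."""
    root = ET.fromstring(xml_text)
    findings = []
    constraints = [e for e in root.iter() if _local(e.tag) == 'security-constraint']
    if not constraints:
        # A block still wrapped in <!-- --> is a comment and never becomes an element
        findings.append('no active <security-constraint>: block missing or still commented out')
        return findings
    for sc in constraints:
        methods = [m.text.strip() for m in sc.iter()
                   if _local(m.tag) == 'http-method' and m.text]
        if methods:
            # Listing methods limits the constraint to those verbs only; any other
            # verb reaches the console without authentication (CVE-2010-0738)
            findings.append('explicit <http-method> entries %s: delete them (CVE-2010-0738)'
                            % ', '.join(methods))
    return findings

# Constructed sample fragments mirroring the jmx-console.war web.xml layout
_BLOCK = """<security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>%s
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>"""
COMMENTED = '<web-app>\n  <!-- %s -->\n</web-app>' % (_BLOCK % '')
VULNERABLE = '<web-app>\n  %s\n</web-app>' % (
    _BLOCK % '\n      <http-method>GET</http-method>\n      <http-method>POST</http-method>')
HARDENED = '<web-app>\n  %s\n</web-app>' % (_BLOCK % '')

if __name__ == '__main__':
    # Usage: python audit_web_xml.py $JBOSS_HOME/server/default/deploy/jmx-console.war/WEB-INF/web.xml
    for path in sys.argv[1:]:
        with open(path) as fh:
            for finding in audit_web_xml(fh.read()) or ['OK']:
                print('%s: %s' % (path, finding))
```

Run it against both web.xml files named in this guide after editing them; an OK line for each means the block is active and lists no methods.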

 $ vim $JBOSS_HOME/server/default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/jboss-web.xml

Uncomment the block defined by <security-domain>. Edit also this file:

 $ vim $JBOSS_HOME/server/default/conf/login-config.xml

Change the path of the files web-console-users.properties and web-console-roles.properties (add props/ at the beginning of the file name):

 <module-option name="usersProperties">props/web-console-users.properties</module-option>
 <module-option name="rolesProperties">props/web-console-roles.properties</module-option>

And copy the files to the new location:

 $ cp $JBOSS_HOME/server/default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/web-console-*.properties $JBOSS_HOME/server/default/conf/props

Now all the authentication files are located in the same folder. Edit the users file:

 $ vim $JBOSS_HOME/server/default/conf/props/web-console-users.properties

Change the password of the admin user. The last step is to restart JBoss:

 $ /etc/init.d/jboss restart

For more info, visit:

* http://jboss.org/community/docs/DOC-12190
* http://www.techienuggets.com/Detail?tx=9