It is strongly recommended to restrict access to the jmx-console and web-console of JBoss, particularly if you run an old JBoss version (older than 6.x, and especially 4.x), because from these consoles it is possible to change many parameters of the JBoss configuration, and only administrators should be able to do that.

Besides, a few days ago a new worm appeared that exploits an old vulnerability (CVE-2010-0738). This worm takes advantage of the way HTTP requests are handled together with the security constraint that sysadmins usually configure, which restricts only GET and POST requests to jmx-console and web-console: a request with any other HTTP method reaches the console unauthenticated. For more details you can see this statement.

The first step is to enable authentication through security constraints:

1. Edit $JBOSS_HOME/server/PROFILE/deploy/jmx-console.war/WEB-INF/web.xml

and uncomment the <security-constraint> block, the one that carries this description:

       <description>An example security config that only allows users with the
         role JBossAdmin to access the HTML JMX console web application

Note that the <realm-name> inside <login-config> is only the label the browser shows in its credentials prompt; what has to match is the security domain set in jboss-web.xml (step 2) and the <application-policy> name in $JBOSS_HOME/server/PROFILE/conf/login-config.xml (step 3), which defines the authentication method. Users and passwords are defined in plain text (be careful with this and set strict file permissions) in $JBOSS_HOME/server/PROFILE/conf/props/. The user you define there has to have the JBossAdmin role, as we set in web.xml.

2. Edit $JBOSS_HOME/server/PROFILE/deploy/jmx-console.war/WEB-INF/jboss-web.xml to set the security domain name:


3. Edit $JBOSS_HOME/server/PROFILE/conf/login-config.xml

and make sure it contains these two blocks:

    <application-policy name = "jmx-console">
      <login-module code=""
         flag = "required">
        <module-option name="usersProperties">props/</module-option>
        <module-option name="rolesProperties">props/</module-option>

    <!-- A template configuration for the web-console web application. This
      defaults to the UsersRolesLoginModule the same as other and should be
      changed to a stronger authentication mechanism as required. -->
    <application-policy name = "web-console">
      <login-module code=""
         flag = "required">
        <module-option name="usersProperties"></module-option>
        <module-option name="rolesProperties"></module-option>

In JBoss AS 5.x and earlier, the security-constraint in web.xml carries an <http-method> list that applies the constraint only to GET and POST requests:


Drop these lines so that the security constraint applies to every HTTP method. If you leave them in, a request with any other method (HEAD, for example) is served by the console without authentication, which is exactly what CVE-2010-0738 exploits.

You can redeploy by running "touch jmx-console.war" on the deployed directory, without restarting the server.

Securing the web-console is similar:

  • Edit $JBOSS_HOME/server/PROFILE/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml and $JBOSS_HOME/server/PROFILE/deploy/management/console-mgr.sar/web-console.war/WEB-INF/jboss-web.xml in the same way as for jmx-console.
  • Edit $JBOSS_HOME/server/PROFILE/conf/props/ in the same way as for jmx-console.
Finally, check that both applications have redeployed correctly and that they ask for a user name and password on every HTTP method (try HEAD as well as GET), not only on GET and POST.
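As an added example (not part of the original post, nor JBoss's own tooling), here is a small POSIX shell audit that checks a deployed web.xml for the three conditions the steps above rely on: the <security-constraint> is actually uncommented, a <login-config> exists, and no <http-method> list narrows the constraint to GET and POST. The sample web.xml contents it writes are constructed for the example and trimmed to the security-related elements of the stock jmx-console file; run audit_web_xml against the real jmx-console.war/WEB-INF/web.xml and web-console.war/WEB-INF/web.xml before and after the edit.

```shell
#!/bin/sh
# Added example, not from the original post: audit a JBoss console web.xml
# for the weakness behind CVE-2010-0738.  A <security-constraint> whose
# <web-resource-collection> lists <http-method>GET</http-method> and
# <http-method>POST</http-method> protects only those two verbs; a request
# with any other verb (HEAD, for instance) is dispatched to the console
# servlet with no authentication at all.  A constraint with no <http-method>
# element covers every verb.  The sample files below are constructed here.

# audit_web_xml FILE  ->  exit status 0 if the console is protected on every
# HTTP method, 1 otherwise (one line per finding on stdout).
audit_web_xml() {
    f="$1"
    status=0
    # Join into one line and strip XML comments: in stock JBoss the whole
    # <security-constraint> ships commented out, and a commented-out
    # constraint protects nothing.
    xml=$(tr -d '\n\r' < "$f" | sed -E 's/<!--([^-]|-[^-])*-->//g')

    case "$xml" in
        *'<security-constraint>'*'<auth-constraint>'*'<role-name>'*) ;;
        *) echo "$f: no active <security-constraint> with a role (still commented out?)"
           status=1 ;;
    esac
    case "$xml" in
        *'<login-config>'*) ;;
        *) echo "$f: no <login-config>, the container cannot challenge for credentials"
           status=1 ;;
    esac
    case "$xml" in
        *'<http-method>'*)
            echo "$f: <http-method> list found; verbs not listed bypass the constraint (CVE-2010-0738 pattern)"
            status=1 ;;
    esac
    return "$status"
}

# Constructed sample, trimmed to the security elements of the stock jmx-console
# web.xml: constraint uncommented but still carrying the GET/POST verb list.
write_getpost_web_xml() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <description>An example security config that only allows users with the
        role JBossAdmin to access the HTML JMX console web application
      </description>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>JBoss JMX Console</realm-name>
  </login-config>
  <security-role>
    <role-name>JBossAdmin</role-name>
  </security-role>
</web-app>
EOF
}

# The stock shape: same file, but with the constraint still commented out.
write_stock_web_xml() {
    write_getpost_web_xml "$1"
    tmp="$1.tmp"
    sed -e 's|<security-constraint>|<!-- <security-constraint>|' \
        -e 's|</security-constraint>|</security-constraint> -->|' "$1" > "$tmp"
    mv "$tmp" "$1"
}

# The fix this post recommends: drop the <http-method> lines and nothing else.
write_fixed_web_xml() {
    write_getpost_web_xml "$1"
    tmp="$1.tmp"
    grep -v '<http-method>' "$1" > "$tmp"
    mv "$tmp" "$1"
}

# Demo run on the three constructed files.
demo_dir=$(mktemp -d)
for variant in stock getpost fixed; do
    "write_${variant}_web_xml" "$demo_dir/$variant-web.xml"
    if audit_web_xml "$demo_dir/$variant-web.xml"; then
        echo "$variant: protected on every HTTP method"
    else
        echo "$variant: NOT protected"
    fi
done
rm -rf "$demo_dir"
```

The audit only reads the deployment descriptor, so it is safe to run on a production profile; it does not replace the final check of sending a HEAD request to the console and confirming you get a 401 instead of the console page.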