5.3.  Post Installation Security Configuration

When installed from the zip archive, authentication is required to access most JBoss services, including the administrative services. Additionally, no user accounts are set up. This is to stop attacks that rely on default user names and passwords.

Accounts for the jmx-console and the invokers can be set up by modifying:

$JBOSS_HOME/server/$CONFIG/conf/props/jmx-console-users.properties

Accounts for web-console users can be set up by modifying:

$JBOSS_HOME/server/$CONFIG/deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/web-console-users.properties

Where $JBOSS_HOME is the install directory and $CONFIG is the server configuration being used.

It is also possible to disable authentication on specific services. All specified paths in the sections below are relative to $JBOSS_HOME.

To disable authentication for the JMX console, edit the following file and comment out the security-constraint section:

server/$CONFIG/deploy/jmx-console.war/WEB-INF/web.xml

The following fragment should be commented out:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>HtmlAdaptor</web-resource-name>
        <description>An example security config that only allows users with the
        role JBossAdmin to access the HTML JMX console web application
        </description>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>JBossAdmin</role-name>
    </auth-constraint>
</security-constraint>

To disable authentication for the Web console, edit the following file to comment out the security-constraint section:

server/$CONFIG/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml

The following fragment should be commented out:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>HtmlAdaptor</web-resource-name>
        <description>An example security config that only allows users with the
        role JBossAdmin to access the HTML JMX console web application
        </description>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>JBossAdmin</role-name>
    </auth-constraint>
</security-constraint>

To disable authentication for the HTTP invoker, remove the JNDIFactory, EJBInvokerServlet, and JMXInvokerServlet servlets from the security realm in the file:

server/$CONFIG/deploy/httpha-invoker.sar/invoker.war/WEB-INF/web.xml

For example, the security-constraint element should look as follows:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>HttpInvokers</web-resource-name>
        <description>An example security config that only allows users with the
        role HttpInvoker to access the HTTP invoker servlets
        </description>
        <url-pattern>/restricted/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>HttpInvoker</role-name>
    </auth-constraint>
</security-constraint>

To disable authentication for the JMX invoker, edit the following file and comment out the authentication interceptor:

server/$CONFIG/deploy/jmx-invoker-service.xml

Locate the mbean element whose code attribute is org.jboss.jmx.connector.invoker.InvokerAdaptorService. In that element, comment out the interceptor that requires authenticated users (the AuthenticationInterceptor in the fragment below):

<descriptors>
    <interceptors>
        <!-- Uncomment to require authenticated users -->
        <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
                    securityDomain="java:/jaas/jmx-console"/>
        <!-- Interceptor that deals with non-serializable results -->
        <interceptor code="org.jboss.jmx.connector.invoker.SerializableInterceptor"
                    policyClass="StripModelMBeanInfoPolicy"/>
    </interceptors>
</descriptors>
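The settings above live in three kinds of file: the web.xml security-constraint elements, the users.properties account files, and the jmx-invoker-service.xml interceptor list. The following audit script is an added example, not part of the JBoss documentation or distribution; it reads each of those file types and reports which administrative paths are still protected, which accounts exist, and whether the JMX invoker still requires authentication. The sample documents embedded in it are constructed for the example (the users.properties format of one user=password per line is the one UsersRolesLoginModule reads), and the audit() function is this example's own; to check a real installation, read the files under $JBOSS_HOME/server/$CONFIG and pass their contents to it.

```python
"""Audit the admin-service settings from this section (added example, not JBoss code).

Checks: does a web.xml still carry a security-constraint for a url-pattern, which
accounts does a users.properties file define, and does jmx-invoker-service.xml still
list the AuthenticationInterceptor. Sample inputs below are constructed for the example.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

INVOKER_CLASS = "org.jboss.jmx.connector.invoker.InvokerAdaptorService"

def _children(elem: ET.Element, name: str) -> List[ET.Element]:
    """Descendants with a given local name; the rsplit drops any {namespace} prefix
    so DTD-based and namespaced web.xml files both work."""
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]

def protected_patterns(web_xml: str) -> Dict[str, dict]:
    """Map each url-pattern inside a security-constraint to its roles and listed methods."""
    result: Dict[str, dict] = {}
    for sc in _children(ET.fromstring(web_xml), "security-constraint"):
        info = {
            "roles": [r.text.strip() for r in _children(sc, "role-name") if r.text],
            "methods": [m.text.strip() for m in _children(sc, "http-method") if m.text],
            "has_auth_constraint": bool(_children(sc, "auth-constraint")),
        }
        for up in _children(sc, "url-pattern"):
            if up.text:
                result[up.text.strip()] = info
    return result

def web_xml_findings(web_xml: str, pattern: str) -> List[str]:
    """Findings for one url-pattern; an empty list means it is fully protected."""
    entry = protected_patterns(web_xml).get(pattern)
    if entry is None:
        return [f"{pattern}: no security-constraint covers this pattern (authentication disabled)"]
    findings = []
    if not entry["has_auth_constraint"]:
        findings.append(f"{pattern}: constraint has no auth-constraint, so no login is required")
    if entry["methods"]:
        # Per the servlet specification a constraint that lists http-method elements
        # applies only to those methods; omitting them makes it cover every method.
        findings.append(f"{pattern}: constraint applies only to {','.join(entry['methods'])}")
    return findings

def list_accounts(properties_text: str) -> List[str]:
    """User names in a users.properties file; comment (#, !) and blank lines are skipped."""
    users = []
    for raw in properties_text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!":
            key = re.split(r"[=:\s]", line, maxsplit=1)[0]
            if key:
                users.append(key)
    return users

def invoker_auth_enabled(service_xml: str) -> bool:
    """True if the InvokerAdaptorService mbean still lists the AuthenticationInterceptor.
    ElementTree drops XML comments, so a commented-out interceptor reads as absent."""
    for mbean in ET.fromstring(service_xml).iter("mbean"):
        if mbean.get("code") == INVOKER_CLASS:
            for icp in mbean.iter("interceptor"):
                if icp.get("code", "").endswith(".AuthenticationInterceptor"):
                    return True
    return False

def audit(web_xml: str, users_properties: str, service_xml: str) -> List[str]:
    """Combine the three checks for the jmx-console deployment into one report."""
    findings = web_xml_findings(web_xml, "/*")
    findings.append("jmx-console-users.properties accounts: "
                    + (", ".join(list_accounts(users_properties)) or "none"))
    if not invoker_auth_enabled(service_xml):
        findings.append("jmx-invoker-service.xml: AuthenticationInterceptor absent "
                        "(JMX invoker authentication disabled)")
    return findings

# Constructed samples, not copied from a real installation
WEB_XML_PROTECTED = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""
WEB_XML_DISABLED = """<web-app>
  <!-- <security-constraint> commented out as the text describes </security-constraint> -->
</web-app>"""
USERS_PROPERTIES = "# constructed sample\nadmin=PLACEHOLDER_PASSWORD\n"
INVOKER_XML_ENABLED = f"""<server>
  <mbean code="{INVOKER_CLASS}" name="jboss.jmx:type=adaptor,name=Invoker">
    <descriptors><interceptors>
      <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor" securityDomain="java:/jaas/jmx-console"/>
      <interceptor code="org.jboss.jmx.connector.invoker.SerializableInterceptor" policyClass="StripModelMBeanInfoPolicy"/>
    </interceptors></descriptors>
  </mbean>
</server>"""
# Same descriptor with the authentication interceptor wrapped in an XML comment
INVOKER_XML_DISABLED = INVOKER_XML_ENABLED.replace(
    '<interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor"',
    '<!-- <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor"'
).replace('securityDomain="java:/jaas/jmx-console"/>', 'securityDomain="java:/jaas/jmx-console"/> -->')

if __name__ == "__main__":
    for line in audit(WEB_XML_DISABLED, USERS_PROPERTIES, INVOKER_XML_DISABLED):
        print(line)
```

Run against the "disabled" samples the report lists the uncovered /* pattern, the defined account, and the missing interceptor; against the protected samples it only notes that the constraint is limited to GET and POST, which is worth reviewing on any deployment where the consoles are meant to stay authenticated.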