JBoss-4.2.2.GA安全机制
?JBoss-4.2.2.GA默认部署了jmx-console和web-console,并且不需要密码即可访问,这样就存在安全隐患,容易造成攻击,故我们需要为这些部署加入安全机制。下面步骤分别针对jmx-console和web-console进行设置:
1.????? 设置jmx-console安全机制
a)????? 编辑deploy/jmx-console.war/WEB-INF/jboss-web.xml,搜寻到如下内容,并取消注释
<security-domain>java:/jaas/jmx-console</security-domain>
b)????? 编辑deploy/jmx-console.war/WEB-INF/web.xml,搜寻到如下内容,并取消注释
<security-constraint>
? <web-resource-collection>
? ? <web-resource-name>HtmlAdaptor</web-resource-name>
?? ?<description>An example security config that only allows users with the role JBossAdmin to access the HTML JMX console web application
??? </description>
??? <url-pattern>/*</url-pattern>
??? <http-method>GET</http-method>
??? <http-method>POST</http-method>
? </web-resource-collection>
? <auth-constraint>
? <role-name>JBossAdmin</role-name>
? </auth-constraint>
</security-constraint>
c)????? 打开conf/login-config.xml,搜寻到如下内容,检查usersProperties 和rolesProperties 对应的文件路径,默认是conf/props/jmx-console-users.properties和conf/props/jmx-console-roles.properties
<application-policy name = "jmx-console">
??? <authentication>
????? <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
??????????? flag = "required">
????? <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
?????? <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
?????? </login-module>
?? </authentication>
</application-policy>
d)????? 编辑conf/props/jmx-console-users.properties,设置有权限访问jmx-console的用户和密码,格式为“用户名=密码”,默认该文件内容为admin=admin
e)????? 编辑conf/props/jmx-console-roles.properties,设置上一步定义的用户角色,格式为“用户名=角色1,角色2”,默认该文件内容为 admin=JBossAdmin,HttpInvoker
2.????? 设置web-console安全机制
a)????? 编辑deploy/management/console-mgr.sar/web-console.war/WEB-INF/jboss-web.xml,搜寻到如下内容,并取消注释
<security-domain>java:/jaas/web-console</security-domain>
b)????? 编辑deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml,搜寻到如下内容,并取消注释
<security-constraint>
?? <web-resource-collection>
?? ??? <web-resource-name>HtmlAdaptor</web-resource-name>
?? ?<description>An example security config that only allows users with the role JBossAdmin to access the HTML JMX console web application
?? ?</description>
?? ??? <url-pattern>/*</url-pattern>
?? ??? <http-method>GET</http-method>
?? ??? <http-method>POST</http-method>
?? </web-resource-collection>
?? <auth-constraint>
?? ??? <role-name>JBossAdmin</role-name>
?? </auth-constraint>
?</security-constraint>
c)????? 打开conf/login-config.xml,搜寻到如下内容,检查usersProperties 和rolesProperties 对应的文件路径,默认是deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/web-console-users.properties和deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/props/web-console-roles.properties???
<application-policy name = "web-console">
? <authentication>
??? <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
???????????? flag = "required">
??? <module-option name="usersProperties">web-console-users.properties</module-option>
??? <module-option name="rolesProperties">web-console-roles.properties</module-option>
??? </login-module>
? </authentication>
</application-policy>
d)????? 编辑deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/web-console-users.properties,设置有权限访问web-console的用户和密码,格式为“用户名=密码”,默认该文件内容为admin=admin
e)????? 编辑deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/web-console-roles.properties,设置上一步定义的用户角色,格式为“用户名=角色1,角色2”,默认该文件内容为 admin=JBossAdmin,HttpInvoker
配置完成,重启JBoss
?
原文参考:http://blog.csdn.net/acylas/article/details/2326098
