
I have three JBoss servers running live, and they are served from one HTTP pool to the outside of my organization.

The problem is about the JBoss jmx-console security issue. As most of you know, the JBoss security bug was published as CVE-2010-0738. However, even after I removed the http-method GET and POST lines from web.xml, the problem still continues.

Any help would be appreciated.

Thanks a lot.

javatar
  • So you can still access jmx-console through the HEAD HTTP verb? Did you restart the server or redeploy jmx-console? Does accessing through the GET/POST HTTP verbs work correctly? It should without any change. – Robert Balent Jan 03 '13 at 13:19
  • Actually, I would simply like to close jmx-console, because I could not achieve disallowing access from outside of my network. In other words, I could not make it restricted for the following URL: www.somedomain.com//jmx-console – javatar Jan 03 '13 at 13:26

1 Answer


You can't bind the server to an external address and disallow access to jmx-console only from the local address.

The security of jmx-console is disabled by default in jboss-4.2.3, so you have to activate it. You need to do three steps.

  1. Uncomment the last part of jmx-console/WEB-INF/web.xml (the part with security-constraint, login-config and security-role)
  2. Uncomment the one line that is in jboss-web.xml ( line)
  3. Change password in server/<profile>/conf/props/jmx-console-users.properties

Now you can access jmx-console only with the user and password set in jmx-console-users.properties and with the role JBossAdmin in jmx-console-roles.properties.

And also don't forget to delete the already mentioned part:

<http-method>GET</http-method>
<http-method>POST</http-method>

And you can also disable jmx-console completely by just deleting the whole jmx-console from the deploy directory.

Robert Balent
  • Thanks first of all. However, I have already done all the security steps, as I mentioned in my question above. The problem is not about securing jmx-console; rather, it is about the jmx-console security BUG issue which was published a while ago. I mean, even if I removed the http-method parts, I am still able to enter the jmx-console login page. If you have one, please give it a try: http://www.yourdomain.com//jmx-console (note that I used a double "/"); try it. – javatar Jan 06 '13 at 12:36
  • The BUG you mentioned (CVE-2010-0738) bypasses the login page. If the server asks for login credentials, that's correct behavior. However, if you want to prohibit access to jmx-console, you would probably need to insert an Apache HTTP server between the JBoss server and the outside world. – Robert Balent Jan 06 '13 at 23:46
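The reason the answer tells you to delete the two http-method lines is that a security-constraint listing explicit verbs only protects those verbs; a request using any other verb (HEAD, for instance) is routed to the console servlet without authentication, which is the CVE-2010-0738 condition. The following is an added example, not code from the question, the answer or the JBoss project: a Python check that parses a jmx-console web.xml and reports every web-resource-collection that restricts itself to named verbs. The two descriptors embedded in it are constructed samples modelled on the answer's steps (the JBossAdmin role and the GET/POST lines are from the answer; the element layout and the COMMON_VERBS list are my assumptions).

```python
"""Added example: static check for the CVE-2010-0738 misconfiguration in a
JBoss jmx-console web.xml. A <security-constraint> whose
<web-resource-collection> lists explicit <http-method> elements protects
only those verbs; removing the lines makes the constraint cover all verbs.
The descriptors below are constructed samples, not the real 4.2.3 files."""
import xml.etree.ElementTree as ET

# Constructed: the uncommented 4.2.3-style security block, still carrying
# the GET/POST lines the answer says to delete.
WEAK_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>JBoss JMX Console</realm-name>
  </login-config>
  <security-role>
    <role-name>JBossAdmin</role-name>
  </security-role>
</web-app>
"""

# Constructed: the same descriptor with the two http-method lines removed.
FIXED_WEB_XML = WEAK_WEB_XML.replace(
    "      <http-method>GET</http-method>\n", ""
).replace("      <http-method>POST</http-method>\n", "")

# Assumed list of verbs a container routes to the servlet regardless of
# what the constraint names; used to report what an explicit list misses.
COMMON_VERBS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE")


def _local(tag):
    """Strip any XML namespace so the check works for 2.3 DTD and 2.4+
    namespaced descriptors alike."""
    return tag.rsplit("}", 1)[-1]


def method_limited_constraints(web_xml_text):
    """Return [(resource-name, [url-patterns], [http-methods])] for every
    web-resource-collection that names explicit http-method elements.
    An empty list means each constraint applies to all verbs."""
    root = ET.fromstring(web_xml_text)
    findings = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            name, patterns, methods = "", [], []
            for child in wrc:
                kind = _local(child.tag)
                text = (child.text or "").strip()
                if kind == "web-resource-name":
                    name = text
                elif kind == "url-pattern":
                    patterns.append(text)
                elif kind == "http-method":
                    methods.append(text.upper())
            if methods:
                findings.append((name, patterns, methods))
    return findings


def uncovered_verbs(listed_methods):
    """Verbs from COMMON_VERBS that an explicit http-method list leaves
    unauthenticated."""
    listed = {m.upper() for m in listed_methods}
    return [v for v in COMMON_VERBS if v not in listed]


if __name__ == "__main__":
    for label, text in (("weak", WEAK_WEB_XML), ("fixed", FIXED_WEB_XML)):
        found = method_limited_constraints(text)
        if not found:
            print(f"{label}: every security-constraint covers all verbs")
        for name, patterns, methods in found:
            print(f"{label}: {name} {patterns} only protects {methods}; "
                  f"unauthenticated for {uncovered_verbs(methods)}")
```

To run it against a deployed console, read server/<profile>/deploy/jmx-console.war/WEB-INF/web.xml and pass its contents to method_limited_constraints; an empty result means the constraint covers all verbs, while a non-empty result names the verbs still protected and, via uncovered_verbs, the ones that are not.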