
Securing the JBoss Server

 hh3755 2013-03-30

JBoss comes with several admin access points that need to be secured or removed to prevent unauthorized access to admin functions in a deployment. The following sections describe the various admin services and how to secure them.

The jmx-console.war Service

The jmx-console.war found in the deploy directory provides an HTML view into the JMX microkernel. It therefore exposes arbitrary admin-level operations: shutting down the server, stopping services, deploying new services, and so on. It should either be secured like any other web application or removed from the deploy directory.

The web-console.war Service

The web-console.war found in the deploy/management directory is another web application view into the JMX microkernel. It uses a combination of an applet and an HTML view and provides the same level of access to admin functionality as the jmx-console.war, so it should likewise either be secured or removed. The web-console.war ships with a commented-out security-constraint template in its WEB-INF/web.xml as well as a commented-out security-domain element in WEB-INF/jboss-web.xml.

The http-invoker.sar Service

The http-invoker.sar found in the deploy directory is a service that provides RMI/HTTP access for EJBs and the JNDI Naming service. It includes a servlet that processes POSTs of marshaled org.jboss.invocation.Invocation objects, each representing an invocation to be dispatched onto the MBeanServer. This effectively gives HTTP access to every MBean that supports the detached invoker operation, since an attacker need only work out how to format a suitable POST. To secure this access point, you need to secure the JMXInvokerServlet servlet declared in the http-invoker.sar/invoker.war/WEB-INF/web.xml descriptor. A secured mapping is already defined for the /restricted/JMXInvokerServlet path by default; to use it, remove the unrestricted servlet-mappings and configure the http-invoker security domain in the http-invoker.sar/invoker.war/WEB-INF/jboss-web.xml descriptor.
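An added example (not from the original guide) of the invoker.war descriptors after that change: the unrestricted /JMXInvokerServlet/* mapping is gone, only the /restricted/ path remains, and the constraint covers every HTTP verb. The servlet class name, the HttpInvoker role and the http-invoker domain name follow the stock JBoss 4 descriptors; the other servlets declared in the same web.xml for EJB and JNDI access are assumed to exist and are to be treated the same way, and the application-policy for java:/jaas/http-invoker is assumed to be defined in conf/login-config.xml in the same form as the jmx-console policy.

```xml
<!-- deploy/http-invoker.sar/invoker.war/WEB-INF/web.xml -->
<web-app>

  <servlet>
    <servlet-name>JMXInvokerServlet</servlet-name>
    <servlet-class>org.jboss.invocation.http.servlet.InvokerServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>

  <!-- The shipped descriptor maps this servlet twice:
         /JMXInvokerServlet/*            (no constraint applies)
         /restricted/JMXInvokerServlet/* (covered by the constraint below)
       Delete the first mapping; anything left outside /restricted/ is an
       unauthenticated path to the MBeanServer. Do the same for the EJB
       invoker and JNDI factory servlets declared in this file. -->
  <servlet-mapping>
    <servlet-name>JMXInvokerServlet</servlet-name>
    <url-pattern>/restricted/JMXInvokerServlet/*</url-pattern>
  </servlet-mapping>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HttpInvokers</web-resource-name>
      <description>Only users with the HttpInvoker role may call the invoker servlets</description>
      <url-pattern>/restricted/*</url-pattern>
      <!-- no <http-method> elements: the constraint must apply to all verbs -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>HttpInvoker</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>JBoss HTTP Invoker</realm-name>
  </login-config>

  <security-role>
    <role-name>HttpInvoker</role-name>
  </security-role>

</web-app>

<!-- deploy/http-invoker.sar/invoker.war/WEB-INF/jboss-web.xml
     Uncomment the shipped security-domain element so the constraint above
     is enforced by the http-invoker JAAS policy. -->
<jboss-web>
  <context-root>/invoker</context-root>
  <security-domain>java:/jaas/http-invoker</security-domain>
</jboss-web>
```

Two follow-up checks matter here. First, legitimate clients that were handed the old URL (the HttpInvoker MBean in http-invoker.sar/META-INF/jboss-service.xml publishes its InvokerURL to clients, and JNDI clients name the servlet in their java.naming.provider.url) must be pointed at the /invoker/restricted/... path and given HttpInvoker credentials, otherwise they stop working silently. Second, a POST to the removed path, for example `curl -X POST http://host:8080/invoker/JMXInvokerServlet`, should now return 404, and the same POST to /invoker/restricted/JMXInvokerServlet should return 401 without credentials.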

The jmx-invoker-adaptor-server.sar Service

The jmx-invoker-adaptor-server.sar is a service that exposes the JMX MBeanServer interface via an RMI-compatible interface, using the RMI/JRMP detached invoker service. Currently, the only way to secure this service is to switch its protocol to RMI/HTTP and secure the http-invoker.sar as described in the previous section. In the future, this service will be deployed as an XMBean with a security interceptor that supports role-based access checks. If you are so inclined, you can set up this configuration today by following the procedure demonstrated in the section "Version 3: Adding Security and Remote Access to the JNDIMap XMBean" in Chapter 2, "The JBoss JMX Microkernel."
