
Patching up the JBoss remote console

Posted on 2009-04-10 16:30 by ZhouFeng, views (1550), comments (0). Category: Reprinted, Web servers
This afternoon at work I found that the server could not be reached, and there had been no power cut. I entered the password to unlock the X Window session and found that JBoss really had shut down, at 13:23; I noticed at 15:33.
This had never happened before. Checking the server access log, it turned out that someone had shut the server down remotely through the jmx-console. I had never even used that feature myself, and someone else beat me to it!
I knew that in a default JBoss installation the jmx-console and web-console can be accessed without a password, but I had always assumed they could only be used from localhost, so it never occurred to me that there was a security problem. I figured that JBoss, being so professional and mature, would naturally take care of such a small matter, but I was wrong!
After restarting the server I reproduced it myself, and sure enough, in under a minute I found the page jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=Server, which has a "shutdown" entry; clicking invoke next to it really did shut the server down.
From the log analysis, a visitor with the IP address 218.79.105.121 had visited this site on June 20; this morning after 10 o'clock he read one of my articles about JBoss via Baidu, then went to try out this site's wide-open jmx-console, experimented for three hours and finally found the way to shut the server down remotely.
So, from his home in Xuhui, Shanghai (ADSL, so presumably home), he remotely shut down the server sitting in my own office on the outskirts of Beijing.
Having overlooked such a big hole is embarrassing. Time to catch up.
SecureTheJmxConsole is the official JBoss documentation; the approach it describes should work, but it does not need to be that involved.
You only need to go into WEB-INF of the two packages jmx-console.war and web-console.war and edit jboss-web.xml and web.xml. All I did was uncomment the relevant sections, replace the JAAS domain with my own, zhuoda.org, and replace the security role with my own, zduAdmin, and that was it; there was no need to touch the users.properties and roles.properties files.

Reprinted from: http://www.zhuoda.org/hofman/21129.html
The following content comes from the SecureTheJmxConsole link.

Securing the JMX Console and Web Console

Both the jmx-console and web-console are standard servlet 2.3 deployments and can be secured using J2EE role based security. Both also have a skeleton setup to allow one to easily enable security using username/password/role mappings found in the jmx-console.war and web-console.war deployments in the corresponding WEB-INF/classes users.properties and roles.properties files.

The security setup is based on two pieces: the standard WEB-INF/web.xml servlet URI to role specification, and the WEB-INF/jboss-web.xml specification of the JAAS configuration, which defines how authentication and role mapping is performed.

To secure the JMX Console using a username/password file -

  • Locate the jmx-console.war directory.  This will normally be in server/default/deploy in your JBOSS_HOME directory.

  • edit WEB-INF/web.xml and uncomment the security-constraint block.

  • edit WEB-INF/classes/jmx-console-users.properties or server/default/conf/props/jmx-console-users.properties (version >=4.0.2) and WEB-INF/classes/jmx-console-roles.properties or server/default/conf/props/jmx-console-roles.properties (version >=4.0.2) and change the users and passwords to what you desire.  They will need the JBossAdmin role specified in the web.xml file to run the JMX Console.

  • edit WEB-INF/jboss-web.xml and uncomment the security-domain block. The security-domain value, jmx-console, maps to the application-policy of that name declared in the login-config.xml JAAS configuration file, which defines how authentication and authorization are done.

To secure the JMX Console using your own JAAS domain -

  • edit WEB-INF/web.xml as above, uncommenting the security-constraint block. Change the role-name value to the role in your domain that may access the console.

  • edit WEB-INF/jboss-web.xml as above, setting the security domain to the name of your security domain. For example, if your login-config.xml has an application-policy whose name is MyDomain, then your JAAS domain is java:/jaas/MyDomain.

  • after making all the changes, redeploy the application. The application can be redeployed by touching the web.xml file or by restarting the server.

The process to secure the web console is similar. In the deploy directory, locate management/web-console.war and make the same changes as above to WEB-INF/web.xml, WEB-INF/jboss-web.xml and the users/groups properties files. The default JAAS domain used by the web-console is java:/jaas/web-console and is defined in login-config.xml in the conf directory. You can use a custom JAAS domain or customize the existing domain in the same way as with the JMX console. Typically you would just use the same domain (java:/jaas/jmx-console) as the jmx-console so that you have a single user/role mapping to configure.

If you find, as I did with 3.2.5, that I couldn't log in, another users.properties is most likely being picked up. Change the web-console login-config.xml entry so that the properties files are uniquely named, to avoid ambiguity about which resource is picked up. You would also need to rename the web-console properties files. (see http://www.jboss.org/index.html?module=bb&op=viewtopic&t=53346 )

As an extra level of security you may also want to LimitAccessToCertainClients in a particular IP address range.



Update for 4.0.2

The jmx-console-roles.properties and jmx-console-users.properties files have been moved to server/default/conf/props. This is because of the change to use the servlet 2.3 class loading model: these properties files would not be visible to the other deployments using the jmx-console security domain. You can move the files from conf/props to WEB-INF/classes, or leave them in place and edit the password for admin.

Similarly for the web console, please note that the web console is unpacked already in the default server configuration as deploy/management/console-mgr.sar/web-console.war. Proceed to edit the WEB-INF/web.xml and jboss-web.xml files as per securing the JMX console, and either edit the WEB-INF/classes/web-console-roles.properties and web-console-users.properties, or move those files to server/default/conf/props and edit them there.

For the impatient

vi $JBOSS_HOME/server/default/deploy/jmx-console.war/WEB-INF/web.xml

uncomment the security-constraint block

and add a <login-config> block after the end of the <security-constraint> block:

   <login-config>
     <auth-method>BASIC</auth-method>
     <realm-name>JMXConsole</realm-name>
   </login-config>

vi $JBOSS_HOME/server/default/deploy/jmx-console.war/WEB-INF/jboss-web.xml

Uncomment the security-domain block. Make sure the JNDI name maps to the realm name (i.e. JMXConsole)

vi $JBOSS_HOME/server/default/conf/props/jmx-console-users.properties

change the password for admin

vi $JBOSS_HOME/server/default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml

uncomment the security-constraint block

and add a <login-config> block after the end of the <security-constraint> block:

   <login-config>
     <auth-method>BASIC</auth-method>
     <realm-name>JMXConsole</realm-name>
   </login-config>

vi $JBOSS_HOME/server/default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/jboss-web.xml

Uncomment the security-domain block. Make sure the JNDI name maps to the realm name (e.g. JMXConsole)

vi $JBOSS_HOME/server/default/conf/login-config.xml

Change the path to the web-console-users.properties and the web-console-roles.properties as follows (add props/ to the front of the path)

             <module-option name="usersProperties">props/web-console-users.properties</module-option>

             <module-option name="rolesProperties">props/web-console-roles.properties</module-option>

cp $JBOSS_HOME/server/default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/web-console-*.properties $JBOSS_HOME/server/default/conf/props

edit as needed

cp $JBOSS_HOME/server/default/conf/props/jmx-console-roles.properties $JBOSS_HOME/server/default/conf/props/web-console-roles.properties

edit as needed

edit $JBOSS_HOME/server/default/conf/login-config.xml, find the jmx-console and web-console application-policy entries, and set their names to jmx-console and web-console, respectively. That is, make sure that the application policy name maps to the realm name (i.e. JMXConsole).

restart jboss


Additionally, to secure jmx-console and web-console authentication via SSL:

  • you must perform the above steps to enable HTTP authentication first ...

   the following steps below will redirect jboss admin pages to https://localhost:8443

  • edit both web.xml files to include the following just before the end of the security-constraint tag:

   <security-constraint>
     ...
     <user-data-constraint>
       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
     </user-data-constraint>
   </security-constraint>

  • generate /data01/jboss/server/xxxx/conf/keystore and select your own new secure password

(@see creating SSL keystore using the java keytool - http://www.informit.com/articles/article.asp?p=407886)

or for a quick setup, generate and verify it via:

$ keytool -genkey -keystore /data01/jboss/server/xxx/conf/keystore -alias jbossAdmin
$ keytool -list -keystore /data01/jboss/server/xxx/conf/keystore

$ vi /data01/jboss/server/xxx/deploy/jbossweb-tomcat50.sar/server.xml

  • secure the file permissions via chmod 600 server.xml

  • uncomment section "SSL/TLS Connector" to enable Connector port="8443"

  • replace keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"

  with    keystoreFile="${jboss.server.home.dir}/conf/keystore"

  • replace keystorePass="rmi+ssl" sslProtocol = "TLS" />

  with    keystorePass="


