Configure Password access in JBoss Web-Console

Carlos Cabral

Question

In case you want to have your Web-Console configured with username and password access policy take the following steps.

1) Go to directory /opt/jboss-4.0.3SP1/server/outsystems/deploy/management/console-mgr.sar/web-console.war/WEB-INF/

2) Edit file jboss-web.xml, uncomment section <security-domain>java:/jaas/web-console</security-domain> as presented below. This links the security domain to the web application, but it doesn't tell the web application what security policy to enforce, what URLs are we trying to protect, and who is allowed to access them.

------------------------------------------------------------------------------------------------

<?xml version='1.0' encoding='UTF-8' ?>
<!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application
2.3V2//EN" "https://www.jboss.org/j2ee/dtd/jboss-web_3_2.dtd">

<jboss-web>


<security-domain>java:/jaas/web-console</security-domain>

<depends>jboss.admin:service=PluginManager</depends>
</jboss-web>

------------------------------------------------------------------------------------------------

3) To configure security policies, URL to protect, and who is allowed to access it, edit file web.xml in the same directory and uncomment the security-constraint that is already there as presented below. This security constraint will require a valid user name and password for a user in the JBossAdmin group.

------------------------------------------------------------------------------------------------



<security-constraint>
<web-resource-collection>
<web-resource-name>HtmlAdaptor</web-resource-name>
<description>An example security config that only allows users with the
role JBossAdmin to access the HTML JMX console web application
</description>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>JBossAdmin</role-name>
</auth-constraint>
</security-constraint>

------------------------------------------------------------------------------------------------

4) User names and passwords come from web-console security domain we linked the application to.

Configuration for this lies in file placed in directory /opt/jboss-4.0.3SP1/server/outsystems/conf/login-config.xml.
This configuration uses a simple file based security policy. The configuration files are found in /opt/jboss-4.0.3SP1/server/outsystems/deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes of your server configuration.
The usernames and passwords are stored in the web-console-users.properties file and take the form "username=password".
To assign a user to the JBossAdmin group add "username=JBossAdmin" to the web-console-roles.properties.properties file. The existing file has an admin user with the password admin. For security, please either remove the user or change the password to a stronger one.

JBoss will re-deploy the JMX Console whenever you update its web.xml file.

------------------------------------------------------------------------------------------------

That's all for now,

Carlos Cabral

05 Mar 2008

Christophe Dubien

Hi, I have a question about the modification of the JBoss Web-Console password. My Jboss is the version 4.2.0 and I found the password on the file web-console-users.properties. But this password is encrypted ! Anyone know the procedure to encrypt a new Web-Console password?
Thanks.

26 Jan 2010

Community GuidelinesBe kind and respectful, give credit to the original source of content, and search for duplicates before posting.

See the full guidelines