Resource Security in OutSystems J2EE Platform

EDIT: New & Updated post here: http://www.outsystems.com/forums/discussion/10479/tip-activating-admin-console-and-jmx-console-in-jboss-5-x-and-securing-access/

---

Within an OutSystems J2EE installation, sensitive resources must be protected from unauthorized access by applying security measures to those resources. From the Tomcat web server's perspective, this configuration can be applied to the entire server or on a per-service basis. The following sections present the procedure for filtering access based on the client's network IP address.

---------------------------------------------------------------------------------------------------------------------------------------------------------------

If you need to apply a security setting that limits access to every resource on the server, do the following:

Create a file named "context.xml", owned by the jboss user, with the following content:

<Context debug="1" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="172.16.*.*,192.169.*.*" deny="" />
</Context>

The allow parameter lists the networks from which access to the server resources is allowed.

Place the context.xml file in the following location:

/opt/jboss-4.0.3SP1/server/outsystems/deploy/jbossweb-tomcat55.sar/ROOT.war/WEB-INF

Restart the JBoss and OutSystems services.

---------------------------------------------------------------------------------------------------------------------------------------------------------------

Next we explain how to apply security settings that limit access to Status, JMX-Console, Web-Console and Ws4ee, since these services are by default available to everyone once deployed.

To restrict access to Status, which is reachable through the links below:

http://www.someServer.pt/status
http://www.someServer.pt/status?full=true
http://www.someServer.pt/status?XML=true

copy the previously presented "context.xml" file to the directory:

/opt/jboss-4.0.3SP1/server/outsystems/deploy/jbossweb-tomcat55.sar/ROOT.war/WEB-INF

-------------------------------------------------------

To restrict access to JMX-Console, which is normally located at:

http://www.someServer.pt/jmx-console/

copy the previously presented "context.xml" file to the directory:

/opt/jboss-4.0.3SP1/server/outsystems/deploy/jmx-console.war/WEB-INF

-------------------------------------------------------

To restrict access to Web-Console, which is normally located at:

http://www.someServer.pt/web-console/

copy the previously presented "context.xml" file to the directory:

/opt/jboss-4.0.3SP1/server/outsystems/deploy/management/console-mgr.sar/web-console.war/WEB-INF

-------------------------------------------------------

To restrict access to Ws4ee, located at:

http://www.someServer.pt/ws4ee

do the following:

1) As the jboss user, create the following directory if it does not already exist:

/opt/jboss-4.0.3SP1/server/outsystems/deploy/jboss-ws4ee.sar/WEB-INF

and copy the previously presented "context.xml" file into it.

2) Back up the file:

/opt/jboss-4.0.3SP1/server/outsystems/deploy/jboss-ws4ee.sar/jboss-ws4ee.war

so that it can be rolled back if needed.

3) Change the working directory to:

/opt/jboss-4.0.3SP1/server/outsystems/deploy/jboss-ws4ee.sar

4) Update the security context by running the following command:

jar uf jboss-ws4ee.war WEB-INF/context.xml

Then delete the previously created directory:

/opt/jboss-4.0.3SP1/server/outsystems/deploy/jboss-ws4ee.sar/WEB-INF/

5) Finally, restart the JBoss and OutSystems services.

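As an added example (not part of this post, and not OutSystems or JBoss code): a Python check for step 4, confirming that the updated war really carries WEB-INF/context.xml and that the file inside declares the RemoteAddrValve, before the directory is deleted and the services restarted. It also performs the equivalent of "jar uf" with the zipfile module so the check can be exercised offline on a war it builds itself. The war built by make_demo_war, its path, and the context.xml text are constructed for this demonstration and are not taken from a real installation.

```python
"""
Added example: verify that a war contains WEB-INF/context.xml with the valve.

Assumptions (not from the original post): the demo war, its contents and the
temporary path are constructed here; nothing is read from a real deployment.
"""
import os
import tempfile
import xml.etree.ElementTree as ET
import zipfile

VALVE_CLASS = "org.apache.catalina.valves.RemoteAddrValve"
CONTEXT_ENTRY = "WEB-INF/context.xml"  # 'jar uf' stores exactly this entry name

# Constructed context.xml carrying the valve from the post.
CONTEXT_XML = (
    '<Context debug="1" privileged="true">\n'
    '  <Valve className="org.apache.catalina.valves.RemoteAddrValve"'
    ' allow="172.16.*.*,192.169.*.*" deny="" />\n'
    '</Context>\n'
)


def find_valve_allow(xml_text):
    """Return the allow attribute of the RemoteAddrValve, or None if absent."""
    root = ET.fromstring(xml_text)
    for valve in root.iter("Valve"):
        if valve.get("className") == VALVE_CLASS:
            return valve.get("allow", "")
    return None


def add_context_to_war(war_path, context_xml=CONTEXT_XML):
    """Equivalent of 'jar uf <war> WEB-INF/context.xml'.

    'jar uf' replaces an existing entry; ZipFile in append mode would add a
    second copy instead, so refuse rather than leave two entries behind.
    """
    with zipfile.ZipFile(war_path, "a") as war:
        if CONTEXT_ENTRY in war.namelist():
            raise ValueError(f"{CONTEXT_ENTRY} already present in {war_path}")
        war.writestr(CONTEXT_ENTRY, context_xml)


def audit_war(war_path):
    """Return (entry_present, valve_allow) for the war."""
    with zipfile.ZipFile(war_path) as war:
        if CONTEXT_ENTRY not in war.namelist():
            return False, None
        return True, find_valve_allow(war.read(CONTEXT_ENTRY))


def make_demo_war(directory):
    """Build a minimal constructed war (one web.xml entry) for the demo."""
    path = os.path.join(directory, "jboss-ws4ee.war")
    with zipfile.ZipFile(path, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
    return path


def demo():
    """Run the sequence on a temporary war; return audit results before/after."""
    with tempfile.TemporaryDirectory() as tmp:
        war = make_demo_war(tmp)
        before = audit_war(war)
        add_context_to_war(war)
        after = audit_war(war)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before jar uf:", before)
    print("after  jar uf:", after)
```

On a real installation, point audit_war at the jboss-ws4ee.war path from step 2 (after step 4) and expect (True, "172.16.*.*,192.169.*.*"); a (False, None) result means the entry was added under a different path, which the valve will never see.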
---------------------------------------------------------------------------------------------------------------------------------------------------------------

With the configuration provided above, whether applied to the entire server or to one specific service, a request from an unauthorized network receives a "403 Forbidden Access" error.

-------------------------------------------------------


That's all for now,

Carlos Cabral