Attached is an outline for a document on securing a default JBoss distribution.
It is really only listing the services that can allow access to admin and config
aspects of JBoss. The completed version will be available through the
sourceforge docs section. If there are any other access points that need to be
documented let me know.

--
xxxxxxxxxxxxxxxxxxxxxxxx
Scott Stark
Chief Technology Officer
JBoss Group, LLC
xxxxxxxxxxxxxxxxxxxxxxxx

Title: Securing JBoss




Securing a Default JBoss Installation

The default JBoss distribution does not impose any default security to the admin tools deployed with the default and all configurations. The services that allow access to the JBoss server that may need to be secured or removed include:

NamingService

The JNDI naming service is not secured by default and allows access to the JBoss JNDI tree on port 1099. You can change the port and interface which the naming service is bound on, as well as add role based security using a custom XMBean configuration.

RMI Adaptor

A proprietary RMI adaptor for accessing the JBoss JMX MBeanServer. This is a standard RMI service that can only be secured by specifying the port and interface on which service runs. Its functionality is superceeded by the RMI Invoker Adaptor which does allow for role based or custom security and will be dropped as of the 3.2.2 release.

RMI Invoker Adaptor

A proprietary adaptor that provides an RMI interface to the JBoss JMX MBeanServer over any protocol for which a detached inovoker exists. The default configuration uses RMI/JRMP. This service can be secured by specifying the interface and port on which the service runs as well as by adding role based or custom security using an XMBean.

JMX Console

The JMX console provides and HTML interface to the JBoss JMX MBeanServer. It is a standard web application and can be configured to use role based security as any other web application.

Web Console

The web console provides and alternate HTML interface to the JBoss JMX MBeanServer. It is a standard web application and can be configured to use role based security as any other web application.

HSQL DB

The Hypersonic embedded database has run with a TCP/IP connector on port 1701 with a default login. This service can be secured by chaning the interface, port and login. You can also disable the TCP/IP connector and this is the default configuration as of JBoss 3.2.2.

EJB Connector

A proprietary adaptor that provides an EJB interface to the JBoss JMX MBeanServer. Its functionality is superceeded by the standard EJB inteface provided by the EJB Management Connector. This service will be dropped as of the 3.2.2 release.

EJB Management Connector

An implementation of the JSR-77 EJB connector for accessing JMX MBeanServers. This is a standard stateless session EJB and can be secured like any other EJB.

Reply via email to