Attached is an outline for a document on securing a default JBoss distribution.
It is really only listing the services that can allow access to admin and config
aspects of JBoss. The completed version will be available through the
sourceforge docs section. If there are any other access points that need to be
documented let me know.
--
xxxxxxxxxxxxxxxxxxxxxxxx
Scott Stark
Chief Technology Officer
JBoss Group, LLC
xxxxxxxxxxxxxxxxxxxxxxxx
Title: Securing JBoss
Securing a Default JBoss Installation
The default JBoss distribution does not impose any default security to
the admin tools deployed with the default and all configurations. The
services that allow access to the JBoss server that may need to be
secured or removed include:
NamingService
The JNDI naming service is not secured by default and allows access to
the JBoss JNDI tree on port 1099. You can change the port and interface
which the naming service is bound on, as well as add role based
security using a custom XMBean configuration.
RMI Adaptor
A proprietary RMI adaptor for accessing the JBoss JMX MBeanServer. This
is a standard RMI service that can only be secured by specifying the
port and interface on which service runs. Its functionality is
superceeded by the RMI Invoker Adaptor which does allow for role based
or custom security and will be dropped as of the 3.2.2 release.
RMI Invoker Adaptor
A proprietary adaptor that provides an RMI interface to the JBoss JMX
MBeanServer over any protocol for which a detached inovoker exists. The
default configuration uses RMI/JRMP. This service can be secured by
specifying the interface and port on which the service runs as well as
by adding role based or custom security using an XMBean.
JMX Console
The JMX console provides and HTML interface to the JBoss JMX
MBeanServer. It is a standard web application and can be configured to
use role based security as any other web application.
Web Console
The web console provides and alternate HTML interface to the JBoss JMX
MBeanServer. It is a standard web application and can be configured to
use role based security as any other web application.
HSQL DB
The Hypersonic embedded database has run with a TCP/IP connector on
port 1701 with a default login. This service can be secured by chaning
the interface, port and login. You can also disable the TCP/IP
connector and this is the default configuration as of JBoss 3.2.2.
EJB Connector
A proprietary adaptor that provides an EJB interface to the JBoss JMX
MBeanServer. Its functionality is superceeded by the standard EJB
inteface provided by the EJB Management Connector. This service will be
dropped as of the 3.2.2 release.
EJB Management Connector
An implementation of the JSR-77 EJB connector for accessing JMX
MBeanServers. This is a standard stateless session EJB and can be
secured like any other EJB.