jboss.jcml has clear text passwords all over the place so I don't see that
as a major problem.  A password in the config file is better than no
password at all.  What do you mean by "sun JMX adaptor has authorization
capability, but it is not accessible via the MBean"?  Is the source
available?

----- Original Message -----
From: "Fred Loney" <[EMAIL PROTECTED]>
To: "Guy Rouillier" <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Thursday, November 15, 2001 1:15 PM
Subject: Re: [JBoss-user] Security


> The sun JMX adaptor has authorization capability, but it is not
> accessible via the MBean. The easiest way to add security is to wrap the
> HtmlAdaptorServer in an MBean that initializes authorization. I've done
> something similar in a different context, and am willing to submit such
> a contribution if there is sufficient interest.  The service config
> would be:
>
> <mbean code="org.jboss.jmx.server.HtmlAdaptorService"
> name="Adaptor:name=html">
>     <constructor>
>        <arg type="int" value="8082"/>    <!-- port -->
>        <arg type="java.lang.String" value="myuserid"/>
>        <arg type="java.lang.String" value="mypasswd"/>
>     </constructor>
>     <!-- base attributes ... -->
> </mbean>
>
> The obvious flaw is a plaintext password in the config file. Clearly the
> password should not be a true system password. As long as the server
> config file is protected, this provides a modicum of security. The MBean
> could expose an addAuthorization and removeAuthorization operation as
> well with an argument in "name/password" format.
>
> The html config service is then restricted behind a firewall or in the
> absence of a firewall.
>
> An alternative that enables config outside the firewall is to build a
> jsp page that accesses the MBeanServer (cf.
> http://www.javaworld.com/javaworld/jw-06-2001/jw-0608-jmx.html) and then
> secure that page.
>
> Fred Loney
> Spirited Software, Inc.
> www.spiritedsw.com
>
> ----- Original Message -----
> From: "Guy Rouillier" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, November 15, 2001 7:57 AM
> Subject: Re: [JBoss-user] Security
>
>
> > On a related note, I like the JMX management capability, so I don't want to
> > disable it completely, but I'd like to limit who can get to it.
> >
> > (1) Apparently, the page as delivered has no security - there is no
> > userid/password specified in jboss.jcml, and there is no log on page. Is it
> > possible to configure so a userid and password are required?
> >
> > (2) If the answer to (1) is no, where is the source for the management page?
> > I'm assuming this is com.sun.jdmk.comm.HtmlAdaptorServer, as I looked at
> > org.jboss.jmx.server.JMXAdaptorService and
> > org.jboss.jmx.server.RMIConnectorService and they are just concerned with
> > connections.  Is the source available?  If so, I'd like to modify it to
> > request a userid and password, if those two values are specified in
> > jboss.jcml.
> >
> > ----- Original Message -----
> > From: "Lennart Petersson" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Thursday, November 15, 2001 8:25 AM
> > Subject: SV: [JBoss-user] Security
> >
> >
> > Look in conf/jboss.jcml:
> >   <mbean code="com.sun.jdmk.comm.HtmlAdaptorServer"
> > name="Adaptor:name=html">
> >     <attribute name="MaxActiveClientCount">10</attribute>
> >     <attribute name="Parser" />
> >     <attribute name="Port">8082</attribute>
> >   </mbean>
> >
> > Shouldn't it be possible to just comment it out, or?
> > /Lennart
> > ----- Original Message -----
> > From: jquest jquest <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> > Sent: Thursday, November 15, 2001 1:26 PM
> > Subject: Re: [JBoss-user] Security
> >
> >
> > >
> > > Hi,
> > > Thanks for this answer.
> > > It is possible.
> > > I need to know how to disable the 8082 port in jboss config.
> > > Is it possible ?
> > >
> > >
> > > >From: Peter Fagerlund <[EMAIL PROTECTED]>
> > > >To: jquest jquest <[EMAIL PROTECTED]>,
> > > >"[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> > > >Subject: Re: [JBoss-user] Security
> > > >Date: Thu, 15 Nov 2001 13:23:27 +0100
> > > >
> > > >on 1-11-15 13.08, jquest jquest at [EMAIL PROTECTED] wrote:
> > > >
> > > > > Hi all,
> > > > > I use jboss as application server.
> > > > > I can call http://my.server.ip:8082 and see the setup of jboss.
> > > > > How can I disable this option.
> > > >
> > > >The recommendation is:
> > > >when running an application server, do so behind a firewall ...
> > > >
> > > >/peter_f
> > > >
> > >
> > >
> > > _______________________________________________
> > > JBoss-user mailing list
> > > [EMAIL PROTECTED]
> > > https://lists.sourceforge.net/lists/listinfo/jboss-user

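Added example, not part of the thread and not JBoss code: a small Python audit of a jboss.jcml that tells apart the three states discussed above (stock HtmlAdaptorServer with no login, the mbean commented out, and the proposed wrapper with a plaintext password). The `<server>` root element, the sample configs and the finding labels are constructed for illustration, and `org.jboss.jmx.server.HtmlAdaptorService` is the wrapper proposed in the quoted message, treated here as hypothetical.

```python
import xml.etree.ElementTree as ET

STOCK = "com.sun.jdmk.comm.HtmlAdaptorServer"        # class named in the thread
WRAPPER = "org.jboss.jmx.server.HtmlAdaptorService"  # wrapper proposed in the thread (hypothetical)

def audit_jcml(xml_text):
    """Return (mbean name, port, finding) for each HTML adaptor entry."""
    findings = []
    # ElementTree drops XML comments, so a commented-out <mbean> is not seen.
    for mbean in ET.fromstring(xml_text).iter("mbean"):
        code, name = mbean.get("code"), mbean.get("name")
        if code == STOCK:
            port = next((a.text for a in mbean.findall("attribute")
                         if a.get("name") == "Port"), None)
            findings.append((name, port, "exposed-no-auth"))
        elif code == WRAPPER:
            args = mbean.findall("constructor/arg")
            port = next((a.get("value") for a in args if a.get("type") == "int"), None)
            creds = [a.get("value") for a in args if a.get("type") == "java.lang.String"]
            ok = len(creds) >= 2 and all(creds[:2])
            findings.append((name, port,
                             "auth-plaintext-password" if ok else "exposed-no-auth"))
    return findings or [(None, None, "adaptor-disabled")]

# Constructed sample configs (the <server> root is an assumption).
STOCK_CFG = """<server>
  <mbean code="com.sun.jdmk.comm.HtmlAdaptorServer" name="Adaptor:name=html">
    <attribute name="MaxActiveClientCount">10</attribute>
    <attribute name="Parser" />
    <attribute name="Port">8082</attribute>
  </mbean>
</server>"""

COMMENTED_CFG = STOCK_CFG.replace("<mbean", "<!-- <mbean").replace("</mbean>", "</mbean> -->")

WRAPPED_CFG = """<server>
  <mbean code="org.jboss.jmx.server.HtmlAdaptorService" name="Adaptor:name=html">
    <constructor>
      <arg type="int" value="8082"/>
      <arg type="java.lang.String" value="myuserid"/>
      <arg type="java.lang.String" value="mypasswd"/>
    </constructor>
  </mbean>
</server>"""

if __name__ == "__main__":
    for label, cfg in [("stock", STOCK_CFG), ("commented", COMMENTED_CFG), ("wrapped", WRAPPED_CFG)]:
        print(label, audit_jcml(cfg))
```

A finding of `auth-plaintext-password` still depends on the config file's own permissions, as the quoted message notes.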