implementing secured jboss deployment

Abhishek Mhptr
Hi All,

I need to make the JBoss environment (running on a Linux machine) secured,
which would make sure that unwanted data doesn't get deployed in JBoss.

If anyone tries to deploy some files in JBoss,
it should ask for a security code or password.

The whole thing is to make the JBoss environment secured with some
security code or password.

Kindly help me out in achieving this.


Thanks in advance.
Jaikiran Pai

See this

Abhishek Mhptr
Thank you so much for the reply.

I went through the topics in the link,

but I couldn't find my answer.

Will you please help me out in achieving the requirement?
Peter Johnson
Create an account in Linux, say "jboss", and give that account exclusive rights to JBOSS_HOME (set access right to 600 or 700). Use that account to run JBoss AS. Now only someone who knows the password to the "jboss" account can deploy anything.

It is also a good idea to follow the security settings outlined in the link that Jaikiran posted so that you could restrict access to the JMX console and other things which will let users get around the restrictions imposed by the "jboss" account.


JBoss In Action
Abhishek Mhptr
Thank you so much for the reply, Peter.

Your post was absolutely helpful.

Now I have come across an unusual scenario for deploying a WAR file.
(This is just a change request. I am sorry if I am driving you people nuts.)

We have a WAR file which will be given to the client for deploying into the JBoss server.

If any intruder hacks the WAR in between and changes its content before deploying,
the broken WAR file shouldn't get deployed.

Only the genuine WAR file should get deployed in JBoss.

How can we prevent deploying the broken WAR file?

How can we make sure to deploy only the genuine WAR file in JBoss?

Kindly provide your valuable suggestions.

Thanks in advance.


Peter Johnson
Perhaps signing the JAR file would do what you need.
Abhishek Mhptr
Thank you so much for the post, Peter. I got a fair idea regarding jarsigner from the link.
It was very helpful.

I executed the following steps.

I signed a WAR file and deployed it in JBoss. It got deployed without any issues.

After that I made some changes in the signed WAR file and
tried to deploy the updated WAR file in JBoss.

While doing that I found the following error:


It means that JBoss validates (verifies) the signature of the WAR file while deploying.

Can anyone please tell me how JBoss verifies it?

Can we make sure that only a WAR file with a specific signature gets deployed in JBoss?

Thanks in advance.
Peter Johnson
Didn't I answer this already? Can't seem to find the rest of this discussion...
Abhishek Mhptr
You did reply, Peter (jboss.org).

thanks.
Abhishek Mhptr
As the JVM throws the security exception while the WAR file is getting deployed,

can we identify how and when the JVM verifies the signature in JBoss?

Can we add some code (functionality) while verifying the WAR file,
so that only a WAR file with a specific signature will get deployed in JBoss?

Kindly bail me out of this issue.

Thanks.
Peter Johnson
Abhishek Mhptr wrote: can we identify how and when JVM verifies the signature in JBOSS ?

No. Your code is in the WAR and thus cannot catch the exception - your code has not even started running, the JVM is still trying to open the WAR file.

Abhishek Mhptr wrote: Can we add some code(functionality) while verifying the WAR file, so that WAR file with specific signature will only get deployed in JBOSS ?

Your code can check that it is running on JBoss AS by checking for the presence of JBoss AS-specific files. I'm not sure if there is a way to ask the JVM to supply the signature information used to sign the WAR file.
Mark E Hansen
I wonder if the OP is asking for a way to configure JBoss so it won't allow the deployment of an application unless it is properly signed. Like using a custom deployer MBean?
Abhishek Mhptr
Yup. Exactly.

Can we add some code (outside the WAR) in JBoss to check for a specific signature?

(Configure JBoss not to allow deployment unless it is signed by a specific author.)

Thanks.
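
An added example, not code from any poster in this thread or from JBoss: a stand-alone check that runs outside the WAR, before the file is copied into the deploy directory. It goes one step beyond the tamper check discussed above by also rejecting entries that were added without a signature and signers other than one pinned certificate. The class name `SignedWarGate`, the three command-line arguments and the pinned SHA-256 certificate fingerprint are assumptions made for illustration.

```java
import java.io.File;
import java.io.InputStream;
import java.math.BigInteger;
import java.nio.file.*;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.jar.*;

public class SignedWarGate {
    // Signature bookkeeping files are never signed themselves, so they are skipped.
    static final String SIG_FILES = "(?i)META-INF/(MANIFEST\\.MF|[^/]+\\.(SF|RSA|DSA|EC)|SIG-[^/]*)";

    /** True only if every payload entry verifies and is signed by the pinned certificate. */
    static boolean signedByPinnedCert(File war, String pinnedSha256) throws Exception {
        int checked = 0;
        try (JarFile jar = new JarFile(war, true)) {           // true = verify signatures
            byte[] buf = new byte[8192];
            for (JarEntry e : Collections.list(jar.entries())) {
                if (e.isDirectory() || e.getName().matches(SIG_FILES)) continue;
                try (InputStream in = jar.getInputStream(e)) { while (in.read(buf) != -1) { } }
                if (!hasPinnedSigner(e.getCodeSigners(), pinnedSha256)) return false;
                checked++;                                      // signers are known only after a full read
            }
        } catch (SecurityException tampered) {                 // an entry's digest did not match
            return false;
        }
        return checked > 0;                                    // an empty archive is not accepted
    }

    static boolean hasPinnedSigner(CodeSigner[] signers, String pinned) throws Exception {
        if (signers == null) return false;                     // entry added without a signature
        for (CodeSigner s : signers) {
            Certificate leaf = s.getSignerCertPath().getCertificates().get(0);
            byte[] fp = MessageDigest.getInstance("SHA-256").digest(leaf.getEncoded());
            if (String.format("%064x", new BigInteger(1, fp)).equalsIgnoreCase(pinned)) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception { // args: WAR, deploy dir, cert SHA-256 hex
        File war = new File(args[0]);
        if (!signedByPinnedCert(war, args[2])) {
            System.err.println("REJECTED: " + war + " is not fully signed by the pinned certificate");
            System.exit(1);
        }
        Files.copy(war.toPath(), Paths.get(args[1], war.getName()), StandardCopyOption.REPLACE_EXISTING);
    }
}
```

The check only acts as a gate if nothing else can write to the deploy directory, so it belongs with the restricted "jboss" account described earlier in the thread, run as that account on a copy of the WAR that other users cannot modify between the check and the copy.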