How to configure secure JMX console access?

Hi,

I am looking on how to best describe the access to a JMX administration page like http://localhost:8080/jmx-console for JBoss in a secure way.

Here, Java EE's security model plays in. For JBoss it's clear to me but I wonder whether there is a more general approach in Java EE.

Any hints?

Regards,
Darya
[ July 27, 2007: Message edited by: Darya Akbari ]

Are you asking how to secure a web application (the JMX-console) or how JMX security works?

I mean securing the JMX console access.

I think most of the security task here is vendor dependent. The only non vendor dependent part I can see is in the web.xml deployment descriptor, see the code snippet below:

<security-constraint>
     <web-resource-collection>
       <web-resource-name>HtmlAdaptor</web-resource-name>
       <description>An example security config that only allows users with the
         role JBossAdmin to access the HTML JMX console web application
       </description>
       <url-pattern>/*</url-pattern>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
     </web-resource-collection>
     <auth-constraint>
       <role-name>my:jmxconsole</role-name>
     </auth-constraint>
   </security-constraint>
 
   <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>JBoss JMX Console</realm-name>
   </login-config>
 
   <security-role>
      <role-name>my:jmxconsole</role-name>
   </security-role>

Here I want plug my own security domain and use my own security role my:jmxconsole

Regards,
Darya
[ July 27, 2007: Message edited by: Darya Akbari ]

So you are asking about securing a web application. Well since this is a more general "how web apps work" type of question so I'll move you over to a more appropriate forum, see if that generates some discussion.

Originally posted by Darya Akbari:
I think most of the security task here is vendor dependent. The only non vendor dependent part I can see is in the web.xml deployment descriptor, see the code snippet below:

 <security-constraint> <web-resource-collection> <web-resource-name>HtmlAdaptor</web-resource-name> <description>An example security config that only allows users with the role JBossAdmin to access the HTML JMX console web application </description> <url-pattern>/*</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <auth-constraint> <role-name>my:jmxconsole</role-name> </auth-constraint> </security-constraint> <login-config> <auth-method>BASIC</auth-method> <realm-name>JBoss JMX Console</realm-name> </login-config> <security-role> <role-name>my:jmxconsole</role-name> </security-role>

Here I want plug my own security domain and use my own security role my:jmxconsole

Regards,
Darya

[ July 27, 2007: Message edited by: Darya Akbari ]

I agree.
I'm going to move this again.
This time to our JBoss forum where you find help in setting up SSL on that server.

Well for JBoss I know the answer

. Maybe we should go back with this post

.