2005-12-08

After firewalls are in place, you're not done securing JBoss 3.2.6. At the least, passwords should be set on the jmx-console and web-console applications.

Go to $JBOSSHOME/server/yourconfig/deploy and take the following steps to secure the jmx-console application:

1. Edit jmx-console.war/WEB-INF/web.xml, search for the line with "security-constraint" and uncomment the block
   
2. Edit jmx-console.war/WEB-INF/jboss-web.xml and uncomment the line with "security-domain"
   
3. Edit jmx-console.war/WEB-INF/classes/jmx-console-users.properties and replace the second "admin" by your favorite password

Now do the same for the web-console application:

1. Edit management/web-console.war/WEB-INF/web.xml,
   search for the line with "security-constraint" and uncomment the block
   
2. Edit management/web-console.war/WEB-INF/jboss-web.xml
   and uncomment the line with "security-domain"
   
3. Edit management/web-console.war/WEB-INF/classes/web-console-users.properties and replace the second "admin" by your favorite password

Besides the above steps, you'll probably want to remove the status application, the HTTP invokers, maybe JMS, etc. An excellent book is O'Reilly's JBoss, A Developer's Notebook. Chapter 9 is freely available online, which walks you through the above steps and much more.

(Re)start JBoss and go get your brownie points from the system administrators!