JBoss Hardening - Password Protection for JMX Console and Web Console

Document ID : KB000051246
Last Modified Date : 14/02/2018


On the root JBoss server page, the jmx-console and the Web Console are accessible to anyone on the network. These pages often contain content that administrators wish to keep from regular users. JBoss includes the ability to secure these pages by enabling the built-in security-constraint.


  1. Stop JBoss.
  2. Edit server/default/deploy/jmx-console.war/WEB-INF/web.xml and uncomment the security-constraint section so it looks like the following:

     Figure 1

  3. Edit server/default/deploy/jmx-console.war/WEB-INF/jboss-web.xml and uncomment the following line:

     Figure 2

  4. Edit server/default/conf/props/jmx-console-roles.properties.
     This file defines the roles of each user. By default, the security-constraint section above grants the JBossAdmin role access to the JMX console.
     This file is formatted like the following:

     Figure 3

  5. Edit server/default/conf/props/jmx-console-users.properties.
     This file defines the users and passwords.
     This file is formatted like the following:

     Figure 4

  6. In server/default/conf/props/, create copies of jmx-console-users.properties and jmx-console-roles.properties and rename them web-console-users.properties and web-console-roles.properties respectively.
  7. Navigate to server/default/deploy/management/console-mgr.sar/web-console.war/WEB-INF and repeat steps 2 and 3 for jboss-web.xml and web.xml.
  8. Edit server/default/conf/login-config.xml. Locate the following lines and add "props/" before the web-console-*.properties filenames:

     Figure 5

  9. When modifying usernames and passwords, be sure to edit both files for the console in question:

     • JMX Console: server/default/conf/props/jmx-console-users.properties and jmx-console-roles.properties.
     • Web Console: server/default/conf/props/web-console-users.properties and web-console-roles.properties.

  10. Restart JBoss and navigate to the JMX/Web Consoles. Verify that authentication is working.
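
An offline check of the files touched in the steps above, added here as an example (it is not part of the original article or of JBoss). The `audit()` helper and its messages are hypothetical, and the properties layout (`user=password` in the users file, `user=role1,role2` in the roles file) is an assumption.

```python
import os
import xml.etree.ElementTree as ET

# Console WAR locations relative to server/default, taken from the steps above.
CONSOLES = {
    "jmx-console": "deploy/jmx-console.war",
    "web-console": "deploy/management/console-mgr.sar/web-console.war",
}

def live_tags(path):
    """Names of elements the XML parser sees; commented-out markup is skipped."""
    return {el.tag.rsplit("}", 1)[-1] for el in ET.parse(path).iter()}

def load_props(path):
    """Read key=value lines (assumed layout), ignoring blanks and # comments."""
    props = {}
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                props[key.strip()] = value.strip()
    return props

def audit(server_dir, role="JBossAdmin"):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for name, war in CONSOLES.items():
        webinf = os.path.join(server_dir, war, "WEB-INF")
        web = live_tags(os.path.join(webinf, "web.xml"))
        if "security-constraint" not in web:
            findings.append(f"{name}: web.xml security-constraint is commented out")
        elif "http-method" in web:
            # Servlet spec: a constraint that lists methods covers only those methods.
            findings.append(f"{name}: constraint is limited to listed http-method values")
        if "security-domain" not in live_tags(os.path.join(webinf, "jboss-web.xml")):
            findings.append(f"{name}: jboss-web.xml security-domain is commented out")
        props = os.path.join(server_dir, "conf", "props")
        users = load_props(os.path.join(props, f"{name}-users.properties"))
        roles = load_props(os.path.join(props, f"{name}-roles.properties"))
        admins = [u for u, r in roles.items() if role in r.replace(" ", "").split(",")]
        if not admins:
            findings.append(f"{name}: no user holds the {role} role")
        findings += [f"{name}: {u} has {role} but no password entry"
                     for u in admins if u not in users]
    return findings
```

Call `audit("server/default")` from the JBoss home directory before the restart in the last step; it reads the files only and does not replace the login test against the running consoles.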