Hi,

JBoss AS6 provides admin-console, jmx-console and web-console for server monitoring and management. By default, the username and password for accessing these applications are “admin” and “admin”. Often, however, we want to create additional users who can log in to these applications as read-only users: they can monitor the server but have no privilege to make configuration changes.

In JBoss AS6 it is possible to create read-only users for jmx-console and web-console, but the admin-console application currently does not support read-only access, so we cannot create a read-only user for “admin-console”. In this demonstration we will see how to create a read-only (monitor) role in JBoss AS6 for the web-console and jmx-console applications.

Step1). Edit the “$PROFILE/deploy/jmx-console.war/WEB-INF/web.xml” file and un-comment the following section:

    <filter>
      <filter-name>JmxOpsAccessControlFilter</filter-name>
      <filter-class>org.jboss.jmx.adaptor.html.JMXOpsAccessControlFilter</filter-class>
      <init-param>
        <description>Comma-delimited Roles that define the JMX Operation denoting updation of Attributes</description>
        <param-name>updateAttributes</param-name>
        <param-value>UpdateAttributeRole</param-value>
      </init-param>
      <init-param>
        <description>Comma-delimited Roles that define the JMX Operation denoting Invocation of Operations</description>
        <param-name>invokeOp</param-name>
        <param-value>InvokeOpRole</param-value>
      </init-param>
    </filter>
    <filter-mapping>
      <filter-name>JmxOpsAccessControlFilter</filter-name>
      <servlet-name>HtmlAdaptor</servlet-name>
    </filter-mapping>

Step2). Now edit “$PROFILE/conf/props/jmx-console-roles.properties” as follows:
NOTE: To create a read-only role for “web-console”, make the changes shown below in the “$PROFILE/deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/web-console-roles.properties” file.

    # A sample roles.properties file for use with the UsersRolesLoginModule
    admin=JBossAdmin,HttpInvoker,UpdateAttributeRole,InvokeOpRole
    MyReadOnlyUserName=JBossAdmin

Here you can see that “MyReadOnlyUserName” does not have the “UpdateAttributeRole” and “InvokeOpRole” roles, which means this user cannot perform any update operation or invoke any method from the console.

Step3). Similarly, edit “$PROFILE/conf/props/jmx-console-users.properties” as follows:
NOTE: To create read-only users for “web-console”, make the changes shown below in the “$PROFILE/deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/web-console-users.properties” file.

    # A sample users.properties file for use with the UsersRolesLoginModule
    admin=admin
    MyReadOnlyUserName=MyReadOnlyPassword

Step4). The setup is done, so you can now restart your JBoss AS6 profile and access the jmx-console. Log in as the newly created user:

username as MyReadOnlyUserName
password as MyReadOnlyPassword

You will receive a 403 error, “Access to the specified resource has been forbidden”, if you try to make any configuration change with this user's credentials, such as changing the thread pool size. You can still make these changes easily using the non-read-only user's credentials.
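The audit script below is an added example, not part of the original post or of JBoss. It reads the users and roles files from Steps 2 and 3 and reports which accounts are read-only, which still hold the update or invoke roles, and which have a password equal to the username (as the default admin/admin does). The function names, the simplified `key=value` parsing, and the treatment of JBossAdmin as the role needed to log in are assumptions; the sample file contents are constructed from the steps above.

```python
# Added example: classify console users from the two UsersRolesLoginModule files.
WRITE_ROLES = {"UpdateAttributeRole", "InvokeOpRole"}  # role names from web.xml in Step 1
LOGIN_ROLE = "JBossAdmin"  # assumption: the role the console requires for login

def parse_props(text):
    """Minimal key=value parser; skips blank lines and # / ! comment lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries[key.strip()] = value.strip()
    return entries

def audit(users_text, roles_text):
    """Return {user: (access_level, [notes])} for every user in either file."""
    users = parse_props(users_text)
    roles = {u: {r.strip() for r in v.split(",") if r.strip()}
             for u, v in parse_props(roles_text).items()}
    report = {}
    for user in sorted(set(users) | set(roles)):
        granted = roles.get(user, set())
        if user not in users:
            access = "orphan-role-entry"   # roles defined but no password entry
        elif LOGIN_ROLE not in granted:
            access = "no-console-access"
        elif granted & WRITE_ROLES:
            access = "read-write"
        else:
            access = "read-only"
        notes = []
        if users.get(user) == user:
            notes.append("password equals username")
        if granted & WRITE_ROLES and not WRITE_ROLES <= granted:
            notes.append("only one of the two write roles granted")
        report[user] = (access, notes)
    return report

# Constructed sample input mirroring the files shown in Steps 2 and 3.
SAMPLE_USERS = "admin=admin\nMyReadOnlyUserName=MyReadOnlyPassword\n"
SAMPLE_ROLES = ("admin=JBossAdmin,HttpInvoker,UpdateAttributeRole,InvokeOpRole\n"
                "MyReadOnlyUserName=JBossAdmin\n")

if __name__ == "__main__":
    for user, (access, notes) in audit(SAMPLE_USERS, SAMPLE_ROLES).items():
        print(f"{user}: {access} {notes}")
```

To audit a real profile, pass the contents of the jmx-console (or web-console) users and roles files to `audit()` instead of the sample strings.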

Thanks
Middleware Magic Team
