This documentation relates to Bedework 3.7
If you are using a different version, please click on "Click for all versions" on the left side of the page and select the relevant version.

Page History

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

1. Locate the <security-constraint> element (around line 101) in the file
jboss-5.1.0.GA/server/default/deploy/jmx-console.war/WEB-INF/web.xml

<security-constraint>
   <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <description>An example security config that only allows users with the
         role JBossAdmin to access the HTML JMX console web application
     </description>
     <url-pattern>/*</url-pattern>
     <http-method>GET</http-method>
     <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
     <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>

...


To determine if your JBoss instance has been compromised, look in directory
jboss-5.1.0.GA/server/default/deploy/management/

If you see the directory
iesvc.war
then your instance has been infected.

The blog entry below has worm removal and detection information:
http://community.jboss.org/blogs/mjc/2011/10/20/statement-regarding-security-threat-to-jboss-application-server

...

3. Lastly, change the  JMX console password. In the Bedework quickstart configuration the userid and password are found in the file jboss-5.1.0.GA/server/default/conf/props/jmx-console-users.properties

If you followed the instructions to secure Bedework during your initial installation (see https://wiki.jasig.org/display/BWK37/BW+3.7+Securing+Bedework ), you may have already changed the JMX console password.

...

4. Note that it is not good practice to run any web service as a privileged user (e.g. "root"). Therefore, to minimizie your risk overall, you should run JBoss under an unprivileged account.