JBoss JMX management console
Description
JBoss Application Server (the AS 4.x and 5.x line) ships with the JMX management console deployed by default under /jmx-console on the HTTP connector, e.g. http://localhost:8080/jmx-console, with no authentication configured. This web-based administrative interface exposes the server's MBeans and therefore gives extensive control over the application server: browsing the JNDI tree, managing threads, deploying and undeploying applications, and shutting the server down. Because it allows arbitrary applications to be deployed, an unauthenticated JMX console is equivalent to remote code execution with the privileges of the account running JBoss. When left unsecured, the console is reachable by anyone who can connect to the address and port the server is bound to, creating a critical security exposure.
Remediation
Secure the JMX console by enabling authentication and authorization. In jmx-console.war/WEB-INF/web.xml, uncomment the security-constraint element (the stock file ships it commented out; the login-config element that configures BASIC authentication sits directly beneath it and must stay in place). In jmx-console.war/WEB-INF/jboss-web.xml, uncomment the security-domain element that binds the web application to the jmx-console JAAS security domain; that domain's login module reads its accounts from conf/props/jmx-console-users.properties (one user=password line per account) and their roles from conf/props/jmx-console-roles.properties (one user=role line per account). Replace the default password of the stock admin account with a strong one, and grant the JBossAdmin role only to accounts that need it. After restarting the server or redeploying jmx-console.war, confirm from a non-administrative network position that every request to /jmx-console/ is challenged with 401, including requests that use HTTP methods other than GET and POST.
Example security-constraint in web.xml:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>
Keep the web-resource-collection free of http-method elements. The constraint shipped in the stock web.xml listed only GET and POST, which left every other HTTP method unauthenticated (the verb-tampering bypass tracked as CVE-2010-0738); with no http-method list the constraint applies to all methods.
Alternatively, if the JMX console is not required, remove or undeploy the jmx-console.war application entirely. Additionally, restrict network access to the management interface using firewall rules so that only trusted administrative IP addresses can reach it.
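To check that the edits described above actually took effect, the following added audit script (example code written for this page, not part of the original finding or of the JBoss project) parses the three artefacts the remediation touches: it requires an active, uncommented security-constraint on /* with an auth-constraint and no http-method narrowing plus a login-config in web.xml, an active security-domain in jboss-web.xml, and no blank or well-known default passwords in the users properties file. The before/after sample files, the list of passwords treated as weak, and the message strings are constructed for the example and are assumptions, not content from the page.

```python
"""Offline audit of a JBoss jmx-console deployment against the remediation steps.

Added example, not code from the original finding or from the JBoss project.
XML comments are discarded by the parser, so a security-constraint or
security-domain that is still wrapped in <!-- --> simply does not appear,
which is exactly the unsecured state this script is meant to flag.
The sample files below are constructed for the example, not copied from a server.
"""
import xml.etree.ElementTree as ET

MSG_NO_CONSTRAINT = "web.xml: no active <security-constraint> (still commented out?)"
MSG_NOT_ROOT = "web.xml: security-constraint does not cover /*"
MSG_NO_AUTH = "web.xml: security-constraint has no <auth-constraint>"
MSG_HTTP_METHOD = "web.xml: <http-method> list present; unlisted methods bypass the constraint"
MSG_NO_LOGIN = "web.xml: no <login-config>, container cannot challenge for credentials"
MSG_NO_DOMAIN = "jboss-web.xml: no active <security-domain> (still commented out?)"

# Assumption for the example: passwords treated as blank or default.
WEAK_PASSWORDS = {"", "admin", "password"}

def _local(tag):
    """Strip an XML namespace ({uri}name -> name); JBoss 5 web.xml files are namespaced."""
    return tag.rsplit("}", 1)[-1]

def _find_all(elem, name):
    return [e for e in elem.iter() if _local(e.tag) == name]

def audit_web_xml(text):
    root = ET.fromstring(text)
    findings = []
    constraints = _find_all(root, "security-constraint")
    if not constraints:
        findings.append(MSG_NO_CONSTRAINT)
    for sc in constraints:
        patterns = [p.text.strip() for p in _find_all(sc, "url-pattern") if p.text]
        if "/*" not in patterns:
            findings.append(MSG_NOT_ROOT)
        if not _find_all(sc, "auth-constraint"):
            findings.append(MSG_NO_AUTH)
        if _find_all(sc, "http-method"):  # GET/POST-only list = verb tampering bypass
            findings.append(MSG_HTTP_METHOD)
    if not _find_all(root, "login-config"):
        findings.append(MSG_NO_LOGIN)
    return findings

def audit_jboss_web_xml(text):
    root = ET.fromstring(text)
    domains = [d.text.strip() for d in _find_all(root, "security-domain") if d.text]
    return [] if domains else [MSG_NO_DOMAIN]

def audit_users_properties(text):
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, _, password = line.partition("=")
        if password.strip() in WEAK_PASSWORDS:
            findings.append(f"users.properties: account {user.strip()!r} has a blank or default password")
    return findings

def audit_deployment(web_xml, jboss_web_xml, users_properties):
    """All findings across the three files; an empty list means the remediation is in place."""
    return (audit_web_xml(web_xml)
            + audit_jboss_web_xml(jboss_web_xml)
            + audit_users_properties(users_properties))

# Constructed samples: the shape of the stock files before and after remediation.
WEB_XML_UNSECURED = """<web-app>
  <!--
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
  -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>JBoss JMX Console</realm-name>
  </login-config>
</web-app>"""
# Uncommented, and with the GET/POST http-method list removed so every verb is covered.
WEB_XML_SECURED = WEB_XML_UNSECURED.replace("<!--", "").replace("-->", "").replace(
    "      <http-method>GET</http-method>\n      <http-method>POST</http-method>\n", "")
JBOSS_WEB_UNSECURED = "<jboss-web>\n  <!-- <security-domain>java:/jaas/jmx-console</security-domain> -->\n</jboss-web>"
JBOSS_WEB_SECURED = JBOSS_WEB_UNSECURED.replace("<!-- ", "").replace(" -->", "")
USERS_DEFAULT = "# A sample users.properties file for use with the UsersRolesLoginModule\nadmin=admin\n"
USERS_FIXED = "admin=Placeholder-Strong-Passphrase-Replace-Me\n"  # placeholder, not a recommendation

if __name__ == "__main__":
    for label, files in (("before", (WEB_XML_UNSECURED, JBOSS_WEB_UNSECURED, USERS_DEFAULT)),
                         ("after", (WEB_XML_SECURED, JBOSS_WEB_SECURED, USERS_FIXED))):
        print(label, audit_deployment(*files) or ["OK"])
```

To run it against a real deployment, read the three files from jmx-console.war/WEB-INF/ and conf/props/ and pass their contents to audit_deployment; the parser ignores the DOCTYPE in JBoss 4 web.xml files and the javaee namespace in JBoss 5 files. A clean result from this script only shows the configuration is in place; the 401 check over the network described above is still the final confirmation.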