
implementing secured jboss deployment

 
Abhishek Mhptr
Hi All,

I need to make the JBoss environment (running on a Linux machine) secured,
which would make sure that unwanted data doesn't get deployed in JBoss.

If anyone tries to deploy some files in JBoss,
it should ask for a security code or password.

The whole thing is to make the JBoss environment secured with some
security code or password.

Kindly help me out in achieving this.

Thanks in advance.
 
Jaikiran Pai
See this
 
Abhishek Mhptr
Thank you so much for the reply.

I went through the topics in the link.

But I couldn't find my answer.

Will you please help me out in achieving the requirement?
 
Peter Johnson
Create an account in Linux, say "jboss", and give that account exclusive rights to JBOSS_HOME (set access rights to 600 or 700). Use that account to run JBoss AS. Now only someone who knows the password to the "jboss" account can deploy anything.

It is also a good idea to follow the security settings outlined in the link that Jaikiran posted so that you could restrict access to the JMX console and other things which will let users get around the restrictions imposed by the "jboss" account.
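
A way to check that the tree really is exclusive to the service account, as an added example that is not part of the original post: it lists every path under JBOSS_HOME that is owned by someone else or grants any group/other permission. The class name `JbossHomeAudit` and its arguments (JBOSS_HOME path, account name) are assumptions; run it as the "jboss" account or as root so the whole tree can be read.

```java
import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.file.*;
import java.nio.file.attribute.*;
import java.util.*;
import java.util.stream.*;

public class JbossHomeAudit {
    // Any group/other bit means the path is not exclusive to the owner (i.e. not 600/700).
    static final Set<PosixFilePermission> NON_OWNER = PosixFilePermissions.fromString("---rwxrwx");

    /** Lists every path under jbossHome not owned by `owner` or granting group/other access. */
    static List<String> findings(Path jbossHome, String owner) throws IOException {
        try (Stream<Path> tree = Files.walk(jbossHome)) {
            return tree.map(p -> check(p, owner)).filter(Objects::nonNull).collect(Collectors.toList());
        }
    }

    static String check(Path p, String owner) {
        try {
            PosixFileAttributes a =
                Files.readAttributes(p, PosixFileAttributes.class, LinkOption.NOFOLLOW_LINKS);
            if (a.isSymbolicLink()) return null;   // a link's own mode bits are not enforced on Linux
            if (!a.owner().getName().equals(owner)) return p + ": owned by " + a.owner().getName();
            Set<PosixFilePermission> extra = EnumSet.noneOf(PosixFilePermission.class);
            extra.addAll(a.permissions());
            extra.retainAll(NON_OWNER);            // keep only the group/other bits that are set
            return extra.isEmpty() ? null : p + ": mode " + PosixFilePermissions.toString(a.permissions());
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }

    public static void main(String[] args) throws IOException {
        // args[0] = JBOSS_HOME, args[1] = service account name (the thread uses "jboss")
        List<String> bad = findings(Paths.get(args[0]), args[1]);
        bad.forEach(System.out::println);
        System.exit(bad.isEmpty() ? 0 : 1);        // non-zero exit lets a start script refuse to launch
    }
}
```

The check is deliberately conservative: a file with mode 644 below a 700 directory is still reported, because it becomes readable as soon as the parent directory is loosened.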
 
Abhishek Mhptr
Thank you so much for the reply, Peter.

Your post was absolutely helpful.

Now I have come across an unusual scenario for deploying a WAR file.
(This is just a change request. I am sorry if I am driving you people nuts.)

We have a WAR file which will be given to the client for deploying into the JBoss server.

If any intruder hacks the WAR in between and changes its content before deploying,
the broken WAR file shouldn't get deployed.

Only the genuine WAR file should get deployed in JBoss.

How can we prevent deploying the broken WAR file?

How can we make sure to deploy only the genuine WAR file in JBoss?

Kindly provide your valuable suggestions.

Thanks in advance.


 
Peter Johnson
Perhaps signing the JAR file would do what you need
 
Abhishek Mhptr
Thank you so much for the post, Peter. Got a fair idea regarding jarsigner from the link.
It was very helpful.

I executed the following steps.

I signed a WAR file and deployed it in JBoss. It got deployed without any issues.

After that I made some changes in the signed WAR file and
tried to deploy the updated WAR file in JBoss.

While doing that I found the following error:


It means that JBoss validates (verifies) the signature of the WAR file while deploying.

Can anyone please tell me how JBoss verifies it?

Can we make sure that only a WAR file with a specific signature gets deployed in JBoss?

Thanks in advance.
 
Peter Johnson
Didn't I answer this already? Can't seem to find the rest of this discussion...
 
Abhishek Mhptr
You did reply, Peter (jboss.org).

Thanks.
 
Abhishek Mhptr
As the JVM throws the security exception while the WAR file is getting deployed,

can we identify how and when the JVM verifies the signature in JBoss?

Can we add some code (functionality) while verifying the WAR file,
so that only a WAR file with a specific signature will get deployed in JBoss?

Kindly bail me out of this issue.

Thanks.
 
Peter Johnson
Abhishek Mhptr wrote: can we identify how and when JVM verifies the signature in JBOSS ?

No. Your code is in the WAR and thus cannot catch the exception - your code has not even started running, the JVM is still trying to open the WAR file.

Abhishek Mhptr wrote: Can we add some code(functionality) while verifying the WAR file,
so that WAR file with specific signature will only get deployed in JBOSS ?

Your code can check that it is running on JBoss AS by checking for the presence of JBoss AS-specific files. I'm not sure if there is a way to ask the JVM to supply the signature information used to sign the WAR file.
 
Mark E Hansen
I wonder if the OP is asking for a way to configure JBoss so it won't allow the deployment of an application unless it is properly signed. Like using a custom deployer MBean?
 
Abhishek Mhptr
Yup. Exactly.

Can we add some code (outside the WAR) in JBoss to check for a specific signature?

(Configure JBoss not to allow deployment unless it is signed by a specific author.)

Thanks.
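
A check of this kind that runs outside the WAR, before the file is copied into the deploy directory, as an added example that is not part of the thread and is not JBoss's own deployer code. It uses the standard `java.util.jar` API; the class name `WarSignerGate` and the pinned-fingerprint argument are assumptions, and how the check is wired into a deployment procedure or a custom deployer is left open.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.*;
import java.util.jar.*;

public class WarSignerGate {
    /** True only if every payload entry verifies and was signed with the pinned certificate. */
    static boolean signedByPinned(String war, String pinnedSha256) throws Exception {
        String pin = pinnedSha256.replace(":", "");          // accept AA:BB:.. style fingerprints too
        byte[] buf = new byte[8192];
        boolean sawPayload = false;
        try (JarFile jar = new JarFile(war, true)) {         // true = verify while reading
            for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements();) {
                JarEntry entry = e.nextElement();
                if (entry.isDirectory() || isSignatureFile(entry.getName())) continue;
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { }           // digest is checked at end of stream
                }
                // A file added after signing raises no error; it simply has no signers.
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null || !hasPinnedSigner(signers, pin)) return false;
                sawPayload = true;
            }
        } catch (SecurityException tampered) {               // digest or signature mismatch
            return false;
        }
        return sawPayload;                                   // an empty archive is not "signed"
    }
    static boolean isSignatureFile(String name) {
        String n = name.toUpperCase(Locale.ROOT);
        return n.equals("META-INF/MANIFEST.MF") || n.matches("META-INF/(SIG-[^/]*|[^/]+\\.(SF|RSA|DSA|EC))");
    }
    static boolean hasPinnedSigner(CodeSigner[] signers, String pin) throws Exception {
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        for (CodeSigner s : signers) {
            // The first certificate in the path is the signer's own.
            Certificate leaf = s.getSignerCertPath().getCertificates().get(0);
            StringBuilder hex = new StringBuilder();
            for (byte b : sha256.digest(leaf.getEncoded())) hex.append(String.format("%02x", b));
            if (hex.toString().equalsIgnoreCase(pin)) return true;
        }
        return false;
    }
    public static void main(String[] args) throws Exception {
        System.exit(signedByPinned(args[0], args[1]) ? 0 : 1);
    }
}
```

Run it with the WAR path and the expected SHA-256 fingerprint of the publisher's certificate, and copy the file into the deploy directory only on exit status 0. The check pins one certificate and does not evaluate its expiry or revocation.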
 