Appendix A. Disabling Authentication
jboss-as directory.
To disable authentication for the JMX console, edit the following file and comment out the security-constraint section:
server/$PROFILE/deploy/jmx-console.war/WEB-INF/web.xml
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <description>An example security config that only allows users with the
      role JBossAdmin to access the HTML JMX console web application
    </description>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>
To disable authentication for the Web console, edit the following file to comment out the security-constraint section:
server/$PROFILE/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <description>An example security config that only allows users with the
      role JBossAdmin to access the HTML JMX console web application
    </description>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>
To disable authentication for the HTTP invoker, JNDIFactory, EJBInvokerServlet, and JMXInvokerServlet need to be removed from the security realm in the file:
server/$PROFILE/deploy/httpha-invoker.sar/invoker.war/WEB-INF/web.xml
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HttpInvokers</web-resource-name>
    <description>An example security config that only allows users with the
      role HttpInvoker to access the HTTP invoker servlets
    </description>
    <url-pattern>/restricted/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>HttpInvoker</role-name>
  </auth-constraint>
</security-constraint>
To disable authentication for the JMX invoker, edit the following file to comment out the security interceptor passthrough:
server/$PROFILE/deploy/jmx-invoker-service.xml
org.jboss.jmx.connector.invoker.InvokerAdaptorService. In that section comment out the line that relates to authenticated users:
<descriptors>
  <interceptors>
    <!--Uncomment to require authenticated users-->
    <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
                 securityDomain="java:/jaas/jmx-console"/>
    <!--Interceptor that deals with non-serializable results-->
    <interceptor code="org.jboss.jmx.connector.invoker.SerializableInterceptor"
                 policyClass="StripModelMBeanInfoPolicy"/>
  </interceptors>
</descriptors>
To disable authentication for the ProfileService, edit the following file and comment out the contents of the serverProxyInterceptors list:
deploy/profileservice-jboss-beans.xml
<bean class="org.jboss.aspects.security.AuthenticationInterceptor">
  <constructor>
    <parameter>
      <value-factory bean="JNDIBasedSecurityManagement" method="getAuthenticationManager" parameter="jmx-console"/>
    </parameter>
  </constructor>
</bean>
<bean class="org.jboss.aspects.security.RoleBasedAuthorizationInterceptor">
  <constructor>
    <parameter>
      <value-factory bean="JNDIBasedSecurityManagement" method="getAuthenticationManager" parameter="jmx-console"/>
    </parameter>
    <parameter>
      <value-factory bean="JNDIBasedSecurityManagement" method="getAuthenticationManager" parameter="jmx-console"/>
    </parameter>
  </constructor>
</bean>
To disable authentication for JBossWS, edit the following file and comment out the security-constraint:
deploy/jbossws.sar/jbossws-management.war/WEB-INF/web.xml
<security-constraint>
  <web-resource-collection>
    <web-resource-name>ContextServlet</web-resource-name>
    <description>An example security config that only allows users with the
      role 'friend' to access the JBossWS console web application
    </description>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>friend</role-name>
  </auth-constraint>
</security-constraint>
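The web.xml steps above (JMX console, Web console, HTTP invoker, JBossWS) all come down to whether an active security-constraint is still present, so the following added audit example, which is not part of the original guide or of JBoss, reports which constraints a web.xml actually enforces. The function names, the sample documents and the exact-match test on the URL pattern are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples: the page's JMX console constraint, active and commented out.
CONSTRAINT = """<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>"""
ENABLED = "<web-app>" + CONSTRAINT + "</web-app>"
DISABLED = "<web-app><!-- " + CONSTRAINT + " --></web-app>"
# Constructed variant: constraint limited to listed HTTP methods only.
GET_ONLY = ENABLED.replace("</url-pattern>", "</url-pattern><http-method>GET</http-method>")


def _local(tag):
    """Drop an XML namespace prefix so old DTD and namespaced web.xml both parse."""
    return tag.rsplit("}", 1)[-1]


def _find(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def audit_web_xml(xml_text):
    """List active security constraints; commented-out ones are not in the tree."""
    findings = []
    for sc in _find(ET.fromstring(xml_text), "security-constraint"):
        wrcs = _find(sc, "web-resource-collection")
        auth = _find(sc, "auth-constraint")
        findings.append({
            "patterns": [p.text.strip() for w in wrcs for p in _find(w, "url-pattern")],
            "methods": [m.text.strip() for w in wrcs for m in _find(w, "http-method")],
            # None = no auth-constraint (open); [] = empty constraint (deny all)
            "roles": [r.text.strip() for a in auth for r in _find(a, "role-name")] if auth else None,
        })
    return findings


def requires_auth(xml_text, pattern="/*"):
    """True if `pattern` has an auth-constraint that applies to every HTTP method."""
    return any(pattern in f["patterns"] and f["roles"] is not None and not f["methods"]
               for f in audit_web_xml(xml_text))


if __name__ == "__main__":
    for name, doc in (("enabled", ENABLED), ("commented out", DISABLED), ("GET only", GET_ONLY)):
        print(f"{name}: requires_auth={requires_auth(doc)} constraints={audit_web_xml(doc)}")
```

A constraint that lists http-method elements applies only to those methods, which is why the GET-only variant is reported as not requiring authentication.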