Chapter 8. Securing the Management Console
Abstract
The default setting for the Access-Control-Allow-Origin header for the JBoss Fuse Management Console permits unrestricted sharing. To restrict access to the JBoss Fuse Management Console, create an access management file which contains a list of the allowed origin URLs. To implement the restrictions, add a system property that references the access management file.
8.1. Controlling Access to the Fuse Management Console
Create an access management file called access-management.xml in <installDir>/etc/. The access management file must contain <allow-origin> sections within a <cors> section. Each <allow-origin> section contains either an origin URL, as sent by browsers in the Origin: header, or a wildcard specification using *. For example:
<cors>
  <!-- Allow cross origin access from www.jolokia.org ... -->
  <allow-origin>http://www.jolokia.org</allow-origin>
  <!-- ... and all servers from jmx4perl.org with any protocol -->
  <allow-origin>*://*.jmx4perl.org</allow-origin>
  <!-- optionally allow access to web console from localhost -->
  <allow-origin>http://localhost:8181/*</allow-origin>
  <!-- Check for the proper origin on the server side, too -->
  <strict-checking/>
</cors>
Add the following line to the JBoss Fuse config script ./bin/setenv, setting the path to the access management file:
export EXTRA_JAVA_OPTS='-Djolokia.policyLocation=file:etc/access-management.xml'
When the command ./bin/fuse is executed, the access management file is referenced and used to restrict access to the JBoss Fuse Management Console.
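The following script is an added example, not code from JBoss Fuse or Jolokia. It parses a policy file in the <cors> layout shown above and evaluates an incoming Origin header against the <allow-origin> patterns, so that a policy can be checked before deployment (for instance, to confirm that a stray * does not reopen the console to every origin). The wildcard rule it applies (each * matches any run of characters and the whole origin must match) and the exact way a non-matching origin is refused are assumptions about Jolokia's behaviour; the sample policy and origins are constructed.

```python
"""Evaluate an Origin header against a Jolokia-style <cors> policy.

Added example, not part of JBoss Fuse or Jolokia. The wildcard rule
(each '*' matches any run of characters, and the whole origin must match)
is an assumption about how the patterns are interpreted.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample policy, in the layout shown on the page.
SAMPLE_POLICY = """<cors>
  <allow-origin>http://www.jolokia.org</allow-origin>
  <allow-origin>*://*.jmx4perl.org</allow-origin>
  <allow-origin>http://localhost:8181/*</allow-origin>
  <strict-checking/>
</cors>"""


def load_policy(xml_text):
    """Return (allowed patterns, strict flag) from the policy XML.

    Accepts <cors> as the document root or nested under another element
    (Jolokia's full policy file wraps it in <restrict>).
    """
    root = ET.fromstring(xml_text)
    cors = root if root.tag == "cors" else root.find(".//cors")
    if cors is None:
        raise ValueError("no <cors> section in policy")
    patterns = [(e.text or "").strip() for e in cors.findall("allow-origin")]
    strict = cors.find("strict-checking") is not None
    return patterns, strict


def pattern_to_regex(pattern):
    """Turn an <allow-origin> value into a regex; '*' is a wildcard (assumed)."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile(".*".join(parts))


def origin_allowed(patterns, origin):
    """True if the whole origin matches at least one allow-origin pattern."""
    return any(pattern_to_regex(p).fullmatch(origin) for p in patterns)


def evaluate(policy, origin, preflight=False):
    """Decide how the server should treat a request (assumed semantics).

    Returns (served, allow_origin_header). A request with no Origin header
    is not cross-origin and is served without CORS headers. A preflight
    (OPTIONS) from a disallowed origin is refused. A normal request from a
    disallowed origin is refused only when <strict-checking/> is present;
    otherwise it is served but without Access-Control-Allow-Origin, so the
    browser withholds the response from the calling page.
    """
    patterns, strict = policy
    if origin is None:
        return True, None
    allowed = origin_allowed(patterns, origin)
    header = origin if allowed else None
    if preflight:
        return allowed, header
    if strict and not allowed:
        return False, None
    return True, header


if __name__ == "__main__":
    policy = load_policy(SAMPLE_POLICY)
    for origin in ("http://www.jolokia.org", "https://jmx.jmx4perl.org",
                   "http://www.jolokia.org.attacker.example"):
        print(origin, "->", evaluate(policy, origin))
```

Run the script with the path to a real access-management.xml substituted for SAMPLE_POLICY to see which origins the policy admits; with <strict-checking/> present, a non-matching origin is refused outright rather than left to the browser.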