Appendix A. Disabling Authentication

This appendix enables a user to disable authentication for specific services.
All specified paths in the sections below are relative to the jboss-as-web directory.
Disabling Authentication for JMX Console:
To disable authentication for the JMX console, edit the following file and comment out the security-constraint section: 
server/$PROFILE/deploy/jmx-console.war/WEB-INF/web.xml
Comment out the following <security-constraint> block: 
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <description>An example security config that only allows users with the role JBossAdmin to access the HTML JMX console web application
    </description>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>
Disabling Authentication for Web Console:
To disable authentication for the Web console, edit the following file to comment out the <security-constraint> section: 
server/$PROFILE/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml
Comment out the following <security-constraint> block: 
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <description>An example security config that only allows users with the role JBossAdmin to access the HTML JMX console web application
    </description>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>
Disabling Authentication for HTTP Invoker:
To disable authentication for the http invoker, JNDIFactory, EJBInvokerServlet, and JMXInvokerServlet need to be removed from the security realm in the file: 
server/$PROFILE/deploy/httpha-invoker.sar/invoker.war/WEB-INF/web.xml
For example, the security-constraint element should look as follows: 
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HttpInvokers</web-resource-name>
    <description>An example security config that only allows users with the role HttpInvoker to access the HTTP invoker servlets
    </description>
    <url-pattern>/restricted/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <role-name>HttpInvoker</role-name>
  </auth-constraint>
</security-constraint>
Disabling Authentication for JMX Invoker:
To disable authentication for the JMX invoker, edit the following file to comment out the security interceptor passthrough: 
server/$PROFILE/deploy/jmx-invoker-service.xml
Locate the mbean section with the class org.jboss.jmx.connector.invoker.InvokerAdaptorService. In that section comment out the line that relates to authenticated users:
Comment out the <interceptor> block that specifies the AuthenticationInterceptor module: 
<descriptors>
   <interceptors>
      <!--Uncomment to require authenticated users-->    
      <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
        securityDomain="java:/jaas/jmx-console"/>

      <!--Interceptor that deals with non-serializable results-->
      <interceptor code="org.jboss.jmx.connector.invoker.SerializableInterceptor"
        policyClass="StripModelMBeanInfoPolicy"/>
  </interceptors>
</descriptors>
Disabling Authentication for the ProfileService:
To disable authentication for the ProfileService, edit the following file and comment out the contents of the serverProxyInterceptors list: 
deploy/profileservice-jboss-beans.xml
Comment out the following <bean> block: 
<bean class="org.jboss.aspects.security.AuthenticationInterceptor">
  <constructor>
    <parameter>
      <value-factory bean="JNDIBasedSecurityManagement" method="getAuthenticationManager" parameter="jmx-console"/>
    </parameter>
  </constructor>
</bean>
<bean class="org.jboss.aspects.security.RoleBasedAuthorizationInterceptor">
  <constructor>
    <parameter>
      <value-factory bean="JNDIBasedSecurityManagement" method="getAuthenticationManager" parameter="jmx-console"/>
    </parameter>
    <parameter>
      <value-factory bean="JNDIBasedSecurityManagement" method="getAuthenticationManager" parameter="jmx-console"/>
    </parameter>
  </constructor>
</bean>
Disabling Authentication for JBossWS:
To disable authentication for JBossWS, edit the following file and comment out the <security-constraint>: 
deploy/jbossws.sar/jbossws-management.war/WEB-INF/web.xml
Comment out the following <security-constraint> block: 
<security-constraint>
  <web-resource-collection>
    <web-resource-name>ContextServlet</web-resource-name>
    <description>An example security config that only allows users with the role 'friend' to access the JBossWS console web application
    </description>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
      <role-name>friend</role-name>
  </auth-constraint>
</security-constraint>