7.3.2. Securing the HTTPInvoker

The HTTP Invoker is a service that provides HTTP and Remote Method Invocation (RMI) access for EJBs and the JNDI Naming service. Secure this service to prevent unauthorized access.

Procedure 7.2. Secure the HTTP Invoker

  1. Define security constraints

    The server/$PROFILE/deploy/http-invoker.sar/invoker.war/WEB-INF/web.xml or server/$PROFILE/deploy/httpha-invoker.sar/invoker.war/WEB-INF/web.xml file (depending on your server profile) must define a JNDIFactory, EJBInvokerServlet, and JMXInvokerServlet in the security realm. This means that the security-constraint element should be similar to:
    <security-constraint>
       <web-resource-collection>
          <web-resource-name>HttpInvokers</web-resource-name>
          <description>An example security config that only allows users with the role HttpInvoker to access the HTTP invoker servlets
          </description>
          <url-pattern>/restricted/*</url-pattern>
          <url-pattern>/JNDIFactory/*</url-pattern>
          <url-pattern>/EJBInvokerServlet/*</url-pattern>
          <url-pattern>/JMXInvokerServlet/*</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
       </web-resource-collection>
       <auth-constraint>
          <role-name>HttpInvoker</role-name>
       </auth-constraint>
    </security-constraint>
    
  2. Define an associated security domain

    Add the following fragment to web.xml:
    <jboss-web>
       <security-domain>java:/jaas/jmx-console</security-domain>
    </jboss-web>
  3. Bind the jmx-invoker to localhost

    Note

    Binding the jmx-invoker to localhost is highly recommended for security, but makes it unavailable for use remotely.
    Edit server/$PROFILE/conf/jboss-service.xml such that the ServerAddress of the RMI/JRMP invoker is localhost, as shown in the following code snippet:
    <!-- RMI/JRMP invoker -->
    <mbean code="org.jboss.invocation.jrmp.server.JRMPInvoker"
          name="jboss:service=invoker,type=jrmp">
       <attribute name="RMIObjectPort">4444</attribute>
       <attribute name="ServerAddress">localhost</attribute>
    ....
  4. Add the following lines to the server section of server/$PROFILE/deploy/jmx-invoker-service.xml:
    <!-- A pooled invoker bound to localhost -->
    <mbean code="org.jboss.invocation.pooled.server.PooledInvoker"
             name="jboss:service=invoker,type=pooled,host=localhost">
       <attribute name="NumAcceptThreads">1</attribute>
       <attribute name="MaxPoolSize">300</attribute>
       <attribute name="ClientMaxPoolSize">300</attribute>
       <attribute name="SocketTimeout">60000</attribute>
       <attribute name="ServerBindAddress">localhost</attribute>
       <attribute name="ServerBindPort">4443</attribute>
       <attribute name="ClientConnectAddress">localhost</attribute>
       <attribute name="ClientConnectPort">0</attribute>
       <attribute name="ClientRetryCount">1</attribute>
       <attribute name="EnableTcpNoDelay">false</attribute>
       <depends optional-attribute-name="TransactionManagerService">jboss:service=TransactionManager</depends>
    </mbean>
  5. In the mbean element whose code attribute is org.jboss.invocation.jrmp.server.JRMPProxyFactory, change the <depends optional-attribute-name="InvokerName"> element to:
    <depends optional-attribute-name="InvokerName">
    jboss:service=invoker,type=pooled,host=localhost
    </depends>
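After applying the procedure, it is worth verifying the result rather than trusting the edit. The following script is an added example, not part of the Red Hat documentation or the JBoss code base: it parses a web.xml and a jboss-service.xml with the standard library and reports whether the three invoker servlet paths are covered by a security-constraint carrying the HttpInvoker role (step 1) and whether the JRMP invoker's ServerAddress is bound to localhost (step 3). The XML samples are constructed inline from the fragments above; the function names and the `audit()` entry point are this example's own, and a real run would read the files from the server/$PROFILE paths named in the procedure.

```python
"""Audit checks for the HTTP invoker hardening procedure (added example, not Red Hat's code)."""
import xml.etree.ElementTree as ET

# Constructed sample: the web.xml security-constraint from step 1.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HttpInvokers</web-resource-name>
      <url-pattern>/restricted/*</url-pattern>
      <url-pattern>/JNDIFactory/*</url-pattern>
      <url-pattern>/EJBInvokerServlet/*</url-pattern>
      <url-pattern>/JMXInvokerServlet/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>HttpInvoker</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed sample of an incomplete edit: only /restricted/* is constrained.
WEAK_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HttpInvokers</web-resource-name>
      <url-pattern>/restricted/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>HttpInvoker</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed sample: the JRMP invoker mbean from jboss-service.xml after step 3.
JBOSS_SERVICE_XML = """<server>
  <mbean code="org.jboss.invocation.jrmp.server.JRMPInvoker"
         name="jboss:service=invoker,type=jrmp">
    <attribute name="RMIObjectPort">4444</attribute>
    <attribute name="ServerAddress">localhost</attribute>
  </mbean>
</server>"""

INVOKER_PATHS = ("/JNDIFactory/*", "/EJBInvokerServlet/*", "/JMXInvokerServlet/*")
JRMP_INVOKER_CODE = "org.jboss.invocation.jrmp.server.JRMPInvoker"


def unprotected_invoker_paths(web_xml, required_role="HttpInvoker"):
    """Return the invoker url-patterns not covered by a constraint granting only required_role."""
    root = ET.fromstring(web_xml)
    covered = set()
    for constraint in root.iter("security-constraint"):
        roles = {r.text.strip() for r in constraint.iter("role-name") if r.text}
        # A constraint without an auth-constraint (or with another role) does not protect the path.
        if required_role not in roles:
            continue
        for collection in constraint.iter("web-resource-collection"):
            methods = {m.text.strip() for m in collection.iter("http-method") if m.text}
            # Per the servlet spec, listing http-method narrows the constraint to those methods,
            # so require that at least GET and POST are included when any are listed.
            if methods and not {"GET", "POST"} <= methods:
                continue
            covered.update(p.text.strip() for p in collection.iter("url-pattern") if p.text)
    return [path for path in INVOKER_PATHS if path not in covered]


def jrmp_invoker_bound_to_localhost(service_xml):
    """True if the JRMPInvoker mbean's ServerAddress attribute is a loopback address."""
    root = ET.fromstring(service_xml)
    for mbean in root.iter("mbean"):
        if mbean.get("code") != JRMP_INVOKER_CODE:
            continue
        for attribute in mbean.iter("attribute"):
            if attribute.get("name") == "ServerAddress":
                return (attribute.text or "").strip() in ("localhost", "127.0.0.1")
        return False  # mbean present but no ServerAddress: default binding, not hardened
    return False  # no JRMPInvoker mbean found at all


def audit(web_xml, service_xml):
    """Combine both checks into one findings dict; empty 'unprotected' and True 'localhost' means pass."""
    return {
        "unprotected": unprotected_invoker_paths(web_xml),
        "jrmp_localhost": jrmp_invoker_bound_to_localhost(service_xml),
    }


if __name__ == "__main__":
    # Hypothetical paths; substitute the server/$PROFILE files from the procedure.
    print("hardened sample:", audit(WEB_XML, JBOSS_SERVICE_XML))
    print("weak sample:    ", audit(WEAK_WEB_XML, "<server/>"))
```

The same parsing approach extends to step 2 (checking that jboss-web carries a security-domain) and step 4 (checking that a PooledInvoker mbean has ServerBindAddress set to localhost), since each is just another element and attribute lookup on the deployed file.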