7.6. Disabling Authentication

It is also possible to disable authentication on specific services. All specified paths in the sections below are relative to $JBOSS_HOME.

Disabling Authentication for JMX Console:

To disable authentication for the JMX console, edit the following file and comment out the security-constraint section:

server/$CONFIG/deploy/jmx-console.war/WEB-INF/web.xml
The following fragment should be commented out:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>HtmlAdaptor</web-resource-name>
        <description>An example security config that only allows users with the
            role JBossAdmin to access the HTML JMX console web application
        </description>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>JBossAdmin</role-name>
    </auth-constraint>
</security-constraint>

Disabling Authentication for Web Console:

To disable authentication for the Web console, edit the following file to comment out the security-constraint section:

server/$CONFIG/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml
The following fragment should be commented out:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>HtmlAdaptor</web-resource-name>
        <description>An example security config that only allows users with the
            role JBossAdmin to access the HTML JMX console web application
        </description>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>JBossAdmin</role-name>
    </auth-constraint>
</security-constraint>

Disabling Authentication for HTTP Invoker:

To disable authentication for the HTTP invoker, remove JNDIFactory, EJBInvokerServlet, and JMXInvokerServlet from the security realm in the following file:

server/$CONFIG/deploy/httpha-invoker.sar/invoker.war/WEB-INF/web.xml
For example, the security-constraint element should look as follows:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>HttpInvokers</web-resource-name>
        <description>An example security config that only allows users with the
            role HttpInvoker to access the HTTP invoker servlets
        </description>
        <url-pattern>/restricted/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>HttpInvoker</role-name>
    </auth-constraint>
</security-constraint>

Disabling Authentication for JMX Invoker:

To disable authentication for the JMX invoker, edit the following file to comment out the security interceptor passthrough:

server/$CONFIG/deploy/jmx-invoker-service.xml
Locate the mbean section with the class org.jboss.jmx.connector.invoker.InvokerAdaptorService. In that section, comment out the interceptor element that requires authenticated users (org.jboss.jmx.connector.invoker.AuthenticationInterceptor):
<descriptors>
    <interceptors>
        <!-- Uncomment to require authenticated users -->
        <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
                    securityDomain="java:/jaas/jmx-console"/>
        <!-- Interceptor that deals with non-serializable results -->
        <interceptor code="org.jboss.jmx.connector.invoker.SerializableInterceptor"
                    policyClass="StripModelMBeanInfoPolicy"/>
    </interceptors>
</descriptors>

Warning

Disabling authentication results in full administrator level access to the JBoss installation. A user connecting to a server with authentication disabled is permitted to run any code they choose on the server.
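
To confirm that a server which is supposed to require authentication has not had any of the above changes applied, the descriptors can be parsed and checked for active (not commented-out) constraints. The following is an added example, not part of the JBoss distribution or this guide's original text; the function names and the reduced sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ADAPTOR = "org.jboss.jmx.connector.invoker.InvokerAdaptorService"
AUTH = "org.jboss.jmx.connector.invoker.AuthenticationInterceptor"

def _name(el):
    # Drop any XML namespace prefix so namespaced web.xml files also match.
    return el.tag.rsplit("}", 1)[-1]

def protected_patterns(web_xml):
    """Return url-patterns covered by a security-constraint that names a role.
    The parser discards XML comments, so a commented-out constraint is not counted."""
    found = []
    for sc in (e for e in ET.fromstring(web_xml).iter() if _name(e) == "security-constraint"):
        roles = [r for a in sc if _name(a) == "auth-constraint"
                 for r in a if _name(r) == "role-name" and (r.text or "").strip()]
        if roles:
            found += [u.text.strip() for u in sc.iter() if _name(u) == "url-pattern" and u.text]
    return found

def jmx_invoker_requires_auth(service_xml):
    """True if the InvokerAdaptorService mbean has an active AuthenticationInterceptor."""
    for mbean in ET.fromstring(service_xml).iter("mbean"):
        if mbean.get("code") == ADAPTOR:
            return any(i.get("code") == AUTH for i in mbean.iter("interceptor"))
    return False

# Constructed samples, reduced from the fragments shown in this section.
CONSTRAINT = """<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
</security-constraint>"""
WEB_ON = "<web-app>" + CONSTRAINT + "</web-app>"
WEB_OFF = "<web-app><!-- " + CONSTRAINT + " --></web-app>"
INTERCEPTOR = '<interceptor code="' + AUTH + '" securityDomain="java:/jaas/jmx-console"/>'

def service(body):
    # Constructed, minimal stand-in for jmx-invoker-service.xml.
    return '<server><mbean code="' + ADAPTOR + '"><interceptors>' + body + '</interceptors></mbean></server>'

if __name__ == "__main__":
    print("web.xml, constraint active:       ", protected_patterns(WEB_ON))
    print("web.xml, constraint commented out:", protected_patterns(WEB_OFF))
    print("JMX invoker, interceptor active:  ", jmx_invoker_requires_auth(service(INTERCEPTOR)))
    print("JMX invoker, interceptor removed: ", jmx_invoker_requires_auth(service("<!-- " + INTERCEPTOR + " -->")))
```

For the two console web.xml files, a result that does not include /* means the console is reachable without authentication; for the HTTP invoker web.xml, compare the returned patterns against the servlet mappings in the same file.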