Chapter 4. Securing the Management Console

Abstract

The default setting for Access-Control-Allow-Origin header for the JBoss A-MQ Management Console permits unrestricted sharing. To restrict access to the JBoss A-MQ Management Console, create an access management file which contains a list of the allowed origin URLs. To implement the restrictions, add a system property that references the access management file

4.1. Controlling Access to the Fuse Management Console

Create an access management file called access-management.xml in <installDir>/etc/. The access management file must contain <allow-origin> sections within a <cors> section. The <allow-origin> section can contain the origin URL provided by browsers with the Origin: header, or a wildcard specification with *. For example: 
<cors>
   <!-- Allow cross origin access from www.jolokia.org ... -->
   <allow-origin>http://www.jolokia.org</allow-origin>
   <!-- ... and all servers from jmx4perl.org with any protocol -->
   <allow-origin>*://*.jmx4perl.org</allow-origin>
   <!-- optionally allow access to web console from localhost -->
   <allow-origin>http://localhost:8181/*</allow-origin>
   <!-- Check for the proper origin on the server side, too -->
   <strict-checking/>
</cors>
Add the following line to JBoss A-MQ config script ./bin/setenv, adding the path to the access management file. 
export EXTRA_JAVA_OPTS='-Djolokia.policyLocation=file:etc/access-management.xml'
When the command ./bin/fuse is executed, the access management file is referenced and used to restrict access to the JBoss A-MQ Management Console.