Chapter 4. Securing the Management Console


The default setting for Access-Control-Allow-Origin header for the JBoss A-MQ Management Console permits unrestricted sharing. To restrict access to the JBoss A-MQ Management Console, create an access management file which contains a list of the allowed origin URLs. To implement the restrictions, add a system property that references the access management file

4.1. Controlling Access to the Fuse Management Console

Create an access management file called access-management.xml in <installDir>/etc/. The access management file must contain <allow-origin> sections within a <cors> section. The <allow-origin> section can contain the origin URL provided by browsers with the Origin: header, or a wildcard specification with *. For example:
   <!-- Allow cross origin access from ... -->
   <!-- ... and all servers from with any protocol -->
   <!-- optionally allow access to web console from localhost -->
   <!-- Check for the proper origin on the server side, too -->
Add the following line to JBoss A-MQ config script ./bin/setenv, adding the path to the access management file.
export EXTRA_JAVA_OPTS='-Djolokia.policyLocation=file:etc/access-management.xml'
When the command ./bin/fuse is executed, the access management file is referenced and used to restrict access to the JBoss A-MQ Management Console.