Jboss 安全和优化
一. Jboss后台启动:
添加后台修改命令:
vi run.sh
while true; do
if [ "x$LAUNCH_JBOSS_IN_BACKGROUND" = "x" ]; then
# Execute the JVM in the foreground
nohup "$JAVA" $JAVA_OPTS
-Djava.endorsed.dirs="$JBOSS_ENDORSED_DIRS"
-classpath "$JBOSS_CLASSPATH"
org.jboss.Main "$@"
JBOSS_STATUS=$?
else
# Execute the JVM in the background
"$JAVA" $JAVA_OPTS
-Djava.endorsed.dirs="$JBOSS_ENDORSED_DIRS"
-classpath "$JBOSS_CLASSPATH"
org.jboss.Main "$@" &
JBOSS_PID=$!
# Trap common signals and relay them to the jboss process
trap "kill -HUP $JBOSS_PID" HUP
trap "kill -TERM $JBOSS_PID" INT
trap "kill -QUIT $JBOSS_PID" QUIT
trap "kill -PIPE $JBOSS_PID" PIPE
trap "kill -TERM $JBOSS_PID" TERM
# Wait until the background process exits
WAIT_STATUS=0
while [ "$WAIT_STATUS" -ne 127 ]; do
JBOSS_STATUS=$WAIT_STATUS
wait $JBOSS_PID 2>/dev/null
WAIT_STATUS=$?
done
fi
# If restart doesn't work, check you are running JBossAS 4.0.4+
# http://jira.jboss.com/jira/browse/JBAS-2483
# or the following if you're running Red Hat 7.0
# http://developer.java.sun.com/developer/bugParade/bugs/4465334.html
if [ $JBOSS_STATUS -eq 10 ]; then
echo "Restarting JBoss..."
else
exit $JBOSS_STATUS
fi
done &
二. Jboss内存优化:
修改这个两参数,给jvm分配适当的内存,一般为服务器的3/4内存量,推荐至少使用4G内存。
另外添加两个参数 -XX:+UseParallelGC -XX:+UseParallelOldGC 这两个让服务并行回收内存空间。修改完成后,大致为 JAVA_OPTS = “-Xms4096m -Xmx8192m -XX:+UseParallelGC -XX:+UseParallelOldGC -Dsum……
三. Jboss日志输出模式
[root@190MEM conf]# pwd
/usr/local/jboss/server/default/conf
[root@190MEM conf]# vi jboss-log4j.xml
<appender name="FILE" class="org.jboss.logging.appender.DailyRollingFileAppender">
<errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
<param name="File" value="${jboss.server.log.dir}/server.log"/>
<param name="Append" value="false"/>
<param name="Threshold" value="ERROR"/>
四. Jboss数据库连接池优化
修改数据库连接池:
<datasources>
<local-tx-datasource>
<jndi-name>training_master_db</jndi-name> <connection-url>jdbc:mysql://211.100.192.128:3306/dts?useUnicode=true&characterEncoding=UTF-8</connection-url>
<driver-class>com.mysql.jdbc.Driver</driver-class>
<user-name>root</user-name>
<password></password>
<min-pool-size>100</min-pool-size>
<max-pool-size>500</max-pool-size> <exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.MySQLExceptionSorter</exception-sorter-class-name>
五. Jboss部署目录优化:
去掉和应用无关的部署,加快jboss运行速度
bsh-deployer.xml
client-deployer-service.xml
ear-deployer.xml
ejb-deployer.xml
http-invoker.sar
jboss-bean.deployer
jboss-ws4ee.sar
jms
jsr88-service.xml
schedule-manager-service.xml
scheduler-service.xml
sqlexception-service.xml
uuid-key-generator.sar
六. Jboss应用安全加固:
去掉:
Tomcat status (full) (XML)
JMX Console
JBoss Web Console
删除deploy下的jmx-console.war/ management/
[root@190MEM deploy]# pwd
/usr/local/jboss/server/default/deploy
[root@190MEM deploy]# ls jmx-console.war/ management/
jmx-console.war/:
checkJNDI.jsp displayMBeans.jsp images inspectMBean.jsp META-INF WEB-INF
cluster displayOpResult.jsp index.jsp jboss.css style_master.css
management/:
console-mgr.sar
一、 前言:
Jboss默认安装以后,会默认打开http://127.0.0.1,显示如下:
JBoss Online Resources
• JBoss 4.0 documentation
• JBoss Wiki
• JBoss forums
JBoss Management
• Tomcat status (full) (XML)
• JMX Console
• JBoss Web Console
Jmx Console和Jboss Web Console 里面可以修改和删除应用的参数,如果不加强安全设置,将会带来严重安全后果。
二、 关闭管理端口和相关统计信息:
1、 关闭jmx-console:
删除
/export/home/jboss-4.0.3SP1/server/default/deploy下目录jmx-console.war、management
2、 关闭web-console:
删除
/export/home/jboss-4.0.3SP1/server/default/deploy/jbossweb-tomcat55.sar下目录ROOT.war
3、 关闭status统计信息:
修改/export/home/jboss-4.0.3SP1/server/default/deploy/ROOT.war/WEB-INF/web.xml
屏蔽其中jboss的内容:粗体为添加屏蔽符号:
<!--display-name>Welcome to JBoss </display-name>
<description>
Welcome to JBoss
</description>
<servlet>
<servlet-name>Status Servlet </servlet-name>
<servlet-class>org.jboss.web.tomcat.tc5.StatusServlet </servlet-class>
</servlet-->
<!--servlet-mapping>
<servlet-name>Status Servlet </servlet-name>
<url-pattern>/status </url-pattern>
</servlet-mapping-->
4、 删除jboss主页相目录和文件:
/export/home/jboss-4.0.3SP1/server/default/deploy/ROOT.war下:Manager/favicon.ico/jboss.css/jbossindex.html/logo.gif
lion:/export/home/jboss-4.0.3SP1/server/default/deploy/ROOT.war # rm -rf manager favicon.ico jboss.css jbossindex.html logo.gif
5、 备注:
三、 关闭完成测试:
1、 http://127.0.0.1/jmx-console
2、 http://127.0.0.1/web-console
3、 http://127.0.0.1/jbossindex.html
4、 http://127.0.0.1/status
5、 测试结果:
测试人 时间
服务器 jmx-console web-console status jbossindex.html 测试
jboss默认配置了以下服务:
• JMX Console
• JBoss Web Console
为了安全起见,需要用户通过授权进行访问。
一、JMX安全配置
STEP 1:
找到%JBOSS_HOME%/server/default/deploy/jmx-console.war/WEB-INF/jboss-web.xml文件,根据说明,去掉注释。
<jboss-web>
<security-domain>java:/jaas/jmx-console</security-domain>
</jboss-web>
STEP 2:
与jboss-web.xml同级目录下还有一个文件web.xml,找到其中的节点,根据说明,取消注释。
<security-constraint>
<web-resource-collection>
<web-resource-name>HtmlAdaptor</web-resource-name>
<description>An example security config that only allows users with the
role JBossAdmin to access the HTML JMX console web application
</description>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>JBossAdmin</role-name>
</auth-constraint>
</security-constraint>
STEP 3:
在第一步中的jmx-console安全域和第二步中的运行角色JBossAdmin都是在login-config.xml中配置,我们在%
<application-policy name = "jmx-console">
<authentication>
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
flag = "required">
<module-option name="usersProperties">props/jmx-console-users.properties</module-option>
<module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
</login-module>
</authentication>
</application-policy>
文件props/jmx-console-users.properties定义了用户名、密码;props/jmx-console-roles.properties定义了用户所属角色
注:
jmx-console-users.properties 格式是:用户名=密码明文
jmx-console-roles.properties 格式是:用户名=角色1,角色2,角色3
二、WEB-CONSOLE的安全配置
STEP 1:
找到%JBOSS_HOME%/server/default/deploy/ management/console-mgr.sar/web-console.war/WEB-INF/jboss-web.xml文件,根据说明,去掉注释。
<jboss-web>
<depends>jboss.admin:service=PluginManager</depends>
</jboss-web>
STEP 2:
与jboss-web.xml同级目录下还有一个文件web.xml,找到其中的节点,根据说明,取消注释。
<security-constraint>
<web-resource-collection>
<web-resource-name>HtmlAdaptor</web-resource-name>
<description>An example security config that only allows users with the
role JBossAdmin to access the HTML JMX console web application
</description>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>JBossAdmin</role-name>
</auth-constraint>
</security-constraint>
STEP 3:
在本目录的classes文件夹下找到web-console-users.properties和web-console-roles.properties两个文件更名为:
<application-policy name = "web-console">
<authentication>
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
flag = "required">
<module-option name="usersProperties">users.properties</module-option>
<module-option name="rolesProperties">roles.properties</module-option>
</login-module>
</authentication>
</application-policy>
启动服务输入http://localhost:8080/
然后分别点击JMX Console以及Jboss Web Console测试安全机制
user.properties和role.propertie并修改users.properties其中的用户名和密码修改%JBOSS_HOME%/server/default/conf/login-config.xml中web-console节点修改为以下:
到后自行修改或重新定义用户名、密码。JBOSS_HOME%/server/default/config下找到它。查找名字为:jmx-console的application-policy:
http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureTheJmxConsole
http://jira.jboss.com/jira/secure/attachment/12313981/index.html
http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureTheJmxConsole
http://jira.jboss.com/jira/secure/attachment/12313981/index.html