Jboss 安全和优化
Jboss 安全和优化 一. Jboss后台启动: 添加后台修改命令: vi run.sh while true; do if [ "x$LAUNCH_JBOSS_IN_BACKGROUND" = "x" ]; then # Execute the JVM in the foreground nohup "$JAVA" $JAVA_OPTS \ -Djava.endorsed.dirs="$JBOSS_ENDORSED_DIRS" \ -classpath "$JBOSS_CLASSPATH" \ org.jboss.Main "$@" JBOSS_STATUS=$? else # Execute the JVM in the background "$JAVA" $JAVA_OPTS \ -Djava.endorsed.dirs="$JBOSS_ENDORSED_DIRS" \ -classpath "$JBOSS_CLASSPATH" \ org.jboss.Main "$@" & JBOSS_PID=$! # Trap common signals and relay them to the jboss process trap "kill -HUP $JBOSS_PID" HUP trap "kill -TERM $JBOSS_PID" INT trap "kill -QUIT $JBOSS_PID" QUIT trap "kill -PIPE $JBOSS_PID" PIPE trap "kill -TERM $JBOSS_PID" TERM # Wait until the background process exits WAIT_STATUS=0 while [ "$WAIT_STATUS" -ne 127 ]; do JBOSS_STATUS=$WAIT_STATUS wait $JBOSS_PID 2>/dev/null WAIT_STATUS=$? done fi # If restart doesn't work, check you are running JBossAS 4.0.4+ # http://jira.jboss.com/jira/browse/JBAS-2483 # or the following if you're running Red Hat 7.0 # http://developer.java.sun.com/developer/bugParade/bugs/4465334.html if [ $JBOSS_STATUS -eq 10 ]; then echo "Restarting JBoss..." else exit $JBOSS_STATUS fi done & 二. Jboss内存优化: 修改这个两参数,给jvm分配适当的内存,一般为服务器的3/4内存量,推荐至少使用4G内存。 另外添加两个参数 -XX:+UseParallelGC -XX:+UseParallelOldGC 这两个让服务并行回收内存空间。修改完成后,大致为 JAVA_OPTS = “-Xms4096m -Xmx8192m -XX:+UseParallelGC -XX:+UseParallelOldGC -Dsum…… 三. Jboss日志输出模式 [root@190MEM conf]# pwd /usr/local/jboss/server/default/conf [root@190MEM conf]# vi jboss-log4j.xml <appender name="FILE" class="org.jboss.logging.appender.DailyRollingFileAppender"> <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/> <param name="File" value="${jboss.server.log.dir}/server.log"/> <param name="Append" value="false"/> <param name="Threshold" value="ERROR"/> 四. Jboss数据库连接池优化 修改数据库连接池: <datasources> <local-tx-datasource> <jndi-name>training_master_db</jndi-name> <connection-url>jdbc:mysql://211.100.192.128:3306/dts?useUnicode=true&characterEncoding=UTF-8</connection-url> <driver-class>com.mysql.jdbc.Driver</driver-class> <user-name>root</user-name> <password></password> <min-pool-size>100</min-pool-size> <max-pool-size>500</max-pool-size> <exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.MySQLExceptionSorter</exception-sorter-class-name> 五. Jboss部署目录优化: 去掉和应用无关的部署,加快jboss运行速度 bsh-deployer.xml client-deployer-service.xml ear-deployer.xml ejb-deployer.xml http-invoker.sar jboss-bean.deployer jboss-ws4ee.sar jms jsr88-service.xml schedule-manager-service.xml scheduler-service.xml sqlexception-service.xml uuid-key-generator.sar 六. Jboss应用安全加固: 去掉: Tomcat status (full) (XML) JMX Console JBoss Web Console 删除deploy下的jmx-console.war/ management/ [root@190MEM deploy]# pwd /usr/local/jboss/server/default/deploy [root@190MEM deploy]# ls jmx-console.war/ management/ jmx-console.war/: checkJNDI.jsp displayMBeans.jsp images inspectMBean.jsp META-INF WEB-INF cluster displayOpResult.jsp index.jsp jboss.css style_master.css management/: console-mgr.sar 一、 前言: Jboss默认安装以后,会默认打开http://127.0.0.1,显示如下: JBoss Online Resources • JBoss 4.0 documentation • JBoss Wiki • JBoss forums JBoss Management • Tomcat status (full) (XML) • JMX Console • JBoss Web Console Jmx Console和Jboss Web Console 里面可以修改和删除应用的参数,如果不加强安全设置,将会带来严重安全后果。 二、 关闭管理端口和相关统计信息: 1、 关闭jmx-console: 删除 /export/home/jboss-4.0.3SP1/server/default/deploy下目录jmx-console.war、management 2、 关闭web-console: 删除 /export/home/jboss-4.0.3SP1/server/default/deploy/jbossweb-tomcat55.sar下目录ROOT.war 3、 关闭status统计信息: 修改/export/home/jboss-4.0.3SP1/server/default/deploy/ROOT.war/WEB-INF/web.xml 屏蔽其中jboss的内容:粗体为添加屏蔽符号: <!--display-name>Welcome to JBoss </display-name> <description> Welcome to JBoss </description> <servlet> <servlet-name>Status Servlet </servlet-name> <servlet-class>org.jboss.web.tomcat.tc5.StatusServlet </servlet-class> </servlet--> <!--servlet-mapping> <servlet-name>Status Servlet </servlet-name> <url-pattern>/status </url-pattern> </servlet-mapping--> 4、 删除jboss主页相目录和文件: /export/home/jboss-4.0.3SP1/server/default/deploy/ROOT.war下:Manager/favicon.ico/jboss.css/jbossindex.html/logo.gif lion:/export/home/jboss-4.0.3SP1/server/default/deploy/ROOT.war # rm -rf manager favicon.ico jboss.css jbossindex.html logo.gif 5、 备注: 三、 关闭完成测试: 1、 http://127.0.0.1/jmx-console 2、 http://127.0.0.1/web-console 3、 http://127.0.0.1/jbossindex.html 4、 http://127.0.0.1/status 5、 测试结果: 测试人 时间 服务器 jmx-console web-console status jbossindex.html 测试 jboss默认配置了以下服务: • JMX Console • JBoss Web Console 为了安全起见,需要用户通过授权进行访问。 一、JMX安全配置 STEP 1: 找到%JBOSS_HOME%/server/default/deploy/jmx-console.war/WEB-INF/jboss-web.xml文件,根据说明,去掉注释。 <jboss-web> <security-domain>java:/jaas/jmx-console</security-domain> </jboss-web> STEP 2: 与jboss-web.xml同级目录下还有一个文件web.xml,找到其中的节点,根据说明,取消注释。 <security-constraint> <web-resource-collection> <web-resource-name>HtmlAdaptor</web-resource-name> <description>An example security config that only allows users with the role JBossAdmin to access the HTML JMX console web application </description> <url-pattern>/*</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <auth-constraint> <role-name>JBossAdmin</role-name> </auth-constraint> </security-constraint> STEP 3: 在第一步中的jmx-console安全域和第二步中的运行角色JBossAdmin都是在login-config.xml中配置,我们在% <application-policy name = "jmx-console"> <authentication> <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag = "required"> <module-option name="usersProperties">props/jmx-console-users.properties</module-option> <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option> </login-module> </authentication> </application-policy> 文件props/jmx-console-users.properties定义了用户名、密码;props/jmx-console-roles.properties定义了用户所属角色 注: jmx-console-users.properties 格式是:用户名=密码明文 jmx-console-roles.properties 格式是:用户名=角色1,角色2,角色3 二、WEB-CONSOLE的安全配置 STEP 1: 找到%JBOSS_HOME%/server/default/deploy/ management/console-mgr.sar/web-console.war/WEB-INF/jboss-web.xml文件,根据说明,去掉注释。 <jboss-web> <depends>jboss.admin:service=PluginManager</depends> </jboss-web> STEP 2: 与jboss-web.xml同级目录下还有一个文件web.xml,找到其中的节点,根据说明,取消注释。 <security-constraint> <web-resource-collection> <web-resource-name>HtmlAdaptor</web-resource-name> <description>An example security config that only allows users with the role JBossAdmin to access the HTML JMX console web application </description> <url-pattern>/*</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <auth-constraint> <role-name>JBossAdmin</role-name> </auth-constraint> </security-constraint> STEP 3: 在本目录的classes文件夹下找到web-console-users.properties和web-console-roles.properties两个文件更名为: <application-policy name = "web-console"> <authentication> <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag = "required"> <module-option name="usersProperties">users.properties</module-option> <module-option name="rolesProperties">roles.properties</module-option> </login-module> </authentication> </application-policy> 启动服务输入http://localhost:8080/ 然后分别点击JMX Console以及Jboss Web Console测试安全机制 user.properties和role.propertie并修改users.properties其中的用户名和密码修改%JBOSS_HOME%/server/default/conf/login-config.xml中web-console节点修改为以下: 到后自行修改或重新定义用户名、密码。JBOSS_HOME%/server/default/config下找到它。查找名字为:jmx-console的application-policy: http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureTheJmxConsole http://jira.jboss.com/jira/secure/attachment/12313981/index.html http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureTheJmxConsole http://jira.jboss.com/jira/secure/attachment/12313981/index.html