Wednesday, July 10, 2013

Securing a JBoss Web Application

Below are the steps for securing any web application deployed on JBoss EAP 5.1 or AS 5 with container-managed BASIC authentication.

Step 1: Edit web.xml in your application

Edit the web.xml file in your webapp at the following location:
WEB-INF/web.xml
Add the following contents to web.xml (generally towards the bottom of the file):

<security-constraint>
   <web-resource-collection>
      <web-resource-name>All resources</web-resource-name>
      <url-pattern>/*</url-pattern>
   </web-resource-collection>
   <auth-constraint>
      <role-name>myrole</role-name>
   </auth-constraint>
</security-constraint>
<login-config>
   <auth-method>BASIC</auth-method>
   <realm-name>Confidential</realm-name>
</login-config>
<security-role>
   <role-name>myrole</role-name>
</security-role>

This tells the container to restrict every URL (/*) to authenticated users who hold the role 'myrole'.


Step 2: Create jboss-web.xml in your application

Edit or create the jboss-web.xml file in your webapp at the following location:
WEB-INF/jboss-web.xml

<!DOCTYPE jboss-web PUBLIC
   "-//JBoss//DTD Web Application 5.0//EN"
   "http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd">

<jboss-web>
   <security-domain>java:/jaas/Myappname</security-domain>
</jboss-web>

Myappname is the application policy name that we define in Step 3; the security-domain value is the JNDI prefix java:/jaas/ followed by that policy name, with no quotes around it. This tells JBoss to use the application policy 'Myappname' for this application.

Step 3: Create the application policy on the JBoss server

We now need to define the application policy 'Myappname' on the JBoss server.
Edit the login-config.xml file in the JBoss server directory at the following location:
jboss/server/<profile>/conf/login-config.xml
Edit the contents of login-config.xml and add an application policy as follows (the name must match the security-domain from Step 2):

<!-- application policy for Myappname -->
<application-policy name="Myappname">
   <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
         <module-option name="usersProperties">props/users.properties</module-option>
         <module-option name="rolesProperties">props/roles.properties</module-option>
      </login-module>
   </authentication>
</application-policy>

This tells JBoss to use the UsersRolesLoginModule, which reads users and roles from property files found on the server classpath (here under the conf directory, as in Step 4). Passwords in users.properties are compared in clear text unless the login module's hashAlgorithm option is set.

Step 4: Create users on the JBoss server

Now we create a new user with the role 'myrole'.

Create a new user
Edit the users.properties file used by your application policy in Step 3:
jboss/server/<profile>/conf/props/users.properties
Add a line to create a new user as follows:
myuser=mypassword

Assign the role
Edit the roles.properties file used by your application policy in Step 3:
jboss/server/<profile>/conf/props/roles.properties
Add a line to assign the role 'myrole' to 'myuser' as follows:
myuser=myrole
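A consistency check for the four artifacts from Steps 1 to 4, added here as an example (it is not from the original post and not a JBoss tool): it parses web.xml, jboss-web.xml, login-config.xml and the two property files and reports any break in the chain role -> user -> policy -> security-domain. The sample file contents are constructed to match the steps above.

```python
"""Consistency check for the web.xml / jboss-web.xml / login-config.xml /
properties chain (added example; sample contents below are constructed)."""
import xml.etree.ElementTree as ET

WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>All resources</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>myrole</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>myrole</role-name></security-role>
</web-app>"""
JBOSS_WEB_XML = "<jboss-web><security-domain>java:/jaas/Myappname</security-domain></jboss-web>"
LOGIN_CONFIG_XML = """<policy>
  <application-policy name="Myappname">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"/>
    </authentication>
  </application-policy>
</policy>"""
USERS_PROPERTIES = "myuser=mypassword\n"   # constructed, as in Step 4
ROLES_PROPERTIES = "myuser=myrole\n"       # constructed, as in Step 4


def parse_properties(text):
    """Minimal key=value parser for users.properties / roles.properties."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def check_setup(web_xml, jboss_web_xml, login_config_xml, users_props, roles_props):
    """Return a list of problems; an empty list means the chain is consistent."""
    problems = []
    web = ET.fromstring(web_xml)
    declared = {rn.text.strip() for sr in web.iter("security-role") for rn in sr.iter("role-name")}
    required = {rn.text.strip() for ac in web.iter("auth-constraint") for rn in ac.iter("role-name")}
    for role in sorted(required - declared):
        problems.append("web.xml: auth-constraint role '%s' has no <security-role>" % role)
    if web.find("login-config/auth-method") is None:
        problems.append("web.xml: no <login-config>/<auth-method>, the container cannot challenge")

    # The security-domain must be java:/jaas/<policy> and the policy must exist
    domain_el = ET.fromstring(jboss_web_xml).find("security-domain")
    domain = (domain_el.text or "").strip() if domain_el is not None else ""
    if not domain.startswith("java:/jaas/"):
        problems.append("jboss-web.xml: security-domain '%s' should start with java:/jaas/" % domain)
    policy = domain.rsplit("/", 1)[-1]
    policies = {ap.get("name") for ap in ET.fromstring(login_config_xml).iter("application-policy")}
    if policy not in policies:
        problems.append("login-config.xml: no <application-policy name=\"%s\">" % policy)

    # Every user given a role must exist, and every required role must be held by someone
    users = parse_properties(users_props)
    roles = parse_properties(roles_props)
    for user in sorted(roles.keys() - users.keys()):
        problems.append("roles.properties: user '%s' is not in users.properties" % user)
    assigned = {r.strip() for v in roles.values() for r in v.split(",")}
    for role in sorted(required - assigned):
        problems.append("roles.properties: nobody holds required role '%s'" % role)
    return problems


if __name__ == "__main__":
    print(check_setup(WEB_XML, JBOSS_WEB_XML, LOGIN_CONFIG_XML, USERS_PROPERTIES, ROLES_PROPERTIES))
    # A quoted policy name in jboss-web.xml is reported as a missing application-policy
    bad = JBOSS_WEB_XML.replace("java:/jaas/Myappname", 'java:/jaas/"Myappname"')
    print(check_setup(WEB_XML, bad, LOGIN_CONFIG_XML, USERS_PROPERTIES, ROLES_PROPERTIES))
```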

Test your settings

Restart the JBoss server and deploy your application. When you access your application, you should see a basic authentication popup.

If your setup is correct, you should be able to log in using 'myuser' and 'mypassword' as defined in Step 4.

We have used BASIC authentication in this example, but the auth-method can also be DIGEST, FORM or CLIENT-CERT. Since BASIC only base64-encodes the credentials, serve the application over HTTPS; adding a <user-data-constraint> with <transport-guarantee>CONFIDENTIAL</transport-guarantee> to the security-constraint makes the container enforce that.

Thanks!!

Tuesday, March 12, 2013

Jboss Web AJP NullPointerException


Hi all,

Recently we ran into an issue with one application and were getting the exceptions below:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
15:44:21,728 ERROR [org.apache.coyote.ajp.AjpMessage] Cannot append null value
java.lang.NullPointerException
        at org.apache.coyote.ajp.AjpMessage.appendString(AjpMessage.java:242)
        at org.apache.coyote.ajp.AjpMessage.appendBytes(AjpMessage.java:178)
        at org.apache.coyote.ajp.AjpAprProcessor.prepareResponse(AjpAprProcessor.java:975)
        at org.apache.coyote.ajp.AjpAprProcessor.action(AjpAprProcessor.java:484)
        at org.apache.coyote.Response.action(Response.java:186)
        at org.apache.coyote.Response.sendHeaders(Response.java:386)
        at org.apache.catalina.connector.OutputBuffer.doFlush(OutputBuffer.java:333)
        at org.apache.catalina.connector.OutputBuffer.close(OutputBuffer.java:299)
        at org.apache.catalina.connector.Response.finishResponse(Response.java:495)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:346)
        at org.apache.coyote.ajp.AjpAprProcessor.process(AjpAprProcessor.java:419)
        at org.apache.coyote.ajp.AjpAprProtocol$AjpConnectionHandler.process(AjpAprProtocol.java:403)
        at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:2036)
        at java.lang.Thread.run(Thread.java:662)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

After analysis, it appears the problem is in header handling: a null header value is being passed, which results in the exception above. We enabled some logging to confirm this, shown below.
However, the NullPointerException here is actually expected behaviour when given a null header. If JBoss receives a message with a malformed header like this, it should throw an exception, so the issue is believed to be external, in the application, and there may be nothing to fix in JBoss itself, only in the application code.



  • Turn on the "RequestDumperValve" in the 'jbossweb.sar/server.xml' and inspect request for any unusual headers.
  • Check the web.xml from the application, and the deployer's web.xml, for any missing param-values.

After enabling the valve, you will see logs like the ones below. In the response dump (after the second separator line) note status=302 together with header=Location=null: that null Location value is what AjpMessage.appendString refuses to append in the stack trace above.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2013-03-11 15:50:01,696 INFO ] REQUEST URI       =/QRUserExperience-1.0/getUrl/adasd224
2013-03-11 15:50:01,697 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]                     authType=null
2013-03-11 15:50:01,698 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]  characterEncoding=null
2013-03-11 15:50:01,698 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]      contentLength=-1
2013-03-11 15:50:01,698 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]        contentType=null
2013-03-11 15:50:01,698 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]        contextPath=/QRUserExperience-1.0
2013-03-11 15:50:01,699 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]             cookie=NLSessionSnoauthmcd=6+5BtzKQNoCtHxI/nSR/x7SFBkhNfAkpDd1lCVXYzmaih8ykkBN8bd+8LWkWaAqsIXhN4HrENZFIsUzRABN+TirfPErpoGxRlrjCUrKuR3UhfalV9Ss0LgW+xBIyBlCU
2013-03-11 15:50:01,699 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]             cookie=GlobalAS-SessionId=e8643a31-891c-4dbd-9e2e-e965ba2aab23
2013-03-11 15:50:01,699 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]             cookie=UserLanguageCode=en
2013-03-11 15:50:01,701 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]             header=host=q-dev.mcd.com
2013-03-11 15:50:01,701 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]             header=user-agent=Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.25) Gecko/20111212 Firefox/3.6.25
2013-03-11 15:50:01,701 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]             header=accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
2013-03-11 15:50:01,701 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]             header=accept-language=en-us,en;q=0.5
2013-03-11 15:50:01,701 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]             header=accept-encoding=gzip,deflate
2013-03-11 15:50:01,701 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]             header=accept-charset=ISO-8859-1,utf-8;q=0.7,*;q=0.7
2013-03-11 15:50:01,701 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]             header=Keep-Alive=115
2013-03-11 15:50:01,701 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]             header=connection=keep-alive
2013-03-11 15:50:01,702 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]             header=cookie=NLSessionSnoauthmcd=6+5BtzKQNoCtHxI/nSR/x7SFBkhNfAkpDd1lCVXYzmaih8ykkBN8bd+8LWkWaAqsIXhN4HrENZFIsUzRABN+TirfPErpoGxRlrjCUrKuR3UhfalV9Ss0LgW+xBIyBlCU; GlobalAS-SessionId=e8643a31-891c-4dbd-9e2e-e965ba2aab23; UserLanguageCode=en
2013-03-11 15:50:01,702 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]             locale=en_US
2013-03-11 15:50:01,702 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]             method=GET
2013-03-11 15:50:01,703 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]           pathInfo=/adasd224
2013-03-11 15:50:01,703 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]           protocol=HTTP/1.1
2013-03-11 15:50:01,703 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]        queryString=null
2013-03-11 15:50:01,703 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]         remoteAddr=192.8.220.34
2013-03-11 15:50:01,703 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]         remoteHost=192.8.220.34
2013-03-11 15:50:01,703 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]         remoteUser=null
2013-03-11 15:50:01,703 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] requestedSessionId=null
2013-03-11 15:50:01,703 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]             scheme=https
2013-03-11 15:50:01,704 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]         serverName=q-dev.mcd.com
2013-03-11 15:50:01,704 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]         serverPort=443
2013-03-11 15:50:01,704 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]        servletPath=/getUrl
2013-03-11 15:50:01,704 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]           isSecure=true
2013-03-11 15:50:01,704 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] ---------------------------------------------------------------
2013-03-11 15:50:02,240 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] ---------------------------------------------------------------
2013-03-11 15:50:02,240 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]           authType=null
2013-03-11 15:50:02,240 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]      contentLength=-1
2013-03-11 15:50:02,240 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]        contentType=null
2013-03-11 15:50:02,241 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]             header=X-Powered-By=Servlet 2.5; JBoss-5.0/JBossWeb-2.1
2013-03-11 15:50:02,241 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]             header=Location=null
2013-03-11 15:50:02,241 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]            message=null
2013-03-11 15:50:02,241 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]         remoteUser=null
2013-03-11 15:50:02,241 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]             status=302
2013-03-11 15:50:02,241 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
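As an added example (not part of the original post), the following script scans RequestDumperValve output for header values of null, which is the condition AjpMessage.appendString rejects; the sample log lines are constructed to mirror the dump above, with a hypothetical host name.

```python
"""Find null header values in RequestDumperValve output (added example;
the log lines below are constructed to mirror the dump in the post)."""
import re

SAMPLE_LOG = """\
2013-03-11 15:50:01,696 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] REQUEST URI       =/QRUserExperience-1.0/getUrl/adasd224
2013-03-11 15:50:01,701 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]             header=host=q-dev.example.com
2013-03-11 15:50:01,701 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]             header=accept=text/html,application/xhtml+xml;q=0.9
2013-03-11 15:50:01,703 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]             method=GET
2013-03-11 15:50:01,704 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] ---------------------------------------------------------------
2013-03-11 15:50:02,240 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] ---------------------------------------------------------------
2013-03-11 15:50:02,241 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]             header=X-Powered-By=Servlet 2.5; JBoss-5.0/JBossWeb-2.1
2013-03-11 15:50:02,241 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]             header=Location=null
2013-03-11 15:50:02,241 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]             status=302
"""

# A dumper field looks like "name=value"; the request URI field has spaces in its name.
FIELD_RE = re.compile(r"^\s*(REQUEST URI|[A-Za-z]+)\s*=(.*)$")


def parse_dumps(log_text):
    """Split the valve output into dumps; each dump maps field -> list of values."""
    dumps, current = [], {}
    for line in log_text.splitlines():
        # Strip timestamp, level and logger "[...]]"; keep the valve's own text.
        payload = line.split("]]", 1)[1].strip() if "]]" in line else line.strip()
        if payload[:3] in ("---", "+++"):
            if current:
                dumps.append(current)
                current = {}
            continue
        m = FIELD_RE.match(payload)
        if m:
            current.setdefault(m.group(1), []).append(m.group(2).strip())
    if current:
        dumps.append(current)
    return dumps


def null_headers(dumps):
    """Return (dump_index, header_name) for every header=<name>=null entry."""
    found = []
    for i, dump in enumerate(dumps):
        for entry in dump.get("header", []):
            name, _, value = entry.partition("=")
            if value.strip() == "null":
                found.append((i, name))
    return found


if __name__ == "__main__":
    dumps = parse_dumps(SAMPLE_LOG)
    for idx, name in null_headers(dumps):
        status = dumps[idx].get("status", ["?"])[0]
        print("dump %d: header %s is null (status %s)" % (idx, name, status))
```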

Thanks!!


Thursday, January 17, 2013

JBoss Application Server 7 Configurations


Standalone Server Configurations
  • standalone.xml (default)
    • Java Enterprise Edition 6 full profile certified configuration which includes the technologies required by the Full Profile specification plus others including OSGi 
  • standalone-ha.xml
    • Java Enterprise Edition 6 certified full profile configuration with high availability
  • standalone-osgi-only.xml
    • OSGi-only standalone server; no JEE6 capabilities
  • standalone-xts.xml
    • Standalone JEE6 full certified profile with support for transactional web services.
Domain Server Configurations
  • domain.xml (default)
    • Java Enterprise Edition 6 full profile certified configuration which includes the technologies required by the Full Profile specification plus others including OSGi
  • domain-osgi-only.xml
    • OSGi-only server; no JEE6 capabilities
Note that the domain and standalone modes determine how the servers are managed, not what capabilities they provide.

Starting JBoss Application Server 7

To start AS 7 using the default full profile configuration in "standalone" mode, change directory to $JBOSS_HOME/bin.
./standalone.sh
To start the default full profile configuration using domain management capabilities,
./domain.sh

Starting JBoss Application Server 7 with an Alternate Configuration

If you choose to start your server with one of the other provided configurations, pass the --server-config argument with the configuration file to be used.
To use the full profile with clustering capabilities, use the following syntax from $JBOSS_HOME/bin:
./standalone.sh --server-config=standalone-ha.xml
Similarly, to run the OSGi-only server in domain mode (note that domain.sh takes --domain-config instead):
./domain.sh --domain-config=domain-osgi-only.xml
Alternatively, you can create your own configuration by selecting the subsystems you want to add, remove, or modify.

Test Your Installation

After executing one of the above commands, you should see output similar to what's shown below.
========================================================================
JBoss Bootstrap Environment
   JBOSS_HOME: /work/jboss-as-7.0.0.Final

  JAVA: /usr/jdk1.6/bin/java

  JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MaxPermSize=256m -Djava.net.preferIPv4Stack=true
  -Dorg.jboss.resolver.warning=true -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000
  -Djboss.modules.system.pkgs=org.jboss.byteman

=========================================================================

16:32:05,050 INFO  [org.jboss.modules] JBoss Modules version 1.0.1.GA
16:32:05,379 INFO  [org.jboss.msc] JBoss MSC version 1.0.0.GA
16:32:05,421 INFO  [org.jboss.as] JBoss AS 7.0.0.Final "Lightning" starting
<snip>
16:32:07,578 INFO  [org.jboss.as] (Controller Boot Thread) JBoss AS 7.0.0.Final "Lightning" started in 2804ms - Started 91 of 146 services (55 services are passive or on-demand)
As with previous JBoss releases, you can point your browser to http://localhost:8080 or http://IP:Port (if using the default configured http port) which brings you to the Welcome Screen:
From here you can access links to the AS 7 community documentation set, stay up-to-date on the latest project information, have a discussion in the user forum and access the newly designed web-based Administration Console.  Or, if you uncover an issue while using AS 7, report an issue to inform us (attached patches will be reviewed).  This landing page is recommended for convenient access to information about AS 7 but can easily be replaced with your own if desired.


Thanks!!

Getting Started with JBoss Application Server 7




JBoss Application Server 7 is the latest release in a series of JBoss application server offerings. JBoss Application Server 7 is a fast, powerful implementation of the Java Enterprise Edition 6 specification. The state-of-the-art architecture built on the Modular Service Container enables services on demand when your application requires them. The JBoss Application Server 7.0.0.Final release is a certified implementation of the Java Enterprise Edition 6 Web Profile specification.


Installation

Simply extract your chosen download to the directory of your choice. You can install JBoss Application Server 7 on any operating system that supports the zip or tar formats. Refer to the Release Notes for additional information related to the release.

AS 7 - A Quick Tour

Now that you’ve downloaded JBoss Application Server 7, the next thing to discuss is the layout of the distribution and explore the server directory structure, key configuration files, log files, user deployments and so on. It’s worth familiarizing yourself with the layout so that you’ll be able to find your way around when it comes to deploying your own applications.

AS 7 Directory Structure

DIRECTORY -- DESCRIPTION
bin -- Start up scripts, start up configuration files and various command line utilities like Vault, add-user and Java diagnostic report, available for Unix and Windows environments
bin/client -- Contains a client jar for use by non-maven based clients.
bundles -- Location of OSGi bundles
docs/schema -- XML schema definition files
domain -- Configuration files, deployment content, and writable areas used by the domain mode processes run from this installation.
modules -- AS 7 is based on a modular classloading architecture. The various modules used in the server are stored here.
standalone -- Configuration files, deployment content, and writable areas used by the single standalone server run from this installation.
appclient -- Configuration files, deployment content, and writable areas used by the application client container run from this installation.
welcome-content -- Default Welcome Page content

Standalone Directory Structure

In "standalone" mode each JBoss Application Server 7 instance is an independent process (similar to previous JBoss AS versions; e.g.,  3, 4, 5, or 6). The configuration files, deployment content and writable areas used by the single standalone server run from a JBoss Application Server installation are found in the following subdirectories under the top level "standalone" directory:
DIRECTORY -- DESCRIPTION
configuration -- Configuration files for the standalone server that runs off of this installation. All configuration information for the running server is located here and is the single place for configuration modifications for the standalone server.
data -- Persistent information written by the server to survive a restart of the server
deployments -- End user deployment content can be placed in this directory for automatic detection and deployment of that content into the server's runtime. NOTE: The server's management API is recommended for installing deployment content. File system based deployment scanning capabilities remain for developer convenience.
lib/ext -- Location for installed library jars referenced by applications using the Extension-List mechanism
log -- Standalone server log files
tmp -- Location for temporary files written by the server
tmp/auth -- Special location used to exchange authentication tokens with local clients so they can confirm that they are local to the running AS process.

Domain Directory Structure

A key feature of AS 7 is managing multiple servers from a single control point. A collection of multiple servers is referred to as a "domain". Domains can span multiple physical (or virtual) machines, with all JBoss Application Server 7 instances on a given host under the control of a Host Controller process. The Host Controllers interact with the Domain Controller to control the lifecycle of the JBoss Application Server 7 instances running on that host and to assist the Domain Controller in managing them. The configuration files, deployment content and writable areas used by domain mode processes run from a JBoss Application Server 7 installation are found in the following subdirectories under the top level "domain" directory:
DIRECTORY -- DESCRIPTION
configuration -- Configuration files for the domain and for the Host Controller and any servers running off of this installation. All configuration information for the servers managed within the domain is located here and is the single place for configuration information.
content -- An internal working area for the Host Controller that controls this installation. This is where it internally stores deployment content. This directory is not meant to be manipulated by end users. Note that "domain" mode does not support deploying content based on scanning a file system.
lib/ext -- Location for installed library jars referenced by applications using the Extension-List mechanism
log -- Location where the Host Controller process writes its logs. The Process Controller, a small lightweight process that actually spawns the other Host Controller process and any Application Server processes, also writes a log here.
servers -- Writable area used by each Application Server instance that runs from this installation. Each Application Server instance will have its own subdirectory, created when the server is first started. In each server's subdirectory there will be the following subdirectories:
   data -- information written by the server that needs to survive a restart of the server
   log -- the server's log files
   tmp -- location for temporary files written by the server
tmp -- Location for temporary files written by the server
tmp/auth -- Special location used to exchange authentication tokens with local clients so they can confirm that they are local to the running AS process.



Thanks!!

Monitor Datasource Connection Information in JBoss AS 7.0.1 using the CLI

How do I monitor DataSource statistics in JBoss 7 using the CLI?


We can monitor DataSource statistics in JBoss 7 from the CLI console as below.
Connect to the CLI console:

$ cd $JBOSS_HOME/bin
$ ./jboss-cli.sh --controller=[mgmt_IP]:9999 -c 
[standalone@mgmt_IP:9999 /] 
[standalone@IP:9999 /] /subsystem=datasources/data-source=MySQLDS/statistics=pool:read-resource(include-runtime=true)
{
    "outcome" => "success",
    "result" => {
        "ActiveCount" => "10",
        "AvailableCount" => "99",
        "AverageBlockingTime" => "0",
        "AverageCreationTime" => "11",
        "CreatedCount" => "140",
        "DestroyedCount" => "130",
        "MaxCreationTime" => "34",
        "MaxUsedCount" => "2",
        "MaxWaitTime" => "1",
        "TimedOut" => "80",
        "TotalBlockingTime" => "1",
        "TotalCreationTime" => "1541"
    }
}

To get more detail about the DataSource configuration, use the command below. Note that the output includes the configured password in clear text, so treat it as sensitive when sharing it.

[standalone@IP:9999 /] /subsystem=datasources/data-source=MySQLDS:read-resource(include-runtime=true)                
{
    "outcome" => "success",
    "result" => {
        "allocation-retry" => undefined,
        "allocation-retry-wait-millis" => undefined,
        "allow-multiple-users" => undefined,
        "background-validation" => false,
        "background-validation-millis" => undefined,
        "blocking-timeout-wait-millis" => undefined,
        "check-valid-connection-sql" => "select 1",
        "connection-properties" => undefined,
        "connection-url" => "jdbc:mysql://IP:PORT/DB",
        "datasource-class" => undefined,
        "driver-class" => "com.mysql.jdbc.Driver",
        "driver-name" => "mysql",
        "enabled" => true,
        "exception-sorter-class-name" => undefined,
        "exception-sorter-properties" => undefined,
        "flush-strategy" => undefined,
        "idle-timeout-minutes" => undefined,
        "jndi-name" => "java:/MySQLDS",
        "jta" => true,
        "max-pool-size" => 100,
        "min-pool-size" => 10,
        "new-connection-sql" => undefined,
        "password" => "Secret",
        "pool-prefill" => true,
        "pool-use-strict-min" => undefined,
        "prepared-statements-cache-size" => undefined,
        "query-timeout" => undefined,
        "reauth-plugin-class-name" => undefined,
        "reauth-plugin-properties" => undefined,
        "security-domain" => undefined,
        "set-tx-query-timeout" => false,
        "share-prepared-statements" => false,
        "spy" => false,
        "stale-connection-checker-class-name" => undefined,
        "stale-connection-checker-properties" => undefined,
        "track-statements" => "NOWARN",
        "transaction-isolation" => undefined,
        "url-delimiter" => undefined,
        "url-selector-strategy-class-name" => undefined,
        "use-ccm" => true,
        "use-fast-fail" => false,
        "use-java-context" => true,
        "use-try-lock" => undefined,
        "user-name" => "gnia",
        "valid-connection-checker-class-name" => undefined,
        "valid-connection-checker-properties" => undefined,
        "validate-on-match" => false,
        "statistics" => {
            "jdbc" => undefined,
            "pool" => undefined
        }
    }
}
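As an added example (not from the original post), the following converts the CLI's DMR-style output into JSON, derives pool findings from the statistics and configuration above, and masks the password before the output is shared; the sample outputs are trimmed, constructed copies of the ones above, and the 80% busy threshold is an assumed value.

```python
"""Parse jboss-cli read-resource output and flag datasource pool problems
(added example; sample outputs are constructed from the post, thresholds assumed)."""
import json
import re

POOL_OUTPUT = """{
    "outcome" => "success",
    "result" => {
        "ActiveCount" => "10",
        "AvailableCount" => "99",
        "MaxUsedCount" => "2",
        "TimedOut" => "80",
        "MaxWaitTime" => "1"
    }
}"""
CONFIG_OUTPUT = """{
    "outcome" => "success",
    "result" => {
        "connection-url" => "jdbc:mysql://IP:PORT/DB",
        "max-pool-size" => 100,
        "min-pool-size" => 10,
        "password" => "Secret",
        "user-name" => "gnia",
        "blocking-timeout-wait-millis" => undefined,
        "statistics" => {"jdbc" => undefined, "pool" => undefined}
    }
}"""


def parse_dmr(text):
    """Convert the CLI's DMR notation ("=>" and undefined) to a Python object via JSON.

    Enough for read-resource output like the above; DMR expressions and typed
    literals are not handled."""
    as_json = re.sub(r"\bundefined\b", "null", text.replace("=>", ":"))
    doc = json.loads(as_json)
    if doc.get("outcome") != "success":
        raise ValueError("operation failed: %s" % doc.get("failure-description"))
    return doc["result"]


def pool_findings(pool, config, max_busy_ratio=0.8):
    """Return human-readable findings from pool statistics plus configuration."""
    findings = []
    active = int(pool.get("ActiveCount", 0))
    timed_out = int(pool.get("TimedOut", 0))
    max_size = int(config.get("max-pool-size") or 0)
    if timed_out > 0:
        findings.append("%d requests timed out waiting for a connection" % timed_out)
    if max_size and active / max_size >= max_busy_ratio:
        findings.append("pool is %d%% busy (%d of %d connections active)"
                        % (100 * active // max_size, active, max_size))
    return findings


SENSITIVE_KEYS = ("password",)


def redact(config):
    """Copy of the configuration with secrets masked, safe to paste into a ticket."""
    return {k: ("***" if k in SENSITIVE_KEYS and v is not None else v)
            for k, v in config.items()}


if __name__ == "__main__":
    pool, config = parse_dmr(POOL_OUTPUT), parse_dmr(CONFIG_OUTPUT)
    for finding in pool_findings(pool, config):
        print("FINDING:", finding)
    print(json.dumps(redact(config), indent=2))
```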

Thanks!!