Friday, November 26, 2010

Create Java SSL certificate


1. Create the SSL key for your machine using Java's keytool program. When asked to specify your first and last name, use the name of the machine running the CAS Tomcat server. For example, on my machine, I used localhost:
                 keytool -genkey -alias tomcat -keypass mycertificate -keyalg RSA
2. You now have a keystore in the current user's home directory. Now you need to add the certificate to your JRE's cacerts file. Export the certificate you just generated:
                 keytool -export -alias tomcat -keypass mycertificate -file server.crt
3. Now, add the exported certificate (server.crt) to your JRE's cacerts file again using Java's keytool program, as follows:
                keytool -import -file server.crt -keypass mycertificate -keystore ..\jre\lib\security\cacerts
4. The last step in setting up SSL is to tell Tomcat about the keystore. Edit the server.xml file again. Modify the SSL connector definition with the lines highlighted below. Note that the keystoreFile is the full path to the current user's home directory where the keystore resides:
                                <Connector port="8443" maxHttpHeaderSize="8192"
                                maxThreads="150" minSpareThreads="25"
                                maxSpareThreads="75"
                                enableLookups="false" disableUploadTimeout="true"
                                acceptCount="100" scheme="https" secure="true"
                                clientAuth="false" sslProtocol="TLS"
                                keystoreFile="/root/.keystore"
                                keystorePass="mycertificate"
                                truststoreFile="/usr/lib/jvm/java-1.5.0-sun/jre/lib/security/cacerts" />

Thursday, November 25, 2010

Alfresco and CAS Integration


1. You can set up CAS on a separate Tomcat or on the same Tomcat that runs Alfresco. For a separate Tomcat, you need to make a couple of changes to Tomcat's conf/server.xml file regarding the SSL, AJP and server ports:
                                ...
                                <Server port="8006" shutdown="SHUTDOWN">
                                ...
                                <Connector port="8081" maxHttpHeaderSize="8192"
                                maxThreads="150" minSpareThreads="25"
                                maxSpareThreads="75"
                                enableLookups="false" redirectPort="8444"
                                acceptCount="100"
                                connectionTimeout="20000" disableUploadTimeout="true" />
                                ...
                                <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
                                <Connector port="8443" maxHttpHeaderSize="8192"
                                maxThreads="150" minSpareThreads="25"
                                maxSpareThreads="75"
                                enableLookups="false" disableUploadTimeout="true"
                                acceptCount="100" scheme="https" secure="true"
                                clientAuth="false" sslProtocol="TLS"
                                ...
                                <!-- Define an AJP 1.3 Connector on port 8010 -->
                                <Connector port="8010"
                                enableLookups="false" redirectPort="8443"
                                protocol="AJP/1.3" />
                2. Start up the new Tomcat instance. It should run smoothly alongside the Alfresco Tomcat.
                3. Download the CAS server from JA-SIG at http://www.ja-sig.org/products/cas/.
                4. A CAS-protected URL redirects the browser to the CAS authentication page. For security reasons, the CAS URLs are protected with SSL. Creating the certificate and adding it to the JRE's keystore requires the steps below.
                5. Use Java's keytool program to create the SSL key for your machine. When asked to specify your first and last name, use the name of the machine running the CAS Tomcat server. For example, I used localhost:
                 keytool -genkey -alias tomcat -keypass changeit -keyalg RSA
                6. We now have a keystore in the user's home directory. Next, add the certificate to your JRE's cacerts file. Export the generated certificate:
                 keytool -export -alias tomcat -keypass changeit -file server.crt
                7. Add the exported certificate (server.crt) to the JRE's cacerts file, as follows:
                keytool -import -file server.crt -keypass changeit -keystore ..\jre\lib\security\cacerts
                8. The last step in setting up SSL is to tell Tomcat about the keystore. Edit the server.xml file again:
                                <Connector port="8443" maxHttpHeaderSize="8192"
                                maxThreads="150" minSpareThreads="25"
                                maxSpareThreads="75"
                                enableLookups="false" disableUploadTimeout="true"
                                acceptCount="100" scheme="https" secure="true"
                                clientAuth="false" sslProtocol="TLS"
                                keystoreFile="/root/.keystore"
                                keystorePass="changeit"
                                truststoreFile="/usr/lib/jvm/java-1.5.0-sun/jre/lib/security/cacerts" />
                9. Copy the CAS webapp WAR to the webapps directory of the Tomcat instance. The CAS webapp WAR is in the directory where you expanded CAS, under "modules". The file is called cas-server-webapp-3.3.3.war.
                10. Start CAS Tomcat. The CAS screen can be seen at https://[machine name]:8443/cas. Add the following entry to the Alfresco web.xml:
                                <!-- cas client filter -->
                                <filter>
                                    <filter-name>CAS Filter</filter-name>
                                    <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
                                    <init-param>
                                        <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
                                        <param-value>https://localhost:8443/cas/login</param-value>
                                    </init-param>
                                    <init-param>
                                        <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
                                        <param-value>https://localhost:8443/cas/serviceValidate</param-value>
                                    </init-param>
                                    <init-param>
                                        <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
                                        <param-value>localhost:8080</param-value>
                                    </init-param>
                                </filter>
                11. Next, add the filter mapping. This will cause Tomcat to redirect the browser to the CAS login if anyone without a valid ticket attempts to access a protected URL. For Alfresco, the URL pattern should be:
                                <filter-mapping>
                                <filter-name>CAS Filter</filter-name>
                                <url-pattern>/faces/*</url-pattern>
                                </filter-mapping>
                12. Save the web.xml file. At this point, you could restart Alfresco Tomcat and open the web client and you'd be redirected to the CAS login page. But Alfresco doesn't yet know how to extract the credentials from CAS to use to start an Alfresco session. To do that, you have to write an AuthenticationFilter. Look at the Alfresco Wiki at http://wiki.alfresco.com/wiki/Central_Authentication_Service_Configuration for the same.
                13. You need to tell Alfresco to use the new Authentication Filter in place of the out-of-the-box Authentication Filter. Do that by editing web.xml and modifying the Authentication Filter filter as follows:
                                <filter>
                                    <filter-name>Authentication Filter</filter-name>
                                    <!--
                                    <filter-class>
                                    org.alfresco.web.app.servlet.AuthenticationFilter
                                    </filter-class>
                                    -->
                                    <filter-class>com.someco.servlets.AuthenticationFilter</filter-class>
                                    <init-param>
                                        <param-name>cas.user.label</param-name>
                                        <param-value>edu.yale.its.tp.cas.client.filter.user</param-value>
                                    </init-param>
                                </filter>
                15. Start Alfresco. You should now be able to log in to Alfresco. Remember that at this point, CAS is still using its default adapter, which grants successful logins when the username and password match.

Thursday, September 02, 2010

Jsp Include Directive vs Action

Jsp Include directive
At the JSP page translation phase, the content of the file mentioned in the include directive is included as it is, in the place where the directive is used. Then the whole JSP page is translated into a Java servlet class. The included file is a static resource such as an HTML or a JSP page. Generally, the JSP include directive is used to include header banner and footer content.

In the JSP compilation process, a JSP page gets compiled only if that page has changed. If the change is only in the included file, the source JSP file will not be recompiled and therefore the modification will not be reflected in the browser output.



Jsp Include action
The jsp:include action element works like a function call. At runtime, the included file is compiled and executed, and the resulting output is included in the source page. When the included JSP page is called, both the request and response objects are passed as parameters.

If we need to pass any values to the included file, the jsp:param element can be used. If the resource is static, its content is inserted into the calling JSP file, since there is no processing needed.




Wednesday, September 01, 2010

Salman Khan's Dabangg 2010

Salman Khan's Dabangg is coming next week. And I was among all those die hard Salman fans who want to know what dabangg means. Well, Dabangg, or dabang, as it used to be spelled earlier, means someone who has a dabdaba, a control over a specific area and people there.

The word dabangg is generally used to address people who have good deal of control or influence over the other powerful people of the area. Hence, Dabangg also means Powerful.

Saturday, July 31, 2010

JBoss Performance Tuning

JBoss version EAP-4.3.0.GA_CP03
Configuration production 

Preface

This advice is primarily on how to tune and/or slim JBossAS. The two concepts are orthogonal in most cases. While reducing idle service threads through slimming won't have a large impact on performance, using less memory and resources may allow you to tune other performance aspects. Of course this does reduce startup time. Furthermore, as a general security concept -- remove services you don't use. We will separate the two categories: slimming and tuning. We start by using the production configuration and trimming from there.
Note, for those concerned: this advice will produce a technically non-J2EE-compliant instance of JBoss, as removing key J2EE services would cause JBoss to fail the TCK. Most performance tuning and administrative tasks done in real-world installations technically fall into this category.

  1. Tune the garbage collector

    • Set -Xms and -Xmx to the same value - This increases predictability by removing the most important sizing decision from the virtual machine.
    • Use server VM - The server JVM is better suited to longer running applications.
      To enable it simply set the -server option on the command line.
    • Turn off distributed gc - Set it to run every 30 minutes at least
      -Dsun.rmi.dgc.client.gcInterval=1800000
      -Dsun.rmi.dgc.server.gcInterval=1800000
    • Turn on parallel gc - If you have multiple processors you can do your garbage collection with multiple threads.
      Use the flag -XX:+UseParallelGC.
    • Don't choose a heap larger than 70% of your OS memory
    • Tune the heap ratio - The heap ratio specifies how the total heap is partitioned between the
      young and the tenured space. For example, setting -XX:NewRatio=3 means that the ratio between the
      young and tenured generation is 1:3
    • -XX:+DisableExplicitGC turns off explicit garbage collection from Java code.
  2. Don't use huge heaps, use a cluster - More JVMs/smaller heaps can outperform fewer JVMs/larger heaps. So instead of huge heaps, use additional server nodes.
    Set up a JBoss cluster and balance work between nodes.

  3. Disable development mode in JBoss Tomcat. Look for the code below in server/production/deploy/jboss-web.deployer/conf/web.xml


    • development - To disable on-access checks for JSP page compilation, set this to false.
    • modificationTestInterval - If development has to be set to true for any reason (such as dynamic generation of JSPs), setting this to a high value will improve performance a lot.
    • checkInterval - If development is false and checkInterval is greater than zero, background compilations are enabled. checkInterval is the time in seconds between checks to see if a JSP page needs to be recompiled. Default is 0.
    <servlet>
      <servlet-name>jsp</servlet-name>
      <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>

    Add the following parameters as required

    <init-param>
       <param-name>development</param-name>
       <param-value>false</param-value>
    </init-param>  

  4. Generic Database Connection Pool configuration - Edit server/production/deploy/oracle-ds.xml
    <datasources>
       ....
    
    <!--pooling parameters-->
    <min-pool-size>5</min-pool-size>
    <max-pool-size>100</max-pool-size>
    <blocking-timeout-millis>5000</blocking-timeout-millis> 
    <idle-timeout-minutes>15</idle-timeout-minutes>
    <prepared-statement-cache-size>100</prepared-statement-cache-size>




    • <prepared-statement-cache-size>: this is the number of prepared statements per connection to be kept open and reused in subsequent requests.
    • Disable the connection debugging
    • Increase the max size of the pools to an appropriate level

  5. Deployment Scanner - The deployment scanner scanning every 5 seconds eats up cycles, especially on systems with a slow filesystem. Edit server/production/conf/jboss-service.xml and change the scan period to a larger duration.
    <!-- An mbean for hot deployment/undeployment of archives. --> 
    <mbean code="org.jboss.deployment.scanner.URLDeploymentScanner" 
    name="jboss.deployment:type=DeploymentScanner,flavor=URL">
    ...
    
    
    <attribute name="ScanPeriod">5000</attribute>
    ...
    </mbean> 
  6. Lots of EJB requests? Switch to the PoolInvoker. Open server/production/conf/standardjboss.xml and find the following fragment:

    <invoker-mbean>jboss:service=invoker,type=jrmp</invoker-mbean>

    In JBoss you should find 4 occurrences of it: stateless-rmi-invoker, clustered-stateless-rmi-invoker, stateful-rmi-invoker, entity-rmi-invoker. Now replace this fragment for the desired EJB types:

    <invoker-mbean>jboss:service=invoker,type=pooled</invoker-mbean>

  7. If you are using the Pooled Invoker then you may need to change the MaxPoolSize attribute in the pool configuration. Edit server/production/conf/jboss-service.xml

    <mbean code="org.jboss.invocation.pooled.server.PooledInvoker" 
    name="jboss:service=invoker,type=pooled"> 
    <attribute name="NumAcceptThreads">1</attribute>
    <attribute name="MaxPoolSize">300</attribute>
    <attribute name="ClientMaxPoolSize">300</attribute>
    <attribute name="SocketTimeout">60000</attribute>
    <attribute name="ServerBindAddress">${jboss.bind.address}</attribute>
    <attribute name="ServerBindPort">4445</attribute>
    <attribute name="ClientConnectAddress">${jboss.bind.address}</attribute>
    <attribute name="ClientConnectPort">0</attribute>
    <attribute name="EnableTcpNoDelay">false</attribute>
    <depends optional-attribute-name="TransactionManagerService">
    jboss:service=TransactionManager</depends>
    </mbean> 

  8. JBoss Logging

    * Enable file logging in the production environment.
    * Disable logging to the console, and set the priority to error.
  9. Tune the Operating System - Each operating system sets default tuning parameters differently. For Windows platforms, the default settings are usually sufficient. However, the UNIX and Linux operating systems usually need to be tuned appropriately.

    * Increase default socket send/receive buffer.
    * Optimize MTU.
    * Use Big Memory Pages.

Thursday, July 15, 2010

Debugging through Ant

To add debug options to java command line:
 

-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=9009



If the java process runs and terminates by itself, change to suspend=y, so you have a chance to attach the remote debugger.

To add the same debug options to ant build.xml java task:
<target name="run">
 <java fork="on"
       failonerror="true"
       classpath="xxx"
       classname="xxx">
     <jvmarg line="-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=9009" />
     <arg line="--arg1 arg2 --arg3 arg4"/>
  </java>
</target>

<arg> and <jvmarg> take either a line or a value attribute, but a value attribute is treated as one single argument that may contain spaces. So in our case the line attribute is used to specify multiple arguments separated by spaces. If the value attribute were used instead of the line attribute, the debug options would not take effect.

Friday, July 09, 2010

Little Observation about tinyurl

The tinyurl service takes a long URL string (which can be a site address or a document available online) and returns a permanent shortcut pointing to the original source URL. For example

http://google.com generates  http://tinyurl.com/2tx
or

http://mail.yahoo.com generates  http://tinyurl.com/6dg
or 
http://tinyurl.com/5zv5vm
or 
http://gilby.com generated http://tinyurl.com/1 

 
Now the question is, how does the service create a new shortcut for the uncountable number of URLs available? What algorithm is working behind it? Is it a compressed form of the URL? Or is it stored in a database?


A little logical observation can reveal the little "secrets" working behind.

Currently the first "obvious fact" is that the shortcut always has a fixed length. In fact, the effective length looks as if it is exactly six (the last 6 characters), but it started from a single digit and is now generating all URLs with six digits; once the threshold for that is reached, it will move to 7 digits.

The second "obvious fact" is that the shortcut consists of only lower-case letters and the digits 0-9.

The above observations quickly lead to the conclusion that the number of all possible configurations of the second part of the shortcut string is bounded above by 36^6 = (26 letters + 10 digits)^6. This number equals 2176782336 and is close to the range of the int primitive data type in Java.
Thus all one has to do is write a class that creates an incremental unique alphanumeric number, store the original URL reference in a database, and return it whenever that particular tinyurl is invoked.

Easy logic. Go implement it.
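The scheme described above, written out as an added example (not code from tinyurl or from this blog): an incrementing counter encoded in base 36 and a lookup table from counter to URL. The alphabet order, the in-memory dictionaries standing in for the database, and the class and function names are assumptions.

```python
# Added illustration: counter-based short codes over digits + lower-case letters.
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz"  # assumed ordering, 36 symbols
BASE = len(ALPHABET)
JAVA_INT_MAX = 2**31 - 1  # largest value of Java's signed 32-bit int


def encode(n):
    """Turn a non-negative counter value into its base-36 short code."""
    if n < 0:
        raise ValueError("counter must be non-negative")
    if n == 0:
        return ALPHABET[0]
    digits = []
    while n:
        n, rem = divmod(n, BASE)
        digits.append(ALPHABET[rem])
    return "".join(reversed(digits))


def decode(code):
    """Inverse of encode(); raises ValueError on characters outside the alphabet."""
    n = 0
    for ch in code:
        n = n * BASE + ALPHABET.index(ch)
    return n


class Shortener:
    """In-memory stand-in for the database table the post mentions."""

    def __init__(self, start=1):
        self.next_id = start
        self.url_by_id = {}
        self.id_by_url = {}

    def shorten(self, url):
        # The same long URL always gets the same code back.
        if url not in self.id_by_url:
            self.id_by_url[url] = self.next_id
            self.url_by_id[self.next_id] = url
            self.next_id += 1
        return encode(self.id_by_url[url])

    def resolve(self, code):
        try:
            return self.url_by_id.get(decode(code))
        except ValueError:
            return None  # code contains characters outside the alphabet


if __name__ == "__main__":
    s = Shortener()
    print(s.shorten("http://gilby.com"))          # first code issued
    print(encode(BASE**6 - 1), encode(BASE**6))   # last 6-char code, first 7-char code
    # 36^6 is slightly larger than a Java int can hold, so the counter needs a long.
    print(BASE**6 - 1 > JAVA_INT_MAX, encode(JAVA_INT_MAX))
```

Because codes are issued in counter order they are predictable, so a short link should never be the only thing protecting a private URL.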

Thursday, July 08, 2010

Enabling plain text copy in fckeditor

Recently I came across a very weird scenario where I was required to use fckeditor instead of a normal HTML text area to allow the user to format the text typed by him.
This led to another problem: the user can copy from anywhere and paste into the editor area, which allows special formatting, external images, styles and other HTML, and this affected the content rendering functionality.
So to control the user input we need to allow only plain text input, in spite of whatever the user has copied to the clipboard from another source using Ctrl+C keystrokes.

I was moving from pillar to post to get this plain text functionality working, looking for plugins and any proper solution in forums.

Finally, by making minor changes to the configuration file of fckeditor (thanks to the fckeditor developers for allowing easy configuration), I am able to get what I want.
Open the original configuration file that comes with the editor and look for this code:

FCKConfig.ForcePasteAsPlainText    = false;
FCKConfig.Keystrokes = [
    [ CTRL + 65 /*A*/, true ],
    [ CTRL + 67 /*C*/, true ],
    [ CTRL + 70 /*F*/, true ],
    [ CTRL + 83 /*S*/, true ],
    [ CTRL + 84 /*T*/, true ],
    [ CTRL + 88 /*X*/, true ],
    [ CTRL + 86 /*V*/, 'Paste' ],
    [ CTRL + 45 /*INS*/, true ],
    [ SHIFT + 45 /*INS*/, 'Paste' ],
    [ CTRL + 88 /*X*/, 'Cut' ],
    [ SHIFT + 46 /*DEL*/, 'Cut' ],
    [ CTRL + 90 /*Z*/, 'Undo' ],
    [ CTRL + 89 /*Y*/, 'Redo' ],
    [ CTRL + SHIFT + 90 /*Z*/, 'Redo' ],
    [ CTRL + 76 /*L*/, 'Link' ],
    [ CTRL + 66 /*B*/, 'Bold' ],
    [ CTRL + 73 /*I*/, 'Italic' ],
    [ CTRL + 85 /*U*/, 'Underline' ],
    [ CTRL + SHIFT + 83 /*S*/, 'Save' ],
    [ CTRL + ALT + 13 /*ENTER*/, 'FitWindow' ],
    [ SHIFT + 32 /*SPACE*/, 'Nbsp' ]
] ;

Now open your custom configuration file (or create one, see http://docs.cksource.com/FCKeditor_2.x/Developers_Guide/Configuration_File) and set:

FCKConfig.ForcePasteAsPlainText    = true ;
FCKConfig.Keystrokes = [
    [ CTRL + 65 /*A*/, true ],
    [ CTRL + 67 /*C*/, true ],
    [ CTRL + 70 /*F*/, true ],
    [ CTRL + 83 /*S*/, true ],
    [ CTRL + 84 /*T*/, true ],
    [ CTRL + 88 /*X*/, true ],
    [ CTRL + 86 /*V*/, 'PasteText' ],
    [ CTRL + 45 /*INS*/, true ],
    [ SHIFT + 45 /*INS*/, 'PasteText' ],
    [ CTRL + 88 /*X*/, 'Cut' ],
    [ SHIFT + 46 /*DEL*/, 'Cut' ],
    [ CTRL + 90 /*Z*/, 'Undo' ],
    [ CTRL + 89 /*Y*/, 'Redo' ],
    [ CTRL + SHIFT + 90 /*Z*/, 'Redo' ],
    [ CTRL + 76 /*L*/, 'Link' ],
    [ CTRL + 66 /*B*/, 'Bold' ],
    [ CTRL + 73 /*I*/, 'Italic' ],
    [ CTRL + 85 /*U*/, 'Underline' ],
    [ CTRL + SHIFT + 83 /*S*/, 'Save' ],
    [ CTRL + ALT + 13 /*ENTER*/, 'FitWindow' ],
    [ SHIFT + 32 /*SPACE*/, 'Nbsp' ]
] ;

Monday, June 28, 2010

JQuery hide/show menu item persistence

I was working on search filters. The needed functionality is to toggle the set of checkbox elements and persist the user selected options. I want to do all this at browser end...

Here is how I did it...

Below is the HTML code:
<div>
   <a href="javascript:void(0);" id="xyz">Click here</a>
</div>

<div id="abc">
  <div>one</div>
  <div>two</div>
  <div>three</div>
</div>

The needed functionality is that when the user hides/shows the div with id="abc", the choice should persist until the user closes the browser.
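jQuery(function(){

    // On page load: initialise the cookie once, then apply the stored state.
    // Toggling unconditionally here would flip the state on every page load.
    if (jQuery.cookie("abc") == null) {
        <portlet:namespace/>toggleCookie("abc");
    }
    <portlet:namespace/>hideShow("abc");

    jQuery("#xyz").click(function(){
        <portlet:namespace/>toggleCookie("abc");
        <portlet:namespace/>hideShow("abc");
    });
});

// Show or hide the element according to the value stored in its cookie.
function <portlet:namespace/>hideShow(objId){
    if (jQuery.cookie(objId) == null || jQuery.cookie(objId) == "hide") {
        jQuery("#"+objId).hide();
    }
    else {
        jQuery("#"+objId).show();
    }
}

// Flip the stored state. Without an expiry this is a session cookie,
// so it lasts until the browser is closed.
function <portlet:namespace/>toggleCookie(objId){
    if(jQuery.cookie(objId) == null){
        jQuery.cookie(objId, "hide");
    }
    else if(jQuery.cookie(objId) == "hide"){
        jQuery.cookie(objId, "show");
    }
    else if(jQuery.cookie(objId) == "show"){
        jQuery.cookie(objId, "hide");
    }
}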






Saturday, March 20, 2010

Securing JBoss Web Console

The security setup is based on two pieces, the standard WEB-INF/web.xml servlet URI to role specification, and the WEB-INF/jboss-web.xml specification of the JAAS configuration which defines how authentication and role mapping is performed. To secure the Web Console using a username/password file:
  1. Locate the web-console.war directory in JBoss. This will normally be in <JBOSS Install dir>/server/default/deploy/management/console-mgr.sar directory.  
  2. Edit <JBOSS Install dir>/server/default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml and uncomment the following security-constraint block:


    <!-- A security constraint that restricts access to the HTML JMX console
               to users with the role JBossAdmin. Edit the roles to what you want and
               uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
               secured access to the HTML JMX console. 
           -->
       <security-constraint>
         <web-resource-collection>
           <web-resource-name>HtmlAdaptor</web-resource-name>
           <description>An example security config that only allows users with the
             role JBossAdmin to access the HTML JMX console web application
           </description>
           <url-pattern>/*</url-pattern>
           <http-method>GET</http-method>
           <http-method>POST</http-method>
         </web-resource-collection>
         <auth-constraint>
           <role-name>JBossAdmin</role-name>
         </auth-constraint>
       </security-constraint>
       <login-config>
          <auth-method>BASIC</auth-method>
          <realm-name>JBoss JMX Console</realm-name>
       </login-config>
       <security-role>
          <role-name>JBossAdmin</role-name>
       </security-role>
  3. Edit the <JBOSS Install dir>/server/default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/web-console-roles.properties and web-console-users.properties, move those files to the <JBOSS Install dir>/server/default/conf/props directory, and change the users and passwords to what you desire. The only change above should be to web-console-users.properties, i.e., set a password.
  4. Edit <JBOSS Install dir>/server/default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/jboss-web.xml and uncomment the following security-domain block:

    <jboss-web>
    <!-- Uncomment the security-domain to enable security. You will
               need to edit the htmladaptor login configuration to setup the
               login modules used to authentication users.
             -->
             <security-domain>java:/jaas/jmx-console</security-domain>
         </jboss-web>
  5. The security-domain value of the web-console maps to an entry declared in the login-config.xml JAAS configuration file, which defines how authentication and authorization are done. Edit <JBOSS Install dir>/server/default/conf/login-config.xml and change the path to web-console-users.properties and web-console-roles.properties as follows (add props/ to the front of the path):
    <module-option name="usersProperties">props/web-console-users.properties</module-option>
    <module-option name="rolesProperties">props/web-console-roles.properties</module-option>

    Securing JBoss jmx-console

    Both the jmx-console and web-console are standard servlet 2.3 deployments and can be secured using J2EE role based security. Both also have a skeleton setup to allow one to easily enable security using username/password/role mappings found in the jmx-console.war and web-console.war deployments in the corresponding WEB-INF/classes users.properties and roles.properties files.

    The security setup is based on two pieces, the standard WEB-INF/web.xml servlet URI to role specification, and the WEB-INF/jboss-web.xml specification of the JAAS configuration which defines how authentication and role mapping is performed. To secure the JMX Console using a username/password file:
    1. Locate the jmx-console.war directory. This will normally be in /server/default/deploy directory.
    2. Edit /server/default/deploy/jmx-console.war/WEB-INF/web.xml and uncomment the following security-constraint block:


      <!-- A security constraint that restricts access to the HTML JMX console
      to users with the role JBossAdmin. Edit the roles to what you want and
      uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
      secured access to the HTML JMX console.
      -->
      <security-constraint>
           <web-resource-collection>
             <web-resource-name>HtmlAdaptor</web-resource-name>
             <description>An example security config that only allows users with the
               role JBossAdmin to access the HTML JMX console web application
             </description>
             <url-pattern>/*</url-pattern>
             <http-method>GET</http-method>
             <http-method>POST</http-method>
          </web-resource-collection>
          <auth-constraint>
             <role-name>JBossAdmin</role-name>
          </auth-constraint>
        </security-constraint>
          <login-config>
             <auth-method>BASIC</auth-method>
             <realm-name>JBoss JMX Console</realm-name>
          </login-config>
        <security-role>
          <role-name>JBossAdmin</role-name>
        </security-role> 
      
      
    3. Edit /server/default/conf/props/jmx-console-users.properties (version >= 4.0.2) and /server/default/conf/props/jmx-console-roles.properties (version >= 4.0.2) and change the users and passwords to what you desire. They will need the JBossAdmin role specified in the web.xml file to run the JMX Console. The only change above should be to jmx-console-users.properties, i.e., set a password.
    4. Edit /server/default/jmx-console.war/WEB-INF/jboss-web.xml and uncomment the following security-domain block:
      <jboss-web>
               <!-- Uncomment the security-domain to enable security. You will
                 need to edit the htmladaptor login configuration to setup the
                 login modules used to authentication users.
               -->
               <security-domain>java:/jaas/jmx-console</security-domain>
            </jboss-web>




    The security-domain value of the jmx-console maps to an entry declared in the login-config.xml JAAS configuration file, which defines how authentication and authorization are done.
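A small audit of the files edited in the web-console and jmx-console steps above, as an added example that is not part of the original post or of JBoss: it reports a security-constraint or security-domain that is still commented out, a constraint that lists http-method elements, a missing CONFIDENTIAL transport guarantee for the BASIC login, and an empty or username-equals-password entry in the users file. The sample files, the users.properties lines and the finding names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples. ElementTree drops XML comments, so a block that is still
# commented out is invisible here, just as it is to the servlet container.
WEB_XML_DEFAULT = """<web-app>
  <!--
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
  -->
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

WEB_XML_AS_ON_PAGE = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

WEB_XML_TIGHTENED = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

JBOSS_WEB_DEFAULT = ("<jboss-web><!-- <security-domain>java:/jaas/jmx-console"
                     "</security-domain> --></jboss-web>")
JBOSS_WEB_ENABLED = ("<jboss-web><security-domain>java:/jaas/jmx-console"
                     "</security-domain></jboss-web>")


def _local(tag):
    """Drop an XML namespace prefix such as '{http://...}web-app'."""
    return tag.rsplit("}", 1)[-1]


def _texts(elem, name):
    """Text of every descendant element called `name`."""
    return [(e.text or "").strip() for e in elem.iter() if _local(e.tag) == name]


def audit_console(web_xml, jboss_web_xml, users_properties=""):
    """Return a list of finding codes for one console deployment."""
    findings = []
    web = ET.fromstring(web_xml)
    constraints = [e for e in web.iter() if _local(e.tag) == "security-constraint"]
    if not constraints:
        findings.append("NO_CONSTRAINT")  # block still commented out
    for sc in constraints:
        # Servlet spec: a constraint that lists <http-method> elements applies
        # only to those methods; any other method is not covered by it.
        methods = _texts(sc, "http-method")
        if methods:
            findings.append("METHODS_LISTED:" + ",".join(sorted(methods)))
        if not [e for e in sc if _local(e.tag) == "auth-constraint"]:
            findings.append("NO_AUTH_CONSTRAINT")
        # BASIC sends the password base64-encoded, so require TLS for the URL.
        if "CONFIDENTIAL" not in _texts(sc, "transport-guarantee"):
            findings.append("NO_TLS_GUARANTEE")
    if not _texts(ET.fromstring(jboss_web_xml), "security-domain"):
        findings.append("NO_SECURITY_DOMAIN")
    for line in users_properties.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            user, password = (p.strip() for p in line.split("=", 1))
            if password in ("", user):
                findings.append("WEAK_PASSWORD:" + user)
    return findings


if __name__ == "__main__":
    print(audit_console(WEB_XML_DEFAULT, JBOSS_WEB_DEFAULT, "admin=admin"))
    print(audit_console(WEB_XML_AS_ON_PAGE, JBOSS_WEB_ENABLED, "admin=constructed-long-passphrase"))
    print(audit_console(WEB_XML_TIGHTENED, JBOSS_WEB_ENABLED, "admin=constructed-long-passphrase"))
```

Removing the two http-method lines makes the constraint apply to every HTTP method, and the user-data-constraint makes the container require HTTPS for the console URLs.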