Proximetry AirSync Security Patch


Proximetry AirSync Security Patch
JBoss Incomplete Security Constraints
Version 1.0
TR2080
November 11, 2011

Copyright 2009-2011 Proximetry, Inc. ALL RIGHTS RESERVED

Notice: No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, or stored in a database or retrieval system for any purpose without the express written permission of Proximetry, Inc.

Proximetry, Inc. reserves the right to make changes to this document at any time without notice and assumes no responsibility for its use. Proximetry, Inc. products and services can only be ordered under the terms and conditions of Proximetry Inc.’s applicable agreements. This document contains the most current information available at the time of publication.

Proximetry is a trademark of Proximetry, Inc., in the USA and other countries. Microsoft and Windows are registered trademarks of Microsoft Corporation. MySQL is a registered trademark of MySQL AB. JBoss is a trademark of Mark Fleury. Java is a trademark of Sun Microsystems, Inc. Intel and Pentium are registered trademarks of Intel Corporation. AMD is a trademark of Advanced Micro Devices, Inc.

All other brand or product names are or may be trademarks or service marks of and are used to identify products or services of their respective owners.

Table of Contents

Preface ................................... 4
    Intended Audience ..................... 4
    Product Version ....................... 4
    Document Revision Level ............... 4
    Document Conventions .................. 4
JBoss Security Constraints Update ......... 6

Preface

The JBoss Application Server is a component of the AirSync system. The security settings of JBoss have significant influence on the overall security of an AirSync managed network. Recently it has come to light that the default security configuration for the version of JBoss that is delivered with AirSync is incomplete. This document provides information on how to update the JBoss security constraints. A full description of the problem can be found on Red Hat’s web site, under the following link:

Intended Audience

This document is intended for system administrators and/or network information technology staff who are responsible for the AirSync system’s installation and maintenance.

Product Version

The document corresponds to all AirSync versions from release 3.2 to 3.6.

Document Revision Level

Date             Revision       Description
November 2011    Version 1.0    Initial version

Document Conventions

This guide uses the following typographic conventions:

Convention               Description
Bold                     Text on a window, other than the window title, including menus, menu options, buttons, and labels.
Italic                   Variable.
screen/code              Text displayed or entered on screen or at the command prompt.
boldface screen font     Information you must enter is in boldface screen font.
italic screen            Variables appear in italic screen font between angle brackets.
[]                       Default responses to system prompts are in square brackets.

This guide uses icons to draw your attention to certain information. Warnings are the most critical.

Icon        Description
Note        Notes call attention to important and/or additional information.
Tip         Tips provide helpful information, guidelines, or suggestions for performing tasks more effectively.
Caution     Cautions notify the user of adverse conditions and/or consequences (e.g., disruptive operations).
WARNING     Warnings notify the user of severe conditions and/or consequences (e.g., destructive operations).

JBoss Security Constraints Update

WARNING: Updating the JBoss Application Server security constraints is highly recommended.

Caution: The instructions provided in this document assume that the AirSync server is installed using the default installation options, in the /home/airsync directory. Otherwise, all instructions have to be adjusted to the existing installation.

The JBoss security constraints configuration is located in the following file:

To update JBoss, complete the following steps:

1. Stop the AirSync services:

       /etc/init.d/airsync stop

2. Open the web.xml configuration file using a text editor.

3. Find the following fragment:

       <security-constraint>
         <web-resource-collection>
           <web-resource-name>HtmlAdaptor</web-resource-name>
           <description>An example security config that only allows users with the
             role JBossAdmin to access the HTML JMX console web application</description>
           <url-pattern>/*</url-pattern>
           <http-method>GET</http-method>
           <http-method>POST</http-method>
         </web-resource-collection>
         <auth-constraint>
           <role-name>JBossAdmin</role-name>
         </auth-constraint>
       </security-constraint>

4. Remove the following lines:

       <http-method>GET</http-method>
       <http-method>POST</http-method>

5. Save the updated web.xml configuration file.

6. Restart the AirSync services:

       /etc/init.d/airsync start
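As an added example (not part of the Proximetry document), the following Python script performs the check behind steps 3 and 4 on a web.xml file and applies the same fix: a security-constraint whose web-resource-collection lists http-method elements protects only those verbs, so every other HTTP method reaches the constrained URL pattern without authentication, which is why the document has you delete those lines. SAMPLE_WEB_XML is constructed from the fragment in step 3; the function names are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the fragment quoted in the document, wrapped in a minimal <web-app> root.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

def _local(tag):
    """Drop a namespace prefix ('{uri}name' -> 'name'); some web.xml files declare the Servlet schema."""
    return tag.rsplit("}", 1)[-1]

def audit_and_fix(xml_text, fix=True):
    """Find constraints that enumerate <http-method> elements: only those verbs are protected,
    so any other method reaches the url-pattern without authentication. With fix=True, apply
    the document's remedy (delete the <http-method> elements) so the constraint covers all verbs.
    Returns ([(web-resource-name, [methods]), ...], resulting web.xml text)."""
    root = ET.fromstring(xml_text)
    findings = []
    for wrc in list(root.iter()):  # snapshot: the loop body may mutate the tree
        if _local(wrc.tag) != "web-resource-collection":
            continue
        methods = [c for c in wrc if _local(c.tag) == "http-method" and c.text]
        if not methods:
            continue
        names = [c.text.strip() for c in wrc if _local(c.tag) == "web-resource-name" and c.text]
        findings.append((names[0] if names else "?", [m.text.strip() for m in methods]))
        if fix:
            for m in methods:
                wrc.remove(m)
    return findings, ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    findings, fixed = audit_and_fix(SAMPLE_WEB_XML)
    for name, methods in findings:
        print(f"{name}: only {methods} constrained; other HTTP methods are unauthenticated")
    print(fixed)
```

Run it with fix=False against a deployed web.xml to audit without changing anything; a second pass over the fixed output reports no findings, which is the state the document's procedure leaves the file in.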

Proximetry, Inc.
Corporate Headquarters
909 West Laurel Street, Suite 200
San Diego, CA 92101
U.S.A.
Phone: 1 619 704 0020
http://www.proximetry.com
