Securing JBOSS JMX and Web


Install JBoss Application server 4.2 or EAP 4.2

Download from here. Install in the usual way. For the zip distribution simply unzip in a directory of your choice.
If you are installing JBoss Application Server you’ll end up having a directory called jboss-4.2.X.GA where X is the minor version of the server you’ve downloaded. Current latest version is 4.2.1.
If you are installing JBoss EAP 4.2 then you’ll probably have a directory called jboss-eap-4.2.
I will refer to “jboss-eap-4.2/jboss-as” or jboss-4.2.X.GA as $JBOSS_HOME, depending on what you’ve installed.


Just export HUDSON_HOME=<some dir> (UNIX) or set HUDSON_HOME=<some dir> (Windows) before starting JBoss Server.

Deploy hudson.war

Copy hudson war to “$JBOSS_HOME/server/<your server>/deploy”. <your server> will most probably be “default” but could be “production” if you have installed JBoss EAP and have more than 2G RAM.

Start JBoss Server

bin/ -b -c  <your server>
Important! If you need security, e.g. you will enable Hudson security and have network connections to untrusted networks, make sure to secure your JMX and web consoles before starting the server that way! JBoss EAP is secured by default, but for the community release you should follow the “getting started” instructions. Until you do, start the server with “-b” to be locally accessible only.

Access Hudson GUI

Open in a browser http://<machine name>:8080/hudson

Additional Configuration

JBoss startup

I would recommend setting at least two options when starting JBoss as a container for Hudson: “-Djava.awt.headless=true” and “-Xmx<some reasonable value>”.
The first one is even required for Hudson if there is no X server available on a UNIX installation, but it will save you from trouble anyway. More information about headless mode here.
The maximum memory available to the server should be set according to the jobs that will be executed as well as the Hudson plug-ins in use. We’ve hit out-of-memory issues with the JUnit report plug-in, as it needs a lot of memory to prepare big reports. Keep in mind that you will need enough memory to handle communications with slaves. When you get an OOM, be sure to understand where it comes from: master or slave. To handle the large number of JUnit tests per job we had to boost memory on both master and slaves.

To pass these options you can set the environment variable JAVA_OPTS:

Linux: export JAVA_OPTS="$JAVA_OPTS -Djava.awt.headless=true -Xmx<some reasonable value>"

Windows: set JAVA_OPTS=%JAVA_OPTS% -Djava.awt.headless=true -Xmx<some reasonable value>

As well you can modify to avoid having that environment variable set for the child processes (jobs are one of them) you run. I use the following ugly bash script to avoid modifying that:


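# Re-run from the script's own directory so relative paths resolve.
if [[ `dirname "$0"` != "." ]]; then
   cd `dirname "$0"` || exit 2
   exec $SHELL -- `basename "$0"` "$@"
fi

# Start the server in a background subshell, logging to ~/hudson.log.
(
JAVA_OPTS="$JAVA_OPTS -Djava.awt.headless=true $MAX_JAVA_MEM"
cd "$JBOSS_HOME/bin" || exit 2
. -c default -b -u $MCAST_ADDR -g Hudson
) &> ~/hudson.log < /dev/null &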

Make sure to have JBOSS_HOME and MAX_JAVA_MEM set.

Securing Hudson

Configure login when delegating auth to container


I’ll describe one easy way to do it. It’s most suitable for local installations or where the JBoss server is dedicated to Hudson. You could of course implement whatever authentication mechanism you need. Refer to the JBoss manual pages for more information. User forums and mailing lists are the best place to get help.
First you’ll need to deploy hudson unarchived:

  • cd $JBOSS_HOME/server/<your server>/deploy/
  • mkdir hudson.war
  • unzip <path>/hudson.war
  • cd hudson.war/WEB-INF
  • create file jboss-web.xml containing:


Configure JBoss AS to do auth and secure

  • Most steps are already done when using the JBoss Enterprise Application Platform
  • cd  $JBOSS_HOME/server/<your server>/conf/props
  • add “hudson=admin” to
  • add “hudson=passwd” to
  • restart server
  • enable security
  • login as user “hudson” with password “passwd”

Secure jmx and web console:

  • edit $JBOSS_HOME/server/<your server>/conf/login-config.xml
    • uncomment “<application-policy name = “jmx-console”>” lines
    • uncomment “<application-policy name = “web-console”>” lines
  • edit $JBOSS_HOME/server/<your server>/deploy/jmx-console.war/WEB-INF/jboss-web.xml
    • uncomment <security-domain>
  • edit $JBOSS_HOME/server/<your server>/deploy/jmx-console.war/WEB-INF/web.xml
    • uncomment lines after “A security constraint that restricts access…”
  • edit $JBOSS_HOME/server/<your server>/deploy/management/console-mgr.sar/web-console.war/WEB-INF/jboss-web.xml
    • uncomment <security-domain>
  • edit $JBOSS_HOME/server/<your server>/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml
    • uncomment lines after “A security constraint that restricts access…”

Secure jmx-invoker:

  • edit  $JBOSS_HOME/server/<your server>/deploy/jmx-invoker-service.xml
    • uncomment after “Uncomment to require authenticated users”

Secure HTTP-invoker:

  • edit  $JBOSS_HOME/server/<your server>/deploy/http-invoker.sar/invoker.war/WEB-INF/web.xml
    • find <web-resource-name>HttpInvokers</web-resource-name>
    • add additional <url-pattern> elements
      • <url-pattern>/JNDIFactory/*</url-pattern>
      • <url-pattern>/EJBInvokerServlet/*</url-pattern>
      • <url-pattern>/JMXInvokerServlet/*</url-pattern>
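
An added example, not part of the original post: a small Python check for the web.xml and jboss-web.xml files edited in the steps above, reporting whether the security constraint and security domain are really uncommented and whether the invoker URL patterns are covered. The function names and the sample XML are constructed for illustration; the http-method check follows the servlet specification and is not something the post itself discusses.

```python
import xml.etree.ElementTree as ET

# url-patterns the steps above add to the HttpInvokers constraint
INVOKER_PATTERNS = {"/JNDIFactory/*", "/EJBInvokerServlet/*", "/JMXInvokerServlet/*"}

def _find(node, name):
    # ElementTree drops XML comments while parsing, so an element that is
    # still commented out is simply absent here. Namespaces are stripped.
    return [e for e in node.iter() if e.tag.rsplit("}", 1)[-1] == name]

def audit_web_xml(xml_text, required_patterns=()):
    """Findings for a WEB-INF/web.xml; an empty list means nothing was flagged."""
    constraints = _find(ET.fromstring(xml_text), "security-constraint")
    if not constraints:
        return ["no active <security-constraint>"]
    findings, covered = [], set()
    for c in constraints:
        methods = [m.text.strip() for m in _find(c, "http-method") if m.text]
        if methods:  # servlet spec: the constraint then applies to these methods only
            findings.append("constraint covers only " + "/".join(methods))
        covered.update(p.text.strip() for p in _find(c, "url-pattern") if p.text)
    missing = sorted(set(required_patterns) - covered)
    if missing:
        findings.append("unprotected: " + ", ".join(missing))
    return findings

def audit_jboss_web_xml(xml_text):
    """Findings for WEB-INF/jboss-web.xml, which names the security domain."""
    domains = _find(ET.fromstring(xml_text), "security-domain")
    ok = any(d.text and d.text.strip() for d in domains)
    return [] if ok else ["no active <security-domain>"]

# Constructed samples (not copied from a JBoss distribution).
CONSOLE_UNEDITED = """<web-app>
  <!-- A security constraint that restricts access...
  <security-constraint><url-pattern>/*</url-pattern></security-constraint> -->
</web-app>"""
INVOKER_PARTIAL = """<web-app><security-constraint><web-resource-collection>
  <web-resource-name>HttpInvokers</web-resource-name>
  <url-pattern>/restricted/*</url-pattern>
  <url-pattern>/JNDIFactory/*</url-pattern>
  <http-method>GET</http-method><http-method>POST</http-method>
</web-resource-collection></security-constraint></web-app>"""
JBOSS_WEB = "<jboss-web><security-domain>java:/jaas/jmx-console</security-domain></jboss-web>"

if __name__ == "__main__":
    print("console:", audit_web_xml(CONSOLE_UNEDITED))
    print("invoker:", audit_web_xml(INVOKER_PARTIAL, INVOKER_PATTERNS))
    print("jboss-web:", audit_jboss_web_xml(JBOSS_WEB) or "ok")
```

To check a real installation, pass each function the contents of the corresponding file listed above, read in binary mode. Removing the <http-method> elements from a constraint makes it apply to every HTTP method.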

You have now done the same thing twice, so you might be able to set up a different security domain for your Hudson installation instead of the “jmx-console” one I suggest above (see creating jboss-web.xml). See links below for more.

Configure login redirect to SSL

First you need to configure an SSL connector. Please refer to which is a thorough resource if you cannot get it going with the commented-out example configuration.
Then you need to have the following in hudson’s web.xml:


Hudson (JBoss) HTTP listening port

Edit $JBOSS_HOME/server/<your server>/deploy/jboss-web.deployer/server.xml and change “<Connector port="8080"” to “<Connector port="<some port>"”.

Context root and Virtual host

If you want to have Hudson on “/” instead of “/hudson”, you can do so by modifying jboss-web.xml.

<context-root>/</context-root> <!-- deploy to context root - not recommended - see below -->
<virtual-host></virtual-host> <!-- if you want a specific virtual host -->

You’d better leave it deployed under “/hudson”, otherwise some locations become inaccessible. To have both convenience and usability you can use a simple redirection. To do that, create the following files under the server deploy directory:


redirect.jsp should contain:


jboss-web.xml should contain:

    <!-- <virtual-host></virtual-host> -->

web.xml could be something like:

<?xml version="1.0" encoding="UTF-8"?>

<web-app xmlns="" xmlns:xsi=""
    xsi:schemaLocation="" version="2.4">

  <display-name>Redirecting to Hudson</display-name>
     Redirecting to Hudson.



