How To Secure the RxServices Application

The RxServices web application provides the product's Web Service API. By default it is unprotected: it allows unauthenticated discovery and manipulation of the deployed Web Services, and it also exposes the default Apache Axis application for managing web services. Because these URLs may allow an attacker to register, manipulate, or invoke Web Services, the application should be secured when the product is deployed in a public or semi-public environment.

Follow the steps below to secure RxServices, a Rhythmyx web application:

1. Edit the ~/AppServer/server/rx/deploy/RxServices.war/WEB-INF/web.xml file.

   Append the following XML at the end of this file, before the closing </web-app> tag.

   <security-constraint>
      <web-resource-collection>
         <web-resource-name>HtmlAdaptor</web-resource-name>
         <description>Security constraint to restrict access to rxservices.</description>
         <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
         <role-name>RxServicesAdmin</role-name>
      </auth-constraint>
   </security-constraint>

   <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>RX Web Services</realm-name>
   </login-config>

   <security-role>
      <role-name>RxServicesAdmin</role-name>
   </security-role>

2. Edit the ~/AppServer/server/rx/deploy/RxServices.war/WEB-INF/jboss-web.xml file.

   Update the "jboss-web" node by adding a <security-domain> node:

   <jboss-web>
      <class-loading>
         <loader-repository>percussion.com:loader=rxservices.war</loader-repository>
      </class-loading>
      <security-domain>java:/jaas/rx.services.policy</security-domain>
   </jboss-web>

3. Edit the ~/AppServer/server/rx/config/login-config.xml file and append the following section to it, as a child of the file's root element.

   <application-policy name="rx.services.policy">
      <authentication>
         <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
            <module-option name="usersProperties">props/rx-services-users.properties</module-option>
            <module-option name="rolesProperties">props/rx-services-roles.properties</module-option>
         </login-module>
      </authentication>
   </application-policy>

4. Create the ~/AppServer/server/rx/config/props/rx-services-users.properties file.

   Add the following line:

   admin=somepassword

5. Create the ~/AppServer/server/rx/config/props/rx-services-roles.properties file.

   admin=RxServicesAdmin

6. Remove the following application files:

  • ~/AppServer/server/rx/deploy/http-invoker.sar
  • ~/AppServer/server/rx/deploy/jmx-console.war
  • ~/AppServer/server/rx/deploy/management/console-mgr.sar

7. In ~/AppServer/server/rx/deploy/jboss-web.deployer/ROOT.war/WEB-INF/jboss-web.xml, comment out the security-domain and depends nodes as shown below.

   <!--<security-domain>java:/jaas/jmx-console</security-domain>-->
   <!--<depends>jboss.admin:service=PluginManager</depends>-->
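A post-edit check for steps 1 to 7, written here as an added example rather than anything shipped with Rhythmyx or JBoss. It parses the edited web.xml, the two jboss-web.xml files, login-config.xml and the two properties files with Python's standard library and reports what is still missing; it goes slightly beyond the procedure by also flagging a user that is still on the example password. The sample documents at the bottom are constructed to mirror the snippets above so the script runs without an installation; on a real server, pass the contents of the actual files to the check_* functions.

```python
"""Checks for steps 1 to 7 of the RxServices hardening procedure. Added example,
not Percussion's or JBoss's own tooling; the samples at the bottom are constructed."""
import re
import xml.etree.ElementTree as ET

EXPECTED_ROLE = "RxServicesAdmin"
EXPECTED_DOMAIN = "java:/jaas/rx.services.policy"
EXPECTED_POLICY = "rx.services.policy"

def _find(elem, name):
    """Descendants (elem included) with this local tag; a {uri} namespace prefix is ignored."""
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]

def _texts(elem, name):
    return [e.text.strip() for e in _find(elem, name) if e.text]

def check_web_xml(text):
    """Step 1: a constraint over /* requiring the admin role, enforced by BASIC auth."""
    root, problems = ET.fromstring(text), []
    covering = [c for c in _find(root, "security-constraint") if "/*" in _texts(c, "url-pattern")]
    if not covering:
        problems.append("no security-constraint with url-pattern /*")
    elif not any(EXPECTED_ROLE in _texts(c, "role-name") for c in covering):
        problems.append("constraint over /* does not require role " + EXPECTED_ROLE)
    if "BASIC" not in _texts(root, "auth-method"):
        problems.append("login-config auth-method is not BASIC")
    if not any(EXPECTED_ROLE in _texts(s, "role-name") for s in _find(root, "security-role")):
        problems.append("security-role %s is not declared" % EXPECTED_ROLE)
    return problems

def check_jboss_web(text):
    """Step 2: RxServices.war/WEB-INF/jboss-web.xml names the rx.services.policy domain."""
    domains = _texts(ET.fromstring(text), "security-domain")
    return [] if EXPECTED_DOMAIN in domains else ["security-domain is %r, expected %s" % (domains, EXPECTED_DOMAIN)]

def check_login_config(text):
    """Step 3: login-config.xml defines the policy with a required UsersRolesLoginModule."""
    policies = [p for p in _find(ET.fromstring(text), "application-policy") if p.get("name") == EXPECTED_POLICY]
    if not policies:
        return ["application-policy %s not found" % EXPECTED_POLICY]
    modules = [m for m in _find(policies[0], "login-module") if (m.get("code") or "").endswith("UsersRolesLoginModule")]
    if not modules:
        return ["policy has no UsersRolesLoginModule"]
    problems = [] if modules[0].get("flag") == "required" else ["login-module flag is not 'required'"]
    options = {o.get("name"): (o.text or "").strip() for o in _find(modules[0], "module-option")}
    return problems + ["module-option %s missing" % o for o in ("usersProperties", "rolesProperties") if not options.get(o)]

def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value; '#' and '!' lines are comments."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^=:\s#!][^=:\s]*)\s*[=:]\s*(.*?)\s*$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def check_credentials(users_text, roles_text):
    """Steps 4 and 5: every user has a real password and is mapped to the admin role."""
    users, roles = parse_properties(users_text), parse_properties(roles_text)
    problems = [] if users else ["no users defined"]
    for user, password in users.items():
        if not password:
            problems.append("user %s has an empty password" % user)
        elif password == "somepassword":
            problems.append("user %s still uses the example password from the procedure" % user)
        if EXPECTED_ROLE not in roles.get(user, "").split(","):
            problems.append("user %s is not mapped to role %s" % (user, EXPECTED_ROLE))
    return problems

def check_root_jboss_web(text):
    """Step 7: ROOT.war's jboss-web.xml has no live security-domain or depends element;
    the commented-out ones the procedure leaves behind are invisible to the parser."""
    root = ET.fromstring(text)
    return ["%s is still active" % t for t in ("security-domain", "depends") if _find(root, t)]

# Constructed samples mirroring the files after steps 1 to 5 and 7
SAMPLE_WEB_XML = """<web-app><security-constraint><web-resource-collection>
<web-resource-name>HtmlAdaptor</web-resource-name><url-pattern>/*</url-pattern></web-resource-collection>
<auth-constraint><role-name>RxServicesAdmin</role-name></auth-constraint></security-constraint>
<login-config><auth-method>BASIC</auth-method><realm-name>RX Web Services</realm-name></login-config>
<security-role><role-name>RxServicesAdmin</role-name></security-role></web-app>"""
SAMPLE_JBOSS_WEB = "<jboss-web><security-domain>java:/jaas/rx.services.policy</security-domain></jboss-web>"
SAMPLE_LOGIN_CONFIG = """<policy><application-policy name="rx.services.policy"><authentication>
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
<module-option name="usersProperties">props/rx-services-users.properties</module-option>
<module-option name="rolesProperties">props/rx-services-roles.properties</module-option>
</login-module></authentication></application-policy></policy>"""
SAMPLE_ROOT_JBOSS_WEB = "<jboss-web><!--<security-domain>java:/jaas/jmx-console</security-domain>--></jboss-web>"

def check_samples():
    """Run every check over the samples; the one expected finding is the example password."""
    return {"web.xml": check_web_xml(SAMPLE_WEB_XML),
            "jboss-web.xml": check_jboss_web(SAMPLE_JBOSS_WEB),
            "login-config.xml": check_login_config(SAMPLE_LOGIN_CONFIG),
            "credentials": check_credentials("admin=somepassword\n", "admin=RxServicesAdmin\n"),
            "ROOT jboss-web.xml": check_root_jboss_web(SAMPLE_ROOT_JBOSS_WEB)}
```

Each check_* function takes the file's text and returns a list of problems, so an empty list means that step is in place. The XML parser discards comments, which is what makes the step 7 check meaningful: a security-domain that survives only inside <!-- --> is not reported, while one that was left live is.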

8. Save all updated files, clear the temporary files listed below and restart the Rhythmyx server.

   1. Delete the file <Install Directory>/server_run_lock, if one exists.
   2. Delete all <Install Directory>/dbg_.sys_CEHandler#.xml files.
   3. Delete all directories starting with .sys (dot sys): <Install Directory>/.sys_CEHandler*
   4. Delete all JBoss temporary files and folders under the <Install Directory>/AppServer/server/rx/tmp/ and <Install Directory>/AppServer/server/rx/data/ folders.
   5. Delete all server log files under <Install Directory>/AppServer/server/rx/log.

9. Test the URL: access http://servername:9992/RxServices. When prompted for a user name and password, supply the ones defined in the rx-services-users.properties file (admin and somepassword in the example above).
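Step 9 can be automated as well. The following added example (not part of the Percussion procedure) probes a URL three times, anonymously, with a wrong password and with the configured credentials, and reports whether the responses are what the BASIC constraint from step 1 should produce: a 401 carrying a Basic challenge for the "RX Web Services" realm in the first two cases and a 200 in the last. To run offline it includes a small constructed stub server that answers the way a correctly secured container does; replace the stub URL with http://servername:9992/RxServices to test a real deployment. The Basic scheme only base64-encodes the user name and password, so on a public network the port should additionally be served over TLS for this protection to hold.

```python
"""HTTP check for step 9: anonymous requests to /RxServices must be challenged
for Basic credentials and only the configured user may get through. Added example,
not Percussion's own test; the stub server below is a constructed stand-in for JBoss."""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

REALM = "RX Web Services"  # realm-name from the login-config added in step 1


def probe(url, user=None, password=None, timeout=5):
    """GET url, with Basic credentials if given; returns (status, WWW-Authenticate header)."""
    request = urllib.request.Request(url)
    if user is not None:
        token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
        request.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status, response.headers.get("WWW-Authenticate", "")
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry the headers we need
        return err.code, err.headers.get("WWW-Authenticate", "")


def verify_protected(url, user, password):
    """Three probes: no credentials, a wrong password, the right password."""
    anon_status, challenge = probe(url)
    wrong_status, _ = probe(url, user, password + "-wrong")
    good_status, _ = probe(url, user, password)
    return {
        "anonymous_rejected": anon_status == 401,
        "basic_challenge": challenge.lower().startswith("basic") and REALM in challenge,
        "wrong_password_rejected": wrong_status == 401,
        "credentials_accepted": good_status == 200,
    }


class _StubRxServices(BaseHTTPRequestHandler):
    """Constructed stand-in for the secured container: BASIC auth over every path."""
    users = {"admin": "somepassword"}  # mirrors the example rx-services-users.properties

    def do_GET(self):
        authorized = False
        header = self.headers.get("Authorization", "")
        if header.startswith("Basic "):
            try:
                user, _, password = base64.b64decode(header[6:]).decode().partition(":")
                authorized = self.users.get(user) == password
            except ValueError:  # malformed base64 or non-UTF-8 bytes
                pass
        if authorized:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"RxServices")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="%s"' % REALM)
            self.end_headers()

    def log_message(self, *args):  # keep the check's output quiet
        pass


def run_against_stub():
    """Start the stub on a random local port, run verify_protected against it, shut it down."""
    server = HTTPServer(("127.0.0.1", 0), _StubRxServices)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        url = "http://127.0.0.1:%d/RxServices" % server.server_address[1]
        return verify_protected(url, "admin", "somepassword")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, ok in run_against_stub().items():
        print("%-24s %s" % (name, "pass" if ok else "FAIL"))
```

All four entries of the returned dict should be True; a False "anonymous_rejected" or "basic_challenge" means the constraint in web.xml is not being applied (for instance because the appended XML landed outside the web-app element or the security-domain in jboss-web.xml does not match the policy name), while a False "credentials_accepted" usually points at the properties files or the role mapping.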

For more information, or to configure more advanced security options, see the JBoss documentation.