| Summary: | jBPM security documentation update | ||
|---|---|---|---|
| Product: | [JBoss] JBoss Enterprise SOA Platform 4 | Reporter: | Mark Little <mark.little> |
| Component: | Documentation, JBPM - within SOA | Assignee: | Joshua Wulf <jwulf> |
| Status: | CLOSED NEXTRELEASE | QA Contact: | |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | ||
| Version: | 4.2 Beta 1 | CC: | lcarlon |
| Target Milestone: | --- | ||
| Target Release: | 4.2 CR3 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| URL: | http://jira.jboss.org/jira/browse/SOA-327 | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2008-02-07 04:10:48 UTC | Type: | Task |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | 777747, 777750, 777754 | ||
| Bug Blocks: | |||
Description
Mark Little
2008-01-15 14:32:03 UTC
Link: Added: This issue depends SOA-265
Link: Added: This issue depends SOA-262
Link: Added: This issue related SOA-299

Do I have this right:

jboss-soa-p.4.2.0/jboss-as/server/all/deploy/jbpm.esb/jbpm-console.war
jboss-soa-p.4.2.0/jboss-as/server/production/deploy/jbpm.esb/jbpm-console.war

are both the secure war that should be used in production.

jboss-soa-p.4.2.0/jbpm-jpdl/deploy/jbpm-console.war is the "insecure" war file to be used for development.

To switch from the default secured war a user should copy the currently deployed one from /server/production/deploy/jbpm-console.war to another folder as jbpm-console.war.secure (can they do this in place? i.e., can they simply rename the file like this) and copy in the jbpm-jpdl version. Rinse, lather, and reverse to go from insecure to secure?

Mike Brock's comment:

Two war files are shipped with the platform:

In the standalone version, we ship with the unsecured uploader console by default, i.e. the jBPM JPDL will be able to deploy processes, unless it's secured by copying the file in: /tools/resources/jbpm-console-production.war to /server/default/deploy/jbpm.esb/jbpm-console.war.

They can change it back by copying: /tools/resources/jbpm-console-development.war to /server/default/deploy/jbpm.esb/jbpm-console.war.

The file must be overwritten. You cannot have two versions of the war in the deployment directory.

In the EAP version, by default, the all profile has the development version of the WAR, and the production profile has the production version.

Text for jBPM guide and release notes:
Warning: The following is an important note relating to the security of your system.
Two jbpm-console.war files are shipped with the platform. One is a development version which allows unauthenticated access to deploy processes to the server, for use with a graphical process design tool such as JBoss Developer Studio while developing applications. The other is a production version which secures the console against remote deployment. You should not run your server in a production environment with the unsecured development version of jbpm-console.war deployed. Doing so poses a threat to the security of your server.
==Standalone version of JBoss Enterprise SOA Platform==
In the standalone version, we ship with the unsecured uploader console by default. Initially, your server is configured for development. The jBPM JPDL will be able to deploy processes. Before putting it into production you should secure the console.
Procedure 2.1. To secure the console in the standalone version
* Copy the file /tools/resources/jbpm-console-production.war to /server/default/deploy/jbpm.esb/jbpm-console.war.
Procedure 2.2. To enable remote deployment of processes in the standalone version
* Copy /tools/resources/jbpm-console-development.war to /server/default/deploy/jbpm.esb/jbpm-console.war.
In each case the file must be overwritten. You cannot have two versions of the war in the deployment directory.
==Embedded JBoss Enterprise Application Platform version of JBoss Enterprise SOA Platform==
In the embedded JBoss Enterprise Application Platform version, the "all" profile has the development version of the war, and the "production" profile has the production version. By default your server is configured to operate in a secure mode. To enable it for development mode you need to run in the unsecured mode of operation.
Procedure 2.3. To secure the console in the embedded EAP version
* Start the server with no command-line parameters or with the parameter -c production
Procedure 2.4. To enable remote deployment of processes in the embedded EAP version
* Start the server using the parameter -c all
We do not recommend running the server on an unsecured network with the jbpm-console-development.war deployed or using the all profile without modification.
Link: Added: This issue depends SOA-270
Link: Added: This issue related SOA-1339
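
Added example, not part of the original report or the product documentation: a pre-production check for the standalone layout that reports which console war is deployed by comparing it byte for byte with the two copies under /tools/resources, and flags a second console war in the deployment directory. The install root argument and the function name console_variant are assumptions; the paths are those given in Procedures 2.1 and 2.2, taken relative to that root.

```shell
#!/bin/sh
# Added example: report which jbpm-console.war variant is deployed in the
# standalone layout. Paths follow Procedures 2.1 and 2.2, taken relative to an
# install root passed as $1 (assumption); console_variant is a hypothetical name.

console_variant() {
    soa_home=$1
    deploy_dir="$soa_home/server/default/deploy/jbpm.esb"
    deployed="$deploy_dir/jbpm-console.war"
    prod="$soa_home/tools/resources/jbpm-console-production.war"
    dev="$soa_home/tools/resources/jbpm-console-development.war"

    # The deployment directory must hold exactly one console war.
    count=0
    for f in "$deploy_dir"/jbpm-console*.war; do
        if [ -e "$f" ]; then count=$((count + 1)); fi
    done
    if [ "$count" -gt 1 ]; then echo "multiple"; return 3; fi
    if [ ! -f "$deployed" ]; then echo "missing"; return 2; fi

    # cmp -s compares byte for byte and prints nothing; only the status is used.
    if cmp -s "$deployed" "$prod"; then
        echo "production"; return 0
    elif cmp -s "$deployed" "$dev"; then
        echo "development"; return 1
    fi
    echo "unknown"; return 2
}
```

Call it as console_variant followed by the install root; only a "production" result returns status 0, so the check can gate a deployment step.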