Bug 777801 (SOA-327) - jBPM security documentation update
Summary: jBPM security documentation update
Keywords:
Status: CLOSED NEXTRELEASE
Alias: SOA-327
Product: JBoss Enterprise SOA Platform 4
Classification: JBoss
Component: Documentation, JBPM - within SOA
Version: 4.2 Beta 1
Hardware: Unspecified
OS: Unspecified
urgent
urgent
Target Milestone: ---
: 4.2 CR3
Assignee: Joshua Wulf
QA Contact:
URL: http://jira.jboss.org/jira/browse/SOA...
Whiteboard:
Depends On: SOA-262 SOA-265 SOA-270
Blocks:
 
Reported: 2008-01-15 14:32 UTC by Mark Little
Modified: 2014-10-19 22:59 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-02-07 04:10:48 UTC
Type: Task




Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 778897 0 high CLOSED Upload servlet path is not aligned with the GPD defaults 2021-02-22 00:41:40 UTC
Red Hat Issue Tracker JBQA-1347 0 None None None Never
Red Hat Issue Tracker SOA-327 0 None None None Never

Internal Links: 778897

Description Mark Little 2008-01-15 14:32:03 UTC
Affects: Documentation (Ref Guide, User Guide, etc.), Release Notes
Date of First Response: 2008-01-21 02:10:11
project_key: SOA

Document that we will have two jBPM war files: one secured (for production use) and one for development. The jBPM docs need updating as well as the release notes.

Comment 1 Mark Little 2008-01-15 14:37:26 UTC
Link: Added: This issue depends SOA-265


Comment 2 Mark Little 2008-01-15 14:38:37 UTC
Link: Added: This issue depends SOA-262


Comment 3 Len DiMaggio 2008-01-15 14:51:20 UTC
Link: Added: This issue related SOA-299


Comment 4 Joshua Wulf 2008-01-21 07:10:11 UTC
Do I have this right:

jboss-soa-p.4.2.0/jboss-as/server/all/deploy/jbpm.esb/jbpm-console.war
jboss-soa-p.4.2.0/jboss-as/server/production/deploy/jbpm.esb/jbpm-console.war

are both the secure war that should be used in production.

jboss-soa-p.4.2.0/jbpm-jpdl/deploy/jbpm-console.war

is the "insecure" war file to be used for development.

To switch from the default secured war a user should copy the currently deployed one from /server/production/deploy/jbpm-console.war to another folder as jbpm-console.war.secure (can they do this in place, i.e. can they simply rename the file like this?) and copy in the jbpm-jpdl version.

Rinse, lather, and reverse to go from insecure to secure?


Comment 5 Joshua Wulf 2008-01-31 08:50:16 UTC
Mike Brock's comment:


Two war files are shipped with the platform:

In the standalone version, we ship with the unsecured uploader console by default, i.e. the jBPM JPDL will be able to deploy processes, unless it's secured by copying the file in:
/tools/resources/jbpm-console-production.war to /server/default/deploy/jbpm.esb/jbpm-console.war.  They can change it back by copying: /tools/resources/jbpm-console-development.war to /server/default/deploy/jbpm.esb/jbpm-console.war.  The file must be overwritten.  You cannot have two versions of the war in the deployment directory.

In the EAP version, by default, the all profile has the development version of the WAR, and the production profile has the production version.


Comment 6 Joshua Wulf 2008-01-31 10:43:55 UTC
Text for jBPM guide and release notes:


Warning: The following is an important note relating to the security of your system.

Two jbpm-console.war files are shipped with the platform. One is a development version which allows unauthenticated access to deploy processes to the server, for use with a graphical process design tool such as JBoss Developer Studio while developing applications. The other is a production version which secures the console against remote deployment. You should not run your server in a production environment with the unsecured development version of jbpm-console.war deployed. Doing so poses a threat to the security of your server.

==Standalone version of JBoss Enterprise SOA Platform==

In the standalone version, we ship with the unsecured uploader console by default. Initially, your server is configured for development. The jBPM JPDL will be able to deploy processes. Before putting it into production you should secure the console.

Procedure 2.1. To secure the console in the standalone version

    *  Copy the file /tools/resources/jbpm-console-production.war to /server/default/deploy/jbpm.esb/jbpm-console.war.

Procedure 2.2. To enable remote deployment of processes in the standalone version

    *  Copy /tools/resources/jbpm-console-development.war to /server/default/deploy/jbpm.esb/jbpm-console.war.

In each case the file must be overwritten. You cannot have two versions of the war in the deployment directory.

==Embedded JBoss Enterprise Application Platform version of JBoss Enterprise SOA Platform==

In the embedded JBoss Enterprise Application Platform version, the "all" profile has the development version of the war, and the "production" profile has the production version. By default your server is configured to operate in a secure mode. To enable it for development mode you need to run in the unsecured mode of operation.

Procedure 2.3. To secure the console in the embedded EAP version

    *  Start the server with no command-line parameters or with the parameter -c production.

Procedure 2.4. To enable remote deployment of processes in the embedded EAP version

    *  Start the server using the parameter -c all.

We do not recommend running the server on an unsecured network with the jbpm-console-development.war deployed or using the all profile without modification.
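
The standalone-version procedures above (and the in-place swap asked about in Comment 4) come down to overwriting a single file, and the only way to tell which console is live is to compare the deployed war against the two shipped copies. The following POSIX shell helpers are an added example written for this page, not the platform's own tooling or anything attached to the bug: they assume a hypothetical SERVER_ROOT prefix in front of the paths quoted in Comment 6 (tools/resources/jbpm-console-production.war, tools/resources/jbpm-console-development.war and server/default/deploy/jbpm.esb/jbpm-console.war), report which version is deployed, flag a deploy directory holding more than one jbpm-console war, and perform the overwrite.

```shell
#!/bin/sh
# Added example (not from the SOA Platform docs or the bug report).
# SERVER_ROOT is a hypothetical prefix; the relative paths are the ones
# quoted in Comment 6 for the standalone version.
set -u

# Resolve the two shipped reference wars and the deployed war for a root.
jbpm_paths() {
    root=$1
    PROD_WAR="$root/tools/resources/jbpm-console-production.war"
    DEV_WAR="$root/tools/resources/jbpm-console-development.war"
    DEPLOYED_WAR="$root/server/default/deploy/jbpm.esb/jbpm-console.war"
}

# Print which console is deployed by comparing bytes with the shipped
# copies: production, development, or unknown (a locally modified war).
jbpm_console_mode() {
    jbpm_paths "$1"
    [ -f "$DEPLOYED_WAR" ] || { echo missing; return 1; }
    if cmp -s "$DEPLOYED_WAR" "$PROD_WAR"; then
        echo production
    elif cmp -s "$DEPLOYED_WAR" "$DEV_WAR"; then
        echo development
    else
        echo unknown
    fi
}

# Count jbpm-console*.war files in the deploy directory. The comment says
# exactly one may be present, so anything other than 1 is a misconfiguration
# (a renamed copy such as jbpm-console.war.secure does not match *.war).
jbpm_console_count() {
    jbpm_paths "$1"
    n=0
    for f in "$(dirname "$DEPLOYED_WAR")"/jbpm-console*.war; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Switch mode by overwriting the deployed war in place (Procedures 2.1/2.2).
set_jbpm_console_mode() {
    jbpm_paths "$1"
    case $2 in
        production)  src=$PROD_WAR ;;
        development) src=$DEV_WAR ;;
        *) echo "usage: set_jbpm_console_mode SERVER_ROOT production|development" >&2
           return 2 ;;
    esac
    [ -f "$src" ] || { echo "reference war not found: $src" >&2; return 1; }
    mkdir -p "$(dirname "$DEPLOYED_WAR")"
    cp "$src" "$DEPLOYED_WAR"
    echo "deployed $2 console at $DEPLOYED_WAR"
}

# Stand-alone use: ./jbpm-console-mode.sh SERVER_ROOT [production|development]
if [ $# -ge 2 ]; then
    set_jbpm_console_mode "$1" "$2"
elif [ $# -eq 1 ]; then
    echo "mode: $(jbpm_console_mode "$1"), wars in deploy dir: $(jbpm_console_count "$1")"
fi
```

Run with only the root argument before going live: a result of "development" or a war count other than 1 means the server is still in the state Comment 6 warns against. The byte comparison with cmp deliberately avoids trusting file names, which is why a stray renamed copy in the deploy directory is counted rather than ignored.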

Comment 7 Len DiMaggio 2008-02-04 16:18:20 UTC
Link: Added: This issue depends SOA-270


Comment 8 Len DiMaggio 2009-12-15 18:37:06 UTC
Link: Added: This issue related SOA-1339

