Monthly Archives: November 2011

Looking for JBoss Maven Repository?

JBoss has decommissioned their Maven 2 repository (about a year ago according to their site), which was available at http://repository.jboss.org/maven2. But many resources out there still refer to this repository, and many people face the following error when they try to use it.

Access denied to: http://repository.jboss.org/maven2

This is because JBoss has deactivated this repository and set up a 403 (HTTP Forbidden) error on this URL. After googling for a while, reading through JIRA entries etc., I found this page which pointed to a new repository from JBoss that contains most (if not all) of the artifacts from the previous one. The new repository URL is http://repository.jboss.org/nexus/content/groups/public-jboss/.

It would have been better if JBoss had given a hint about this at their old repository URL, instead of sending a 403, which gives no clues.

In fact, as the URL indicates, this is a Nexus Maven Repository instance. You can access the Nexus Repository Manager from http://repository.jboss.org/nexus/ which lists all repositories hosted in it.
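Since many build files still point at the old URL, here is a small script that finds them in a source tree and switches them to the new one. It is an added example, not part of the original post: the two URLs are the ones quoted above, while the function names and the choice to scan only pom.xml and settings.xml are assumptions.

```shell
#!/bin/sh
# Added example. URLs are the ones quoted in the post; function names and
# the set of files scanned (pom.xml, settings.xml) are assumptions.
OLD_RE='http://repository\.jboss\.org/maven2'   # dots escaped for grep/sed
NEW_REPO='http://repository.jboss.org/nexus/content/groups/public-jboss/'

# List every pom.xml / settings.xml under $1 that still names the old
# repository. The trailing group keeps a longer path segment that merely
# starts with "maven2" from counting as a hit.
find_stale_repo_refs() {
    # grep exits 1 when nothing matches; that is not an error here.
    find "$1" -type f \( -name 'pom.xml' -o -name 'settings.xml' \) \
        -exec grep -lE "${OLD_RE}([^A-Za-z0-9._-]|\$)" {} + || true
}

# Rewrite the old URL in one file, with or without its trailing slash,
# keeping a .bak copy so the change can be reviewed or reverted.
rewrite_repo_url() {
    cp "$1" "$1.bak" &&
    sed -e "s|${OLD_RE}/|${NEW_REPO}|g" \
        -e "s|${OLD_RE}\([^A-Za-z0-9._-]\)|${NEW_REPO}\1|g" \
        -e "s|${OLD_RE}\$|${NEW_REPO}|" "$1.bak" > "$1"
}

# Rewrite every stale file under $1 and print how many were changed.
# Reading line by line keeps paths that contain spaces intact.
migrate_tree() {
    find_stale_repo_refs "$1" | {
        count=0
        while IFS= read -r f; do
            rewrite_repo_url "$f" && count=$((count + 1))
        done
        echo "$count"
    }
}

# Stand-alone use: sh migrate-jboss-repo.sh /path/to/checkout
if [ "$#" -gt 0 ]; then
    migrate_tree "$1"
fi
```

Review the resulting diff against the .bak copies before committing, since a changed repository URL changes where the build fetches its artifacts from.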

JBoss JMX Console Vulnerability – Standard Security Is Not Enough!

On 20th October 2011 JBoss released a Security Alert warning of a worm that uses a security loophole in the JBoss JMX Console to attack servers on the web. According to this notice, users running unsecured JMX consoles were vulnerable to this attack.

I’ve been running several JBoss Application Server instances exposed to the web, but I always ensure that JMX Console and other management features of JBoss are secured before exposing them to the web. I usually use the standard Username/Password login module for authentication for these JBoss services (I know it’s not very secure, but that was sufficient). Initially when I was setting this up, I referred to this article from JBoss: http://community.jboss.org/wiki/SecureTheJmxConsole [Note: Now it is updated to include the additional steps to protect against this threat].

According to the security alert, password protected JMX consoles were safe from this threat. Since it was password protected, I thought I was secure against this threat. I couldn’t have been more wrong, and I had to learn it the hard way.