[jboss-jira] [JBoss JIRA] Commented: (JBAS-4167) JMX Console not secured by default

Dimitris Andreadis (JIRA) jira-events at lists.jboss.org
Fri Mar 2 04:08:18 EST 2007 

    [ http://jira.jboss.com/jira/browse/JBAS-4167?page=comments#action_12354792 ] 
            
Dimitris Andreadis commented on JBAS-4167:
------------------------------------------

jboss-dev list discussion:

Dimitris:
I'm very much in favor of setting the default bind address to localhost, instead of 0.0.0.0. I think it's the best compromise between developer easy of use and addressing security concerns for a default installation.

Scott M Stark wrote:
> For whatever reason our long standing use of unsecured consoles is now
> being reported as a security hole. To address this, either we need to
> bind to localhost by default or secure the consoles with a user that has
> no access. The latter requires a post install change to add a valid role
> or remove the security settings. We can't go with a default admin/admin
> password.
>
> The localhost approach would allow testsuites to continue to work as
> they currently do and is probably the least intrusive change. Any other
> opinions or options? 

> JMX Console not secured by default
> ----------------------------------
>
>                 Key: JBAS-4167
>                 URL: http://jira.jboss.com/jira/browse/JBAS-4167
>             Project: JBoss Application Server
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>            Reporter: Ryan Campbell
>         Assigned To: Dimitris Andreadis
>
> The jmx and web consoles should be inaccessible to remote hosts by default upon installation. However, I just installed the alpha build and was able to access the jmx console remotely. Steps to reproduce
> ./run.sh -b $MYTESTIP
> Everything starts up correctly. However, I can access $MYTESTIP:8080/jmx-console from my browser without restriction

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list