[jboss-jira] [JBoss JIRA] Commented: (JBAS-4167) JMX Console not secured by default
Dimitris Andreadis (JIRA)
jira-events at lists.jboss.org
Fri Mar 2 04:08:18 EST 2007
[ http://jira.jboss.com/jira/browse/JBAS-4167?page=comments#action_12354792 ]
Dimitris Andreadis commented on JBAS-4167:
------------------------------------------
jboss-dev list discussion:
Dimitris:
I'm very much in favor of setting the default bind address to localhost, instead of 0.0.0.0. I think it's the best compromise between developer ease of use and addressing security concerns for a default installation.
Scott M Stark wrote:
> For whatever reason our long standing use of unsecured consoles is now
> being reported as a security hole. To address this, either we need to
> bind to localhost by default or secure the consoles with a user that has
> no access. The latter requires a post install change to add a valid role
> or remove the security settings. We can't go with a default admin/admin
> password.
>
> The localhost approach would allow testsuites to continue to work as
> they currently do and is probably the least intrusive change. Any other
> opinions or options?
> JMX Console not secured by default
> ----------------------------------
>
> Key: JBAS-4167
> URL: http://jira.jboss.com/jira/browse/JBAS-4167
> Project: JBoss Application Server
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Reporter: Ryan Campbell
> Assigned To: Dimitris Andreadis
>
> The jmx and web consoles should be inaccessible to remote hosts by default upon installation. However, I just installed the alpha build and was able to access the jmx console remotely. Steps to reproduce:
> ./run.sh -b $MYTESTIP
> Everything starts up correctly. However, I can access $MYTESTIP:8080/jmx-console from my browser without restriction.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira