The point of the change was to not be the source of the unsecure, globally available access. We were getting security exploit postings over this issue. Logging a message is not effective either. Inconvience is the point. If your trying to access the server remotely, then you have to change something and the release notes document why localhost is the default. It was argued that it would be more inconvient to completely disallow access to the jmx console by configuring it to only configure users without valid permissions to access the consoles. The argument for localhost was that testsuites would not be broken, as well as allowing the typical localhost deployments used by developers. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4024969#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...