"dimitris(a)jboss.org" wrote: First of all, better not to make assumptions
about how users will react to the change. If jboss has bound to 0.0.0.0 since 1999 and
now this has changed to localhost, I think this is already a big change and will at the
very least make people wonder why that is. Release notes and blogging will help explain
the problem, too.
We are both making assumptions about how users will react. The difference is you are
being optimistic, and I am being pessimistic. I agree veteran users will notice a
change, but they are likely not the source of our "problem."
If the goal is to provide legalistic arguments that we are secure by default, the status
quo is fine. If the goal is to reduce the perception that we are insecure, we won't
make any progress with the existing solution.
I completely agree it is the job of the deployer to secure the jmx-console and other
vulnerable access points, but they are consistently not doing their jobs and we are
getting the blame.
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4025198#...