We could address this by only allowing connections to jmx-console from localhost, or any other methods which require configuration on the user's end. At least we could have a chance to have something like this: ****** Before uncommenting this, see http://wiki.jboss.org/SecureJBoss ****** A smarter option would cause JBoss to refuse to listen on anything but localhost with an unsecured JMX console unless you pass the "--unsecure" option. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4024964#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...