In an effort to make JBoss more secure by default, the following issue was addressed in
4.2.0.CR1:
http://jira.jboss.com/jira/browse/JBAS-4119
Now if you just type "run.sh", JBoss will default to binding to localhost. This
decision was the result of a discussion on the jboss-dev list here:
http://lists.jboss.org/pipermail/jboss-development/2007-February/006100.html
Unfortunately, this will not do anything to improve out-of-the-box security. The user
will just add the -b option and be on their way without any thought. There is nothing in
adding the "-b" option that prompts the user to secure their JMX console or
anything else. Scenario:
1. User types run.sh, tries to hit "myhost.com"
2. User scratches head, realizes JBoss now binds to localhost by default
3. User curses JBoss, uses ./run.sh -b myhost.com
4. User once again has unsecured JMX Console
The problem is, the user is not forced to consider security. All we did was create an
inconvenience.