It's the user's job to decide if allowing unsecured access to JMX Console is allowed
under any circumstance - it's not our job to deny such access without it being a
configurable setting.
That said, we should at least spit out very loud warnings in the logs if we detect
unsecured access outside of "localhost".
I think the solution to this is to:
    log.warn("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
    log.warn("!!!!! WARNING !!!!!!");
    log.warn("! YOU ARE ALLOWING UNSECURED ACCESS TO JMX CONSOLE !");
    log.warn("! PLEASE SEE http://jboss.com/SecureJBoss FOR MORE INFO !");
    log.warn("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
At least you can't miss that when you start the server every time (assuming someone
looks at the logs every now and then - which you would assume someone would before putting
a JBossAS instance in production that is accessible to the world).
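One way the "unsecured access outside of localhost" check from the post could be decided at startup, as an added example that is not part of the original post and not JBoss code. The class name, method names and the consoleSecured flag are hypothetical, and java.util.logging stands in for the server's own logger.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.logging.Logger;

// Hypothetical startup check; names are illustrative, not JBoss APIs.
public class JmxConsoleExposureCheck {
    private static final Logger log = Logger.getLogger("JmxConsoleExposureCheck");

    // True if the bind address can be reached from another host.
    static boolean reachableOffHost(String bindAddress) throws UnknownHostException {
        // A host name may resolve to several addresses; one exposed address is enough.
        for (InetAddress a : InetAddress.getAllByName(bindAddress)) {
            // The wildcard (0.0.0.0 or ::) listens on every interface, so it counts as exposed.
            if (a.isAnyLocalAddress() || !a.isLoopbackAddress()) {
                return true;
            }
        }
        return false;
    }

    // Warn only when the console has no security configured AND is reachable off-host.
    static boolean shouldWarn(String bindAddress, boolean consoleSecured) {
        if (consoleSecured) {
            return false;
        }
        try {
            return reachableOffHost(bindAddress);
        } catch (UnknownHostException e) {
            return true; // cannot prove the address is loopback-only, so warn
        }
    }

    public static void main(String[] args) {
        // Constructed sample bind addresses, all checked with the console unsecured.
        String[] binds = { "127.0.0.1", "::1", "0.0.0.0", "192.0.2.10" };
        for (String bind : binds) {
            if (shouldWarn(bind, false)) {
                log.warning("!!!!! WARNING !!!!!!");
                log.warning("! YOU ARE ALLOWING UNSECURED ACCESS TO JMX CONSOLE ! (bind address " + bind + ")");
            } else {
                log.info("JMX Console bound to loopback only: " + bind);
            }
        }
    }
}
```

The two loopback addresses stay quiet; the wildcard and the routable sample address trigger the banner.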