[ http://jira.jboss.com/jira/browse/JBAS-4167?page=comments#action_12354792 ]
Dimitris Andreadis commented on JBAS-4167:
------------------------------------------
jboss-dev list discussion:
Dimitris:
I'm very much in favor of setting the default bind address to localhost, instead of
0.0.0.0. I think it's the best compromise between developer ease of use and addressing
security concerns for a default installation.
Scott M Stark wrote:
For whatever reason our long-standing use of unsecured consoles is now
being reported as a security hole. To address this, either we need to
bind to localhost by default or secure the consoles with a user that has
no access. The latter requires a post install change to add a valid role
or remove the security settings. We can't go with a default admin/admin
password.
The localhost approach would allow testsuites to continue to work as
they currently do and is probably the least intrusive change. Any other
opinions or options?
JMX Console not secured by default
----------------------------------
Key: JBAS-4167
URL: http://jira.jboss.com/jira/browse/JBAS-4167
Project: JBoss Application Server
Issue Type: Bug
Security Level: Public(Everyone can see)
Reporter: Ryan Campbell
Assigned To: Dimitris Andreadis
The jmx and web consoles should be inaccessible to remote hosts by default upon
installation. However, I just installed the alpha build and was able to access the jmx
console remotely. Steps to reproduce:
./run.sh -b $MYTESTIP
Everything starts up correctly. However, I can access $MYTESTIP:8080/jmx-console from my
browser without restriction.