[ http://jira.jboss.com/jira/browse/JBAS-4388?page=comments#action_12414706 ]
Jeff Schnitzer commented on JBAS-4388:
--------------------------------------
JBPAPP-327 is not related to this issue. JBPAPP-327 concerns security domains. This
issue concerns the web context root of current and future administrative services.
SecureTheInvokers does not resolve the issue. Placing an authentication requirement on
the invokers, console, etc. does not prevent dictionary or brute force attacks, or abuse
from leaked passwords or ex-employees. In my experience, most major enterprise
environments have policies that prohibit public access to administrative login interfaces.
All such interfaces are only accessible from the private network, requiring VPN access
(usually with two-factor authentication) from remote sources.
Place all management web applications, web invokers, etc under a common context root
------------------------------------------------------------------------------------
Key: JBAS-4388
URL: http://jira.jboss.com/jira/browse/JBAS-4388
Project: JBoss Application Server
Issue Type: Feature Request
Security Level: Public(Everyone can see)
Components: JMX/Web Console
Reporter: Jeff Schnitzer
Assigned To: Clive Saldanha
In any enterprise environment, administrative interfaces are blocked from the public even
if they require a password; administrative interfaces can only be accessed through the
internal network or an SSL-secured VPN. This means the load balancer (or whatever) must
block out all the possible management/invocation web apps:
/jmx-console
/web-console
/invoker
/jbossmq-httpil
These paths sometimes change between JBoss versions without any significant announcement,
plus services are occasionally added. This could easily result in unsecured or poorly
secured (basic auth) services exposed to the public.
Please put all JBoss-provided webapps under a base context that can easily be blocked to
the public:
/jboss/jmx-console
/jboss/web-console
/jboss/invoker
/jboss/jbossmq-httpil
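A front-end rule of the kind the report describes, shown as an added example that is not part of the JIRA issue or of JBoss itself: a reverse proxy in front of the application server that only lets the internal network reach the management contexts. The nginx syntax, the upstream address and the 10.0.0.0/8 internal range are assumptions; the first block is what operators must maintain today, the second is what a single base context would make possible.

```nginx
# Constructed example of a public-facing reverse proxy in front of JBoss.
# Assumed: JBoss listens on 127.0.0.1:8080 and the internal/VPN network is 10.0.0.0/8.
upstream jboss_backend {
    server 127.0.0.1:8080;
}

server {
    listen 80;

    # Today: every management context from the report has to be listed by hand,
    # and the list must be re-checked on every JBoss upgrade because paths move
    # and new services appear. The match is deliberately a loose prefix (no
    # trailing anchor) so that variants of the path that the servlet container
    # would still route to the console are caught as well.
    location ~ ^/(jmx-console|web-console|invoker|jbossmq-httpil) {
        allow 10.0.0.0/8;   # assumed internal network / VPN range
        deny  all;          # everyone else gets 403, before any login page is shown
        proxy_pass http://jboss_backend;
    }

    # What the request asks for: one base context covers current and future
    # management services, so the block rule never needs to change.
    location /jboss/ {
        allow 10.0.0.0/8;
        deny  all;
        proxy_pass http://jboss_backend;
    }

    # Ordinary application traffic is passed through unchanged.
    location / {
        proxy_pass http://jboss_backend;
    }
}
```

The point the thread makes is that the deny rule sits in front of the console's own authentication: a public client never reaches the login form, so password guessing and leaked credentials are not exercised from the outside. Whichever proxy is used, the rule should match at least as broadly as the application server resolves paths (case, encoding, path parameters), which is one more reason a single prefix is easier to get right than a list of individual contexts.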
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira