[jboss-dev-forums] [Design of Security on JBoss] - AS 4.2.0 binding to localhost
ryan.campbell@jboss.com
do-not-reply at jboss.com
Sun Mar 4 22:23:09 EST 2007
In an effort to make JBoss more secure by default, the following issue was addressed in 4.2.0.CR1:
http://jira.jboss.com/jira/browse/JBAS-4119

Now if you just type "run.sh", JBoss will default to binding to localhost. This decision was the result of a discussion on the jboss-dev list here:
http://lists.jboss.org/pipermail/jboss-development/2007-February/006100.html

Unfortunately, this will not do anything to improve out-of-the-box security. The user will just add the -b option and be on their way without any thought. There is nothing in adding the "-b" option that prompts the user to secure their JMX console or anything else. Scenario:

1. User types run.sh, tries to hit "myhost.com"
2. User scratches head, realizes JBoss now binds to localhost by default
3. User curses JBoss, uses ./run.sh -b myhost.com
4. User once again has unsecured JMX Console

The problem is, the user is not forced to consider security. All we did was create an inconvenience.
View the original post: http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4024962#4024962
Reply to the post: http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4024962
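The scenario above ends with the server bound to a public address and the JMX console reachable from the network. Binding to localhost only hides that exposure until someone adds -b; the check a defender wants after starting with -b is whether the management ports are listening beyond loopback at all. The script below is an added example, not code from the post or from the JBoss project. It parses `ss -ltn`-style listener lines and reports every socket bound to a non-loopback address; the sample lines are constructed, and the choice of 8080 (JMX console over HTTP) and 1099 (JNDI) as ports to watch is an assumption for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): flag listening TCP sockets that
# are bound beyond loopback, the state the scenario ends in after "-b myhost.com".
# Input is "ss -ltnH"-style lines on stdin; a constructed sample is embedded so
# the script runs offline. On a live host, replace the sample with: ss -ltnH

# Constructed sample shaped like `ss -ltnH` output (assumption, not captured
# from a real host). Field 4 is the local address:port.
SAMPLE='LISTEN 0 128 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 128 0.0.0.0:1099 0.0.0.0:*
LISTEN 0 50 192.168.1.10:8083 0.0.0.0:*
LISTEN 0 128 [::1]:22 [::]:*
LISTEN 0 128 *:5432 *:*'

# exposed_listeners: read ss-style lines on stdin and print "addr:port" for
# every LISTEN socket whose local address is not a loopback address.
# Handles IPv4 (127.x.x.x), bracketed IPv6 ([::1]) and the wildcard forms
# 0.0.0.0 and "*", which ss prints for sockets bound to all interfaces.
exposed_listeners() {
  awk '$1 == "LISTEN" {
    la = $4
    # The port is everything after the last colon; the address is the rest.
    n = split(la, parts, ":")
    addr = substr(la, 1, length(la) - length(parts[n]) - 1)
    if (addr !~ /^127\./ && addr != "[::1]") print la
  }'
}

# port_exposed PORT: exit 0 if PORT is reachable beyond loopback in the input,
# 1 otherwise. Assumed ports of interest: 8080 (JMX console), 1099 (JNDI).
port_exposed() {
  exposed_listeners | grep -q ":$1\$"
}

# Usage on the constructed sample: prints the three non-loopback listeners.
printf '%s\n' "$SAMPLE" | exposed_listeners
```

Run against real `ss -ltnH` output, a non-empty result for the management ports means the localhost default has been overridden and the JMX console still needs its own access controls; the bind address alone is not the control.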