[jboss-dev-forums] [Design of Security on JBoss] - Re: AS 4.2.0 binding to localhost
mazz@jboss.com
do-not-reply at jboss.com
Sun Mar 4 23:25:08 EST 2007
It's the user's job to decide if allowing unsecured access to JMX Console is allowed under any circumstance - it's not our job to deny such access without it being a configurable setting.
That said, we should at least spit out very loud warnings in the logs if we detect unsecured access outside of "localhost".
I think the solution to this is to:
log.warn("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
log.warn("!!!!! WARNING !!!!!!");
log.warn("! YOU ARE ALLOWING UNSECURED ACCESS TO JMX CONSOLE !");
log.warn("! PLEASE SEE http://jboss.com/SecureJBoss FOR MORE INFO !");
log.warn("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
At least you can't miss that when you start the server every time (assuming someone looks at the logs every now and then - which you would assume someone would before putting a JBossAS instance in production that is accessible to the world).
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4024968#4024968
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4024968
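
One way the startup check proposed in the post could be written, as an added example that is not part of the original post and not JBoss code. The class and method names are hypothetical, java.util.logging stands in for the server's logger, and the descriptor string and bind addresses are constructed samples; the check assumes a console counts as secured only when its web.xml has a live security-constraint with an auth-constraint.

```java
import java.io.StringReader;
import java.net.InetAddress;
import java.util.logging.Logger;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/** Added illustration; all names here are hypothetical, not JBoss APIs. */
public class UnsecuredConsoleCheck {
    private static final Logger log = Logger.getLogger("UnsecuredConsoleCheck");

    /** True when the bind address is reachable from other hosts. */
    static boolean reachableBeyondLocalhost(String bindAddress) throws Exception {
        InetAddress addr = InetAddress.getByName(bindAddress);
        // 0.0.0.0 and :: listen on every interface, so they count as exposed.
        return addr.isAnyLocalAddress() || !addr.isLoopbackAddress();
    }

    /** True when the descriptor has a security-constraint that requires a role. */
    static boolean hasAuthConstraint(String webXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Assumption: the descriptor carries no DOCTYPE, so reject one outright.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(webXml)));
        // A DOM walk skips XML comments, so a commented-out constraint is not counted.
        NodeList constraints = doc.getElementsByTagName("security-constraint");
        for (int i = 0; i < constraints.getLength(); i++) {
            Element c = (Element) constraints.item(i);
            if (c.getElementsByTagName("auth-constraint").getLength() > 0) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the constraint exists only inside an XML comment.
        String webXml = "<web-app><!-- <security-constraint><auth-constraint>"
            + "<role-name>Admin</role-name></auth-constraint></security-constraint> -->"
            + "</web-app>";
        boolean secured = hasAuthConstraint(webXml);
        for (String bind : new String[] {"127.0.0.1", "0.0.0.0", "192.0.2.10"}) {
            if (reachableBeyondLocalhost(bind) && !secured) {
                log.warning("Bind address " + bind + ": console has no auth-constraint");
            } else {
                log.info("Bind address " + bind + ": no warning needed");
            }
        }
    }
}
```

The check only confirms that a role-protected constraint exists; it does not verify which URL patterns or HTTP methods the constraint covers.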