[jboss-dev-forums] [Design of Security on JBoss] - Re: AS 4.2.0 binding to localhost

[dimitris@jboss.org]

First of all, better don't make assumption about how users will react to the change. If jboss binds to 0.0.0.0 since year 1999 and now this has changed to localhost, I think this is already a big change and will at the very least make people wonder why's that. Release notes and blogging will help explain the problem, too.

Second, for the really naive users without any jboss knowledge that just unzip jboss, throw in a webapp, and they are done, or the case where a jboss server is installed by default and is just waiting there, unused, this measure offers some really basic but essential protection. Remember that we received negative comments about "remotely accessing a default jboss installation" and this is what we are fixing here.

>From the point where somone starts messing with command line parameters and configuration options he/she must assume responsibility for his/hers doings.

I agree we can assist a user to create a more secure environment, but this is done either in the installer, or some post installation script. Besides, there are many points you need to secure, not just the jmx-console.

In my understanding, if we lock up everying in the default developer-oriented .zip distro, we'll just manage to enrage developers. And don't forget that the .zip distro IS primarily made for developers.

In a production environment where you'll have to make quite a few configuration changes before installing/testing/fine-tuning a server, securing the server is really one of the standard items in your checklist.




View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4025187#4025187

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4025187