[jboss-dev-forums] [Design of Security on JBoss] - Re: AS 4.2.0 binding to localhost

ryan.campbell@jboss.com do-not-reply at jboss.com
Mon Mar 5 16:01:29 EST 2007


"dimitris at jboss.org" wrote : First of all, better not make assumptions about how users will react to the change. If jboss has bound to 0.0.0.0 since 1999 and this now changes to localhost, I think that is already a big change and will at the very least make people wonder why that is. Release notes and blogging will help explain the problem, too.

We are both making assumptions about how users will react. The difference is you are being optimistic, and I am being pessimistic. I agree veteran users will notice a change, but they are likely not the source of our "problem."

If the goal is to provide legalistic arguments that we are secure by default, the status quo is fine. If the goal is to reduce the perception that we are insecure, we won't make any progress with the existing solution.

I completely agree it is the job of the deployer to secure the jmx-console and other vulnerable access points, but they are consistently not doing their jobs and we are getting the blame.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4025198#4025198
