[jboss-jira] [JBoss JIRA] Commented: (JBAS-4388) Place all management web applications, web invokers, etc under a common context root

Clive Saldanha (JIRA) jira-events at lists.jboss.org
Wed May 28 17:54:54 EDT 2008


    [ http://jira.jboss.com/jira/browse/JBAS-4388?page=comments#action_12414704 ] 
            
Clive Saldanha commented on JBAS-4388:
--------------------------------------

Some comments on this issue:

I found a JBPAPP Jira related to this issue - http://jira.jboss.com/jira/browse/JBPAPP-327 in which the proposal for having the same domain for the two consoles was rejected.

I have also found that there is an authentication interceptor, org.jboss.jmx.connector.invoker.AuthenticationInterceptor.
More information on the above at this link: [1] http://wiki.jboss.org/wiki/en/SecureTheInvokers

Using the information from the above wiki [1] the administrator can secure the various jboss apps/servlets.

> Place all management web applications, web invokers, etc under a common context root
> ------------------------------------------------------------------------------------
>
>                 Key: JBAS-4388
>                 URL: http://jira.jboss.com/jira/browse/JBAS-4388
>             Project: JBoss Application Server
>          Issue Type: Feature Request
>      Security Level: Public(Everyone can see) 
>          Components: JMX/Web Console
>            Reporter: Jeff Schnitzer
>         Assigned To: Clive Saldanha
>
> In any enterprise environment, administrative interfaces are blocked from the public even if they require a password; administrative interfaces can only be accessed through the internal network or a SSL-secured VPN.  This means the load balancer (or whatever) must block out all the possible management/invocation web apps:
> /jmx-console
> /web-console
> /invoker
> /jbossmq-httpil
> These paths sometimes change between JBoss versions without any significant announcement, plus services are occasionally added.  This could easily result in unsecured or poorly secured (basic auth) services exposed to the public.
> Please put all JBoss-provided webapps under a base context that can easily be blocked to the public:
> /jboss/jmx-console
> /jboss/web-console
> /jboss/invoker
> /jboss/jbossmq-httpil

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
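An added example (not part of the issue text or of JBoss itself) of the edge-filter logic the report describes: a deny list of the four individual management contexts beside a single rule for the proposed `/jboss` base context, with request paths canonicalized first so percent-encoded or dot-segment variants still match. The request paths in `SAMPLE_PATHS` are constructed for illustration.

```python
from posixpath import normpath
from urllib.parse import unquote

# Management/invocation contexts named in JBAS-4388. This is the per-path
# deny list an operator has to keep in sync with every JBoss release.
LEGACY_ADMIN_CONTEXTS = ("/jmx-console", "/web-console", "/invoker", "/jbossmq-httpil")

# The common base context proposed in the issue: one rule covers all of them,
# including contexts added in a later release.
PROPOSED_BASE_CONTEXT = "/jboss"


def canonical_path(raw_path: str) -> str:
    """Reduce a request path to the form the servlet container would resolve:
    drop the query string, percent-decode (twice, for double-encoded input),
    collapse repeated slashes and resolve '.' / '..' segments."""
    path = unquote(unquote(raw_path.split("?", 1)[0]))
    path = "/" + path.lstrip("/")  # posixpath keeps a leading '//', so collapse it
    return normpath(path)


def under_context(path: str, context: str) -> bool:
    """True if path is the context itself or anything below it.
    Requires a '/' boundary so '/jmx-consoles' does not match '/jmx-console'."""
    return path == context or path.startswith(context + "/")


def is_admin_request_legacy(raw_path: str) -> bool:
    """Deny-list check as a load balancer would do it today."""
    path = canonical_path(raw_path)
    return any(under_context(path, ctx) for ctx in LEGACY_ADMIN_CONTEXTS)


def is_admin_request_base_context(raw_path: str) -> bool:
    """Single-rule check if all admin apps lived under the proposed base."""
    return under_context(canonical_path(raw_path), PROPOSED_BASE_CONTEXT)


def classify(raw_paths):
    """Map each path to (blocked by legacy list, blocked by base-context rule)."""
    return {p: (is_admin_request_legacy(p), is_admin_request_base_context(p)) for p in raw_paths}


# Constructed sample requests: an encoded name, a dot-segment variant, a
# prefix look-alike, and a hypothetical future console that only the base
# context rule would catch.
SAMPLE_PATHS = (
    "/jmx-console/HtmlAdaptor",
    "/%6Amx-console/",
    "/static/%2e%2e/invoker/",
    "/jmx-consoles",
    "/jboss/jmx-console/HtmlAdaptor",
    "/jboss/future-console",  # hypothetical context not on any deny list
)

if __name__ == "__main__":
    for path, (legacy, base) in classify(SAMPLE_PATHS).items():
        print(f"{path:35} legacy-list={legacy!s:5} base-context={base}")
```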
