[jboss-jira] [JBoss JIRA] Commented: (JBAS-4388) Place all management web applications, web invokers, etc under a common context root

Jeff Schnitzer (JIRA) jira-events at lists.jboss.org
Wed May 28 18:19:02 EDT 2008 

    [ http://jira.jboss.com/jira/browse/JBAS-4388?page=comments#action_12414706 ] 
            
Jeff Schnitzer commented on JBAS-4388:
--------------------------------------

JBPAPP-327 is not related to this issue.  JBPAPP-327 concerns security domains.  This issue concerns the web context root of current and future administrative services.

SecureTheInvokers does not resolve the issue.  Placing an authentication requirement on the invokers, console, etc does not prevent dictionary or brute force attacks, or abuse from leaked passwords or ex-employees.  In my experience, most major enterprise environments have policies that prohibit public access to administrative login interfaces.  All such interfaces are only accessible from the private network, requiring VPN access (usually with two-factor authentication) from remote sources.

> Place all management web applications, web invokers, etc under a common context root
> ------------------------------------------------------------------------------------
>
>                 Key: JBAS-4388
>                 URL: http://jira.jboss.com/jira/browse/JBAS-4388
>             Project: JBoss Application Server
>          Issue Type: Feature Request
>      Security Level: Public(Everyone can see) 
>          Components: JMX/Web Console
>            Reporter: Jeff Schnitzer
>         Assigned To: Clive Saldanha
>
> In any enterprise environment, administrative interfaces are blocked from the public even if they require a password; administrative interfaces can only be accessed through the internal network or a SSL-secured VPN.  This means the load balancer (or whatever) must block out all the possible management/invocation web apps:
> /jmx-console
> /web-console
> /invoker
> /jbossmq-httpil
> These paths sometimes change between JBoss versions without any significant announcement, plus services are occasionally added.  This could easily result in unsecured or poorly secured (basic auth) services exposed to the public.
> Please put all JBoss-provided webapps under a base context that can easily be blocked to the public:
> /jboss/jmx-console
> /jboss/web-console
> /jboss/invoker
> /jboss/jbossmq-httpil

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list