- Task
- Resolution: Done
- Blocker
- EAP 5.0.0.CR4 (FCS and BETA2)
- None
- Release Notes
It seems the deploy/jmx-remoting.sar service, which instantiates a JSR-160 adapter for remote access to the JBoss MBeanServer for use with tools such as the jconsole that comes with Sun's JDK, doesn't allow this access to be secured.
So although the service binds to localhost by default, in production environments where the server will bind to a specific address, access through this JSR-160 adapter becomes a security risk. In those cases the adapter should be disabled by undeploying/moving the whole deploy/jmx-remoting.sar directory.
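
One way to apply the workaround described above to every server profile, as an added example that is not part of the original issue or of JBoss's own tooling. It assumes the `<JBOSS_HOME>/server/<profile>/deploy` layout; the function names and the `undeployed` directory name are hypothetical.

```shell
#!/bin/sh
# Added example. Assumes the layout <JBOSS_HOME>/server/<profile>/deploy.

# Print the name of every server profile under $1 that still deploys jmx-remoting.sar.
list_jmx_remoting() {
    for sar in "$1"/server/*/deploy/jmx-remoting.sar; do
        # An unmatched glob stays literal, so confirm the entry really exists.
        [ -e "$sar" ] || continue
        profile=${sar%/deploy/jmx-remoting.sar}
        printf '%s\n' "${profile##*/}"
    done
}

# Move jmx-remoting.sar out of deploy/ for profile $2 under JBoss home $1.
# Returns 0 if moved, 1 if it was not deployed, 2 if a parked copy already exists.
disable_jmx_remoting() {
    profile_dir="$1/server/$2"
    sar="$profile_dir/deploy/jmx-remoting.sar"
    parked="$profile_dir/undeployed"   # hypothetical directory name, outside deploy/
    [ -e "$sar" ] || return 1
    [ ! -e "$parked/jmx-remoting.sar" ] || return 2   # never overwrite an earlier copy
    mkdir -p "$parked" && mv "$sar" "$parked/"
}

# Constructed demo: build a throwaway tree with three profiles, two of which
# deploy the adapter, disable it everywhere, then confirm nothing is left.
demo() {
    home=$(mktemp -d)
    mkdir -p "$home/server/default/deploy/jmx-remoting.sar/META-INF" \
             "$home/server/all/deploy/jmx-remoting.sar/META-INF" \
             "$home/server/minimal/deploy"
    for p in $(list_jmx_remoting "$home"); do
        disable_jmx_remoting "$home" "$p" && echo "disabled in profile: $p"
    done
    remaining=$(list_jmx_remoting "$home")
    rm -rf "$home"
    [ -z "$remaining" ]
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Running `list_jmx_remoting "$JBOSS_HOME"` again after the move should print nothing; any profile it still names has the adapter deployed.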