I could justify posting this in more then one forum but this seems the closest one

I inherited the following setup. It is going into production so minimal change is desired.

JBOSS3.0.0_tomcat_4.0.3

The embedded Tomcat is not used (doesn't start up)

The JBOSS has been "customised" and the people who did this did not document the changes they made to the various configuration files other than via emails exchanged before I arrived

Back end database Oracle

When I start jboss on its own I can point my browser at

http://localhost:8082/jmx-console

and get the agent view

I have been asked to enable password protection of this URL. So far I have failed to do so

There is no jmx-console.war

So what do I change, assuming the files are still there?

I installed a separate vanilla JBOSS and simply changing the web.xml file in the jmx-console.war file seemed to get me a long way but I don't have this option in the version I am using.

1) Is this process documented in the free documentation?
(We ordered some JBOSS books and I think a
subscription but it will take weeks to arrive)

2) If not what do I need to change to enable password protection or restrict access in other ways ( e.g restricting acces to a set of specified hostnames or urls)

3) Should this not be enabled by default as peopls here think this is a security weakness - anybody can see what our JBOSS is running - and I am inclined to agree with them