4 Replies Latest reply on Mar 28, 2002 6:08 AM by mredeker

    Securing the jmx management interface

    panyel

      Hi
      I am trying to secure the JMX management console on port 8082. Ideally I would like user name/pwd authentication for this and also to show only the necessary MBeans. Any suggestions?
      thanks

        • 1. Re: Securing the jmx management interface

          The MBean interface for Sun's adaptor includes something
          for http security.
          This isn't very secure.
          I don't know how to configure it; I haven't investigated. :-(

          I've considered writing a .ear with a JSP/SSL front-end
          over our ejb adaptor to give a more secure approach.
          I haven't got around to it yet.
          My other motivation is to use this project to learn JSP :-)

          Regards,
          Adrian

          • 2. Re: Securing the jmx management interface
            jetpen

            Without a mechanism to secure the admin console, the entire application server is wide open to exploits. This is a pretty serious problem.

            Is there no way of addressing this today, short of completely disabling the "Adaptor:name=html" MBean?

            • 3. Re: Securing the jmx management interface

              The mechanism Adrian was referring to is mentioned in the javadoc of Sun's HTTP Adaptor.

              The HtmlAdaptorServer can perform user authentication. The add/remove user authentication info methods can be used to manage users and their corresponding authentication information. The HTML server uses the 'Basic Authentication Scheme' (as defined in RFC 1945, section 11.1) to authenticate clients connecting to the server.


              public void addUserAuthenticationInfo(AuthInfo authinfo)
              Adds the authentication information of the user to be authenticated by this server. In order to populate the list of users supported by this server, invoke this method for each user you want to add. If the user already exists, then update his authentication information.


              And as he said, it isn't terribly secure, so I would still recommend it only to be used from within a firewall that blocks outsiders trying to get to port 8082.
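
An added example, not part of the original thread and not Sun's or JBoss's own code: one way to register the HtmlAdaptorServer with the authentication described in reply 3 turned on. The class name `SecuredHtmlAdaptor` and the `jmx.html.user` / `jmx.html.password` property names are assumptions; the port and the `Adaptor:name=html` object name are the ones mentioned in this thread.

```java
import javax.management.MBeanServer;
import javax.management.MBeanServerFactory;
import javax.management.ObjectName;

import com.sun.jdmk.comm.AuthInfo;
import com.sun.jdmk.comm.HtmlAdaptorServer;

// Hypothetical class name; needs Sun's jmxtools.jar (com.sun.jdmk.comm) on the classpath.
public class SecuredHtmlAdaptor {

    public static HtmlAdaptorServer start(MBeanServer server, int port,
                                          String user, String password) throws Exception {
        // Fail closed: never expose the console when no credentials are configured.
        if (user == null || user.length() == 0
                || password == null || password.length() == 0) {
            throw new IllegalArgumentException("HTML adaptor credentials are not configured");
        }

        HtmlAdaptorServer adaptor = new HtmlAdaptorServer(port);
        // Call once per user; calling again for the same login updates that user's entry.
        adaptor.addUserAuthenticationInfo(new AuthInfo(user, password));

        // The adaptor only asks for Basic authentication when its user list is non-empty.
        if (!adaptor.isAuthenticationOn()) {
            throw new IllegalStateException("authentication is not enabled on the adaptor");
        }

        server.registerMBean(adaptor, new ObjectName("Adaptor:name=html"));
        adaptor.start();
        return adaptor;
    }

    public static void main(String[] args) throws Exception {
        // Assumed property names; credentials are supplied at launch, not compiled in.
        String user = System.getProperty("jmx.html.user");
        String password = System.getProperty("jmx.html.password");

        MBeanServer server = MBeanServerFactory.createMBeanServer();
        start(server, 8082, user, password);
    }
}
```

Basic authentication only base64-encodes the login and password on the wire, so the firewall restriction on port 8082 recommended above still applies with this in place.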

              • 4. Re: Securing the jmx management interface
                mredeker

                I created an MBean which registers the Sun JmxHtmlAdaptor with security turned on.

                You can find mine as a patch in SourceForge:

                http://sourceforge.net/tracker/?func=detail&atid=376687&aid=533737&group_id=22866

                --Marcus