-
1. Re: web-console authentication
juhalindfors Sep 2, 2003 3:31 AM (in response to raphael)
> why is it that neither the web-console (nor the jmx-console) are
> behind a username/password authentication and thus a JBoss
> appserver is open for being managed (attacked) from outside
> by default? Wouldn't it be better to have it the other way around?
Yes.
>
> How can I secure the web-console? I did it for the jmx-console
> but since the web-console comes in a single war file it's a little
> bit more work (which I would have to do for a list of JBoss servers
> in our environment). Is there an easier way than unpacking,
> securing and repacking it?
No. Plus you need to secure the applet separately from the servlets. Sacha was hacking this a while back but I don't know if he ever came to an adequate solution.
-- juha
-
2. Re: web-console authentication
gregorypierce Nov 17, 2003 12:31 PM (in response to raphael)
Anyone come up with a solution for this? It would be odd for a "production ready" JBoss application server to be remotely exploitable just by installing it.
-
3. Re: web-console authentication
juha Nov 19, 2003 4:24 AM (in response to raphael)
?
All distros are open in several ways, if you don't want the web-console, just remove the WAR.
-- Juha
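
An added example, not part of the thread and not JBoss code: when the unpack, secure and repack step discussed above has to be repeated across a list of servers, a script like this can check each WAR's WEB-INF/web.xml for servlet mappings that no auth-constraint covers. The sample descriptors and their servlet paths are constructed and hypothetical, not the web-console's own.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

def _find(elem, name):
    # Match on local name so DTD-era and namespaced web.xml both work.
    return [c for c in elem.iter() if c.tag.rsplit("}", 1)[-1] == name]

def _covers(protected, path):
    # Servlet-spec style match: exact, '/*', or '/prefix/*'.
    if protected in ("/*", path):
        return True
    return protected.endswith("/*") and (path + "/").startswith(protected[:-1])

def audit_war(war_bytes):
    # Report servlet mappings in a WAR that no auth-constraint covers.
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        root = ET.fromstring(war.read("WEB-INF/web.xml"))
    protected = [(p.text or "").strip()
                 for sc in _find(root, "security-constraint")
                 if _find(sc, "auth-constraint")
                 for p in _find(sc, "url-pattern")]
    mapped = [(p.text or "").strip() for sm in _find(root, "servlet-mapping")
              for p in _find(sm, "url-pattern")]
    return {
        "login_config": bool(_find(root, "login-config")),
        # Only '/*' also covers static content such as an applet's files.
        "covers_all_paths": "/*" in protected,
        "unprotected": [m for m in mapped if not any(_covers(p, m) for p in protected)],
    }

def make_war(web_xml):
    # Build a constructed in-memory WAR holding only WEB-INF/web.xml.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", web_xml)
    return buf.getvalue()

# Constructed samples; servlet paths are hypothetical, not the web-console's.
OPEN_XML = """<web-app>
<servlet-mapping><servlet-name>a</servlet-name><url-pattern>/status</url-pattern></servlet-mapping>
<servlet-mapping><servlet-name>b</servlet-name><url-pattern>/invoke/*</url-pattern></servlet-mapping>
</web-app>"""
PARTIAL_XML = OPEN_XML.replace("</web-app>", """<security-constraint>
<web-resource-collection><url-pattern>/invoke/*</url-pattern></web-resource-collection>
<auth-constraint><role-name>admin</role-name></auth-constraint></security-constraint>
<login-config><auth-method>BASIC</auth-method></login-config></web-app>""")

if __name__ == "__main__":
    print(audit_war(make_war(PARTIAL_XML)))
```

A constraint on the servlet paths alone leaves `covers_all_paths` false, which is the case where static content in the same WAR still needs its own protection.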