2 Replies Latest reply on Aug 11, 2006 4:01 AM by pilhuhn

    Disabling or Securing the Tomcat Status page in the JMX-Cons

    scottlance

      Is there a way to Disable or Secure the Tomcat Status page in the JMX-Console? It contains sensitive data that we don't want outsiders that may happen upon the page to see.

      I've already secured the JMX Console link and the JBoss Web Console link but can't find any information on the Tomcat status page.


      Thanks in advance,

      Scott Lance
      Interchange Corp

        • 1. Re: Disabling or Securing the Tomcat Status page in the JMX-
          peterj

          You could edit the file server/xxx/deploy/jbossweb-tomcat55.sar/ROOT.war/index.html to remove the link. But someone could still access the servlet if they know the URL. Another possibility is to edit the server/xxx/deploy/jbossweb-tomcat55.sar/ROOT.war/WEB-INF/web.xml file and remove the servlet and servlet-mapping entries.

          The other possibility is to secure the /status context by adding a security-constraint entry to the above web.xml file.
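
The security-constraint approach from the reply above, as an added example that is not part of the original thread or of the JBoss distribution. It assumes the status servlet is mapped at /status, and that the role name JBossAdmin and the security domain java:/jaas/jmx-console are the ones already used to secure the JMX Console; substitute your own values if they differ.

```xml
<!-- File 1: server/xxx/deploy/jbossweb-tomcat55.sar/ROOT.war/WEB-INF/web.xml
     Place these elements after the existing servlet-mapping entries. -->

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Tomcat status servlet</web-resource-name>
    <!-- Assumed mapping of the status servlet; cover the bare path and sub-paths -->
    <url-pattern>/status</url-pattern>
    <url-pattern>/status/*</url-pattern>
    <!-- No http-method elements on purpose: listing only GET and POST would
         leave the other HTTP methods unconstrained -->
  </web-resource-collection>
  <auth-constraint>
    <!-- Assumed role name; must match a role granted to the admin user -->
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Tomcat Status</realm-name>
</login-config>

<security-role>
  <role-name>JBossAdmin</role-name>
</security-role>

<!-- File 2: server/xxx/deploy/jbossweb-tomcat55.sar/ROOT.war/WEB-INF/jboss-web.xml
     Create this file if it does not exist. Without a security domain the
     constraint above has no login module to authenticate against. -->

<jboss-web>
  <!-- Assumed domain name; reuse the one that backs your secured JMX Console -->
  <security-domain>java:/jaas/jmx-console</security-domain>
</jboss-web>
```

After redeploying, an unauthenticated request to /status should return 401 instead of the status page. BASIC authentication sends credentials only base64-encoded, so serve the page over HTTPS.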

          • 2. Re: Disabling or Securing the Tomcat Status page in the JMX-
            pilhuhn

            Just completely throw out ROOT.war.

            Btw.: the web-console will - if not secured - also show you at least all mbeans with all attributes. This is hidden in the management/ folder.