Usually security teams are concerned when server applications open ports that are accessible from other PCs. With JBoss AS 4.2.x, it opens ports but binds to localhost. Thus only users on the same desktop PC have access to the app server.

If you are running a 4.0.x version, you can always bind to localhost by running as:

./run.sh -b 127.0.0.1

If this issue of accessible ports is not what concerns the security team, I would be interested in knowing what the issue is.

I do not see how a worm could propagate through the JBoss app servers if those app server are not opening ports accessible by remote hosts. You cannot get at the app server if it does not provide you with an opening. By binding to localhost, the app server could be considered just another desktop application. Heck, any application can send traffic out to the network, that's what outbound firewalls are for (and why Windows Firewall is a joke), to stop such traffic.

I do not see why they could not shutdown and patch your desktops if the JBoss app server is running. I think they are confusing production machines with desktop development machines. If your desktop reboots to apply a patch, who cares that the app server is down? Only you. But then your whole desktop rebooted so it is not like you could do anything anyway.

One solution that we implemented was to take offending machines and place then on a private network. Several of our machines could not be upgraded to meet corporate security requirements for various reasons, so we placed them all on a separate network with their own routers, etc. We then took a "corporate approved" machine on the corporate network, added in a second NIC and connected that NIC to the private network. To gain remote access to a machine on the private network, we remote desktop (or VNC) to the "bridge" machine, and from there remote desktop (or VNC) to the desired machine.

I think in your situation I would ask for a second desktop (most places have older PCs sitting around), hook the second desktop to the corporate network to do email, etc. Then take my primary desktop off the network and do my development work in peace. If several people in your group are in the same situation, you could network all of the development PCs and perhaps get another PC to host the database. You could even use that PC as the "bridge" to the corporate network.

We do the same as PeterJ mentioned in the last paragraph.

Our environment is an extremely secured area and network. Therefore they gave us a separate pc to go on the the secured network to view email within the corporate environment.

Our development PCs are on a separate isolated network with each of our own JBoss sandbox. We need our individual sandboxes to develop in, till we were able to interface our platform developments together. If we didn't we would be stepping on one anothers processes before we were ready to interface.

Ah, one more thing. That PC they gave me for my secured email, after 1 year I told them to get rid of it out of my cubicle and they did. I believe, if the only function of a PC is to run my email and produce nothing at the end of the day like my development machines do, it wasn't worth to keep.

That machine was so secured with software and hardware (and I could not even admin that PC for basic maintenance). I would come in every morning and see it on because the network admins ran remote scans and updates nightly. No wonder it burned up 2 hard drives. As far as my development PCs (two of them), they have ran great for 4 years no problems.:)

They took out that PC, 1 month ago when they noticed I had unplugged it and had it plastered it with post-its and taped class diagram pages on its PC monitor. I couldn't use the monitor for my other PCs because it was a security violation. Go figure.

Now I read my email at home with better security then I had at work.

adldev - ROTFLOL! Your story is a classic, thanks for brightening my day.