We're running JBoss 3.2.1 and we've just discovered that http://server:8083/WEB-INF./web.xml allows viewing of the web.xml under jboss-net.sar/jboss-net.war.
We're using web services, so removing the .sar is not an option. Is there a way we can restrict access to port 8083 otherwise?
Any help will be much appreciated.
Close 8083 with a firewall. There used to be a bug with the 8083 web service that you could not remove it; I don't know if it's fixed or not. In most cases you should always block 8083 on production systems (or at least make sure it only serves EJB resources, not all server resources).
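
The firewall approach suggested in the reply above, sketched as an added example that is not part of the original thread: a script that prints iptables rules limiting TCP 8083 to named client addresses. It assumes a Linux host with iptables; the chain name `JBOSS_8083` is hypothetical and the client addresses are constructed documentation ranges.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a Linux host with iptables.
PORT=8083            # port named in the thread
CHAIN=JBOSS_8083     # hypothetical chain name

# Print the iptables commands that limit $PORT to the given IPv4 sources.
# With no arguments, only loopback can reach the port.
build_rules() {
    for src in "$@"; do
        # Refuse anything containing characters other than digits, dots and
        # a slash, so a typo or stray shell syntax never reaches a rule.
        case "$src" in
            ""|*[!0-9./]*) echo "invalid source: $src" >&2; return 1 ;;
        esac
    done
    echo "iptables -N $CHAIN"
    echo "iptables -A $CHAIN -i lo -j ACCEPT"
    for src in "$@"; do
        echo "iptables -A $CHAIN -s $src -j ACCEPT"
    done
    # Log refused connections (rate-limited), then drop them.
    echo "iptables -A $CHAIN -m limit --limit 6/min -j LOG --log-prefix jboss8083-drop"
    echo "iptables -A $CHAIN -j DROP"
    # Hook the chain into INPUT last, once it is complete.
    echo "iptables -I INPUT -p tcp --dport $PORT -j $CHAIN"
}

# Dry run with constructed client addresses (RFC 5737 documentation ranges).
build_rules 192.0.2.10 198.51.100.0/24
```

The script only prints the commands; after review they can be piped to a root shell. A second run fails at `iptables -N` because the chain already exists.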