For development it was good enough to have JBoss be bound to localhost.
Now at the production setup it must be reachable from somewhere else.
So I bind JBoss at startup to the server's public network interface eth0.
But now its doors are wide open.
I read the article http://www.jayson.in/programming/how-to-configure-jboss-as-production-settings-and-tuning-tips.html.
I removed the home page server, jmx console, web console, uuid generator, http invoker, mail service and monitoring service.
I think I don't have to secure what doesn't exist.
But there is an important point I wasn't able to solve: JNDI
What about JNDI? I found some tips like "change default port" but that isn't security as I understand.
Everybody is able to call his local shutdown script with my IP (and port) and my server will shut down .. :(
I don't need JNDI to listen to remote hosts.
JNDI is used for local tasks only.
The only communication with remote hosts is that a remote host must be able to call a servlet at port 8080.
This servlet will raise some EJB calls ... and so on.
So how do I get JNDI to listen only to calls from localhost?
Or how to secure it using username/password?
Or other standard methods?
Unfortunately I wasn't able to find the right information.
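As an added illustration (not part of the question above, and not configuration taken from the questioner's server): in JBoss AS 4.x the naming service is an MBean declared in `server/<config>/conf/jboss-service.xml`, and its `BindAddress` / `RmiBindAddress` attributes are normally set to `${jboss.bind.address}`, i.e. whatever `-b` was passed at startup. Pinning those two attributes to `127.0.0.1` keeps the JNDI listener (port 1099) and its RMI listener (port 1098) on loopback while the web connector, which still uses `${jboss.bind.address}`, stays reachable on eth0 at 8080. The attribute names and ports below are the JBoss 4.x defaults as I know them; verify them against your own `jboss-service.xml` before editing, since other versions lay this file out differently.

```xml
<!-- Excerpt from server/<config>/conf/jboss-service.xml (JBoss AS 4.x layout, assumed).
     Only the two bind-address attributes are changed; everything else is left as shipped. -->
<mbean code="org.jboss.naming.NamingService"
       name="jboss:service=Naming"
       xmbean-dd="resource:xmdesc/NamingService-xmbean.xml">
  <attribute name="CallByValue">false</attribute>

  <!-- JNDI bootstrap listener: was ${jboss.bind.address}, now loopback only -->
  <attribute name="Port">1099</attribute>
  <attribute name="BindAddress">127.0.0.1</attribute>

  <!-- RMI port used by the naming stub: also loopback only -->
  <attribute name="RmiPort">1098</attribute>
  <attribute name="RmiBindAddress">127.0.0.1</attribute>

  <!-- Remaining attributes unchanged from the stock file -->
  <depends optional-attribute-name="LookupPool" proxy-type="attribute">jboss.system:service=ThreadPool</depends>
</mbean>
```

After restarting, confirm the result from the server itself with `netstat -ltn` (or `ss -ltn`): 1098 and 1099 should show `127.0.0.1:` as the local address and only 8080 should be listed on the eth0 address. Local EJB lookups and the stock `shutdown.sh` still work because they connect to localhost; a remote `shutdown.sh` pointed at your IP can no longer reach the naming port. Treat this as defence in depth rather than a replacement for a host firewall that also drops inbound 1098/1099 on eth0.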