> Why is it that neither the web-console (nor the jmx-console) are behind a username/password authentication, and thus a JBoss appserver is open for being managed (attacked) from by default? Wouldn't it be better to have it the other way around?
> How can I secure the web-console? I did it for the but since the web-console comes in a single war file it's a little bit more work (which I would have to do for a list of JBoss servers in our environment). Is there an easier way than securing and repacking it?
No. Plus you need to secure the applet separately from the servlets. Sacha was hacking this a while back but I don't know if he ever came to an adequate solution.
Anyone come up with a solution for this? It would be odd for a "production ready" JBoss application server to be remotely exploitable just by installing it.
All distros are open in several ways, if you don't want the web-console, just remove the WAR.
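For anyone taking the "secure and repack" route mentioned above, this is an added illustration (not from the thread or the JBoss project) of the two descriptors you would edit inside the web-console WAR's WEB-INF before repacking it: a servlet-spec security-constraint in web.xml that puts every URL behind BASIC authentication, and a jboss-web.xml that binds the WAR to a JAAS security domain. The role name `JBossAdmin` and the domain `java:/jaas/jmx-console` are assumptions (they mirror the defaults shipped for the jmx-console); the users and roles behind that domain must exist in the matching login-config.xml entry, and this covers the servlets only, not the applet noted earlier in the thread.

```xml
<!-- WEB-INF/web.xml (fragment added inside the existing <web-app> element) -->
<!-- Every path in the WAR requires an authenticated caller holding the role. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>WebConsole</web-resource-name>
    <description>All console servlets and pages</description>
    <url-pattern>/*</url-pattern>
    <!-- No <http-method> elements: the constraint applies to every HTTP method,
         so an unlisted verb cannot bypass it. -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>   <!-- assumed role name -->
  </auth-constraint>
  <user-data-constraint>
    <!-- Ask for TLS so the BASIC credentials are not sent in clear text. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>JBoss Web Console</realm-name>
</login-config>

<security-role>
  <role-name>JBossAdmin</role-name>
</security-role>

<!-- WEB-INF/jboss-web.xml: ties the WAR to the JAAS domain whose users and
     roles are defined in conf/login-config.xml (domain name assumed). -->
<jboss-web>
  <security-domain>java:/jaas/jmx-console</security-domain>
</jboss-web>
```

After repacking, confirm the change by requesting any console URL without credentials and checking that the server answers with a 401 rather than the page; on a TLS-only connector the `CONFIDENTIAL` guarantee should redirect plain HTTP to HTTPS first.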