It is possible to retrieve certain files such as the web.xml because of some security holes on port 8083. JBoss uses the latter for its internal web service (class loading). For example, a URL like this one gets the web.xml file.
Is there a way to disable the JBoss web service? All we need JBoss for is as an EJB container and persistence manager, with some entity beans whose methods are being remotely invoked upon through an HTTP RDF protocol. We have this in the jboss-service.xml:
    <mbean code="org.jboss.web.WebService" name="jboss:service=WebService">
      <attribute name="Port">8083</attribute>
      <attribute name="BindAddress">..IP address..</attribute>
      <!-- Should resources and non-EJB classes be downloadable -->
      <attribute name="DownloadServerClasses">true</attribute>
    </mbean>
Either set DownloadServerClasses to only allow downloading of EJB classes:
or remove the service from the conf/jboss-service.xml altogether as it's not needed.
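As an added illustration (not code from the original question or answer), the mbean from the question rewritten with the hardened setting. The port is the one named on the page; the bind address is a placeholder standing in for whichever interface the EJB clients actually reach:

```xml
<!-- WebService mbean with resource download disabled.
     With DownloadServerClasses=false the class-loading service on port 8083
     serves only EJB classes; resources such as web.xml and non-EJB classes
     are refused. -->
<mbean code="org.jboss.web.WebService" name="jboss:service=WebService">
  <attribute name="Port">8083</attribute>
  <!-- placeholder: bind only to the interface the EJB clients use, not 0.0.0.0 -->
  <attribute name="BindAddress">127.0.0.1</attribute>
  <!-- Should resources and non-EJB classes be downloadable: no -->
  <attribute name="DownloadServerClasses">false</attribute>
</mbean>
```

If the deployment never relies on dynamic class download at all (the case the question describes: an EJB container and persistence manager only), the second option in the answer is the simpler one: delete this whole `<mbean>` element from conf/jboss-service.xml and restart. Either way, confirm the change by checking that the URL that previously returned web.xml now fails and, if the mbean was removed, that nothing is listening on port 8083 any more.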