Security is a nagging concern for the admin in charge of a production site. Some of JBoss's default settings are not secure at all, so please read carefully.
The EJB specification provides the possibility to restrict access to your beans on a per-method basis, using authentication and authorization. By default, JBoss does not enforce such restrictions, and any call is allowed through the container. To enforce a security policy in JBoss, you have to set up a security domain, define roles, and so on. For a description of EJB security in JBoss, see Chapter 9, JBossSX Security Extension Framework, or see the section called “JAAS Based Security in JBoss”.
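The per-method restriction described above is declared in the standard deployment descriptors. The following is an added example, not taken from the JBoss documentation: a hypothetical `AccountBean` whose business methods are granted only to the `banker` role, with one administrative method denied to everyone, and a `jboss.xml` that binds the deployment to an assumed security domain `java:/jaas/example-domain` (that domain must already be defined in the server's JAAS login configuration; `exclude-list` requires an EJB 2.0 descriptor).

```xml
<!-- ejb-jar.xml (added example): names are hypothetical -->
<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>AccountBean</ejb-name>
      <home>example.AccountHome</home>
      <remote>example.Account</remote>
      <ejb-class>example.AccountBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role>
      <role-name>banker</role-name>
    </security-role>
    <!-- Grant explicitly per method rather than "*" so a newly added
         method is not exposed by accident -->
    <method-permission>
      <role-name>banker</role-name>
      <method>
        <ejb-name>AccountBean</ejb-name>
        <method-name>getBalance</method-name>
      </method>
      <method>
        <ejb-name>AccountBean</ejb-name>
        <method-name>transfer</method-name>
      </method>
    </method-permission>
    <!-- Methods listed here cannot be invoked by any caller -->
    <exclude-list>
      <method>
        <ejb-name>AccountBean</ejb-name>
        <method-name>resetAll</method-name>
      </method>
    </exclude-list>
  </assembly-descriptor>
</ejb-jar>

<!-- jboss.xml (added example): the security-domain name is assumed and
     must match a domain configured in the server's JAAS login config -->
<jboss>
  <security-domain>java:/jaas/example-domain</security-domain>
  <enterprise-beans>
    <session>
      <ejb-name>AccountBean</ejb-name>
      <jndi-name>ejb/example/Account</jndi-name>
    </session>
  </enterprise-beans>
</jboss>
```

Without the `security-domain` element in `jboss.xml`, the `method-permission` entries are not enforced and the default allow-everything behaviour described above remains in effect.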
JBoss starts a number of services by default, which listen on a number of ports. For security reasons, you might want to firewall these ports and/or to close the corresponding services. The ports used by JBoss are shown in Table 10.1.
Port Number | JBoss service | Configured in | Description | Should be open to
---|---|---|---|---
1099 | JNDI | jboss.jcml | Used by clients to connect to JBoss to get the initial naming context. | EJB clients
Anonymous | JNDI/RMI | jboss.jcml | Used by clients to look up the naming context. This port is configurable in JBoss 2.3+. To set the port in an earlier version you have to rebuild the server, see this message. | EJB clients
1476 | Hypersonic DB | jboss.jcml | Hypersonic is a pure Java DB included in JBoss as a sample. | DB clients
4444 | RMI Object Port | standardjboss.xml / jboss.xml | Used for clients to connect to the server. | EJB clients
8082 | HTML JMX adaptor | jboss.jcml | This is the HTML interface for dynamic administration of JBoss services. It allows you to start, stop and review all the MBeans in the server. Don't leave it open to anybody, since it allows people to deploy/undeploy applications, to view DB passwords, and even to shut down the server! | Admin
8083 | Webserver for Java Classes | jboss.jcml | Allows clients to dynamically download classes from JBoss. | EJB clients