Security is a nagging concern for the admin in charge of a production site. Some of JBoss's default settings are not secure at all, so please read this chapter carefully.

Use EJB security

The EJB specification provides a way to restrict access to your beans on a per-method basis, using authentication and authorization. By default, JBoss does not enforce such restrictions: every call is allowed through the container, whoever makes it. To enforce a security policy in JBoss, you have to set up a security domain, define roles, and map those roles to the bean methods they may call. For a description of EJB security in JBoss, see Chapter 9, or see the section called “JAAS Based Security in JBoss”.

Open Ports

JBoss starts a number of services by default, and each of them listens on a port. For security reasons, you might want to restrict these ports with a firewall and/or disable the corresponding services. The ports used by JBoss are shown in Table 11.1. Note that the JNDI/RMI port is anonymous (chosen at startup) unless you pin it, so a firewall rule set that only lists the fixed ports below is not complete until you have done so.

Table 11.1. Open Ports

Port       JBoss service              Configured in                   Should be open to
---------  -------------------------  ------------------------------  -----------------
1099       JNDI                       jboss.jcml                      EJB clients
           Used by clients to connect to JBoss to get the initial naming context.

Anonymous  JNDI/RMI                   jboss.jcml                      EJB clients
           Used by clients to look up the naming context. This port is configurable
           in JBoss 2.3+. To set the port in an earlier version you have to rebuild
           the server, see this message.

1476       Hypersonic DB              jboss.jcml                      DB clients
           Hypersonic is a pure Java DB included in JBoss as a sample.

4444       RMI Object Port            standardjboss.xml / jboss.xml   EJB clients
           Used by clients to connect to the server.

8082       HTML JMX adaptor           jboss.jcml                      Admin
           This is the HTML interface for dynamic administration of JBoss services.
           It allows you to start, stop and review all the MBeans in the server.
           Do not leave it open to everybody: it allows anyone who reaches it to
           deploy and undeploy applications, to view DB passwords, and even to shut
           down the server!

8083       Webserver for Java classes jboss.jcml                      EJB clients
           Allows clients to dynamically download classes from JBoss.
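As an added example of putting Table 11.1 into practice (this script is not part of the JBoss distribution or its documentation), the following shell script turns the table into a Linux iptables ruleset: each fixed port is opened only to the column "Should be open to" and dropped for everyone else, and the HTML JMX adaptor on 8082 is reachable from a single admin host. The address ranges `EJB_CLIENTS`, `ADMIN_HOST` and `DB_CLIENTS` are constructed placeholders, as are the chain name `jboss` and the function names; substitute your own networks. The anonymous JNDI/RMI port is deliberately absent: pin it in jboss.jcml first, then add a line for the value you chose.

```shell
#!/bin/sh
# Added example, not JBoss code: generate iptables rules for the ports in
# Table 11.1. Nothing is applied unless the output is piped to sh as root.

EJB_CLIENTS="10.0.1.0/24"   # assumption: subnet where the EJB clients live
ADMIN_HOST="10.0.0.5/32"    # assumption: the one admin workstation
DB_CLIENTS="127.0.0.1/32"   # assumption: Hypersonic only used locally

# One line per fixed port from Table 11.1: port, service, allowed source.
# The anonymous JNDI/RMI port is omitted; pin it in jboss.jcml (JBoss 2.3+)
# and add a line for the chosen value.
jboss_port_table() {
    cat <<EOF
1099 jndi       $EJB_CLIENTS
1476 hypersonic $DB_CLIENTS
4444 rmi-object $EJB_CLIENTS
8082 jmx-html   $ADMIN_HOST
8083 class-http $EJB_CLIENTS
EOF
}

# Print the iptables commands for a dedicated "jboss" chain: every listed
# port is accepted from its allowed source and dropped from anywhere else,
# so a service that was left running by mistake is still unreachable.
jboss_firewall_rules() {
    echo "iptables -N jboss 2>/dev/null || iptables -F jboss"
    echo "iptables -A jboss -m state --state ESTABLISHED,RELATED -j ACCEPT"
    jboss_port_table | while read -r port name src; do
        echo "iptables -A jboss -p tcp --dport $port -s $src -j ACCEPT  # $name"
        echo "iptables -A jboss -p tcp --dport $port -j DROP  # $name: everyone else"
    done
    # Hook the chain in front of whatever INPUT rules already exist.
    echo "iptables -D INPUT -j jboss 2>/dev/null; iptables -I INPUT 1 -j jboss"
}

# Helper for checking the generated policy: print the only source address
# that the rules accept for the given port.
allowed_source_for_port() {
    jboss_firewall_rules | sed -n "s/.*--dport $1 -s \([^ ]*\) .*/\1/p"
}

# Review the rules, then apply them:   sh jboss-fw.sh | sudo sh
jboss_firewall_rules
```

Run the script once to read the rules, and pipe its output to a root shell to apply them. Keep the chain-based layout: re-running the script flushes and rebuilds only the `jboss` chain, leaving the rest of your INPUT policy alone.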