3.8 JBoss-specific security recommendations

This section contains application server configuration recommendations that are specific to JBoss 4.2.x when used to run LiveCycle.

3.8.1 Disable JBoss Management Console and JMX Console

Access to the JBoss Management Console and JMX Console is already configured (JMX monitoring is disabled) when you install LiveCycle on JBoss by using the turnkey installation method. If you are using your own JBoss Application Server, ensure that access to both the JBoss Management Console and the JMX monitoring console is secured. Access to the JMX monitoring console is set in the JBoss configuration file called jmx-invoker-service.xml.

3.8.2 Disable directory browsing

After logging in to the Administration Console, it is possible to browse the console's directory listing by modifying the URL. For example, if you change the URL to one of the following URLs, a directory listing may appear:

http://<servername>:8080/adminui/secured/ 
http://<servername>:8080/um/

To disable the directory listing, set the listings initialization parameter of the DefaultServlet to false in the [JBoss root]\server\default\deploy\jbossweb-tomcatxxx.sar\conf\web.xml file, as shown in this example:

<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>
        org.apache.catalina.servlets.DefaultServlet
    </servlet-class>
    <init-param>
        <param-name>listings</param-name>
        <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
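A small audit script for the setting above, added here as an example (it is not Adobe or JBoss code). It parses a web.xml, finds the servlet declaration whose class is org.apache.catalina.servlets.DefaultServlet, and reports the effective value of its listings parameter, so an administrator can verify the hardening on a copy of the deployed file rather than by browsing URLs. The embedded web.xml fragments are constructed samples; the script assumes the servlet element layout shown on this page and relies on Tomcat's documented behaviour that a missing listings parameter means false.

```python
"""Check a JBoss/Tomcat web.xml for directory listing on the DefaultServlet.

Added example, not part of the LiveCycle or JBoss distribution. Assumes the
servlet/servlet-class/init-param layout shown in the hardening guide.
"""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"


def _local(tag):
    """Strip an XML namespace prefix ({uri}name -> name) so namespaced
    and un-namespaced web.xml files are handled the same way."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_listings(web_xml_text):
    """Return the effective 'listings' value ('true' or 'false') of the
    DefaultServlet declaration, or None if no DefaultServlet is declared.
    A missing parameter is reported as 'false', Tomcat's documented default."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        servlet_class = None
        params = {}
        for child in servlet:
            name = _local(child.tag)
            if name == "servlet-class":
                # The guide's example wraps the class name in whitespace.
                servlet_class = (child.text or "").strip()
            elif name == "init-param":
                pname = pval = None
                for p in child:
                    if _local(p.tag) == "param-name":
                        pname = (p.text or "").strip()
                    elif _local(p.tag) == "param-value":
                        pval = (p.text or "").strip()
                if pname is not None:
                    params[pname] = pval
        if servlet_class == DEFAULT_SERVLET_CLASS:
            return (params.get("listings") or "false").lower()
    return None


def directory_listing_enabled(web_xml_text):
    """True only when DefaultServlet explicitly sets listings=true."""
    return default_servlet_listings(web_xml_text) == "true"


# Constructed sample: the weak setting an auditor is looking for.
WEB_XML_LISTINGS_ON = """<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>
        org.apache.catalina.servlets.DefaultServlet
    </servlet-class>
    <init-param>
      <param-name>listings</param-name><param-value>true</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>"""

# Constructed sample: the hardened form recommended by the guide.
WEB_XML_HARDENED = WEB_XML_LISTINGS_ON.replace(
    "<param-value>true</param-value>", "<param-value>false</param-value>")

# Constructed sample: a web.xml that declares no DefaultServlet at all.
WEB_XML_NO_DEFAULT = """<web-app>
  <servlet>
    <servlet-name>other</servlet-name>
    <servlet-class>com.example.OtherServlet</servlet-class>
  </servlet>
</web-app>"""


if __name__ == "__main__":
    import sys
    # Usage: python check_listings.py /path/to/web.xml
    # With no argument, the constructed samples are checked instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
        print("listings =", default_servlet_listings(text))
    else:
        for label, sample in (("weak", WEB_XML_LISTINGS_ON),
                              ("hardened", WEB_XML_HARDENED),
                              ("no DefaultServlet", WEB_XML_NO_DEFAULT)):
            print(f"{label}: listings = {default_servlet_listings(sample)}")
```

Run it against the deployed conf/web.xml after the change; a result of "false" (or an explicit false parameter) is what the recommendation above requires, and "true" means the directory listing described earlier is still reachable.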
