| Summary: | SOA-Platform Port 8083, serving all deployed classes | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [JBoss] JBoss Enterprise SOA Platform 4 | Reporter: | Marc Schoenefeld <mschoene> | ||||
| Component: | EAP | Assignee: | Mike Brock <cbrock> | ||||
| Status: | CLOSED NEXTRELEASE | QA Contact: | |||||
| Severity: | high | Docs Contact: | |||||
| Priority: | high | ||||||
| Version: | 4.2 IR5 | CC: | jwulf, rruss | ||||
| Target Milestone: | --- | ||||||
| Target Release: | 4.2 CP01 | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| URL: | http://jira.jboss.org/jira/browse/SOA-131 | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: |
10:17:26,761 INFO [Server] Starting JBoss (MX MicroKernel)...
10:17:26,773 INFO [Server] Release ID: JBoss [EAP] 4.3.0.GA (build: SVNTag=JBPAPP_4_3_0_GA date=200710252032)
Linux mschoene.csb 2.6.18-8.1.8.el5 #1 SMP Mon Jun 25 17:06:19 EDT 2007 i686 i686 i386 GNU/Linux
|
|||||
| Last Closed: | 2008-04-10 12:11:12 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Bug Depends On: | |||||||
| Bug Blocks: | 777593 | ||||||
| Attachments: |
|
||||||
|
Description
Marc Schoenefeld
2007-11-12 14:36:46 UTC
Link: Added: This issue is related to JBAS-4540 This is ultimately a non-issue, because the server does not respond to non-local requests, regardless of the binding address. Link: Added: This issue is a dependency of SOA-101 I'm just not sure we can possibly secure this out of the box. Certainly, RMI is one of ESB's supported endpoint protocols, and I don't see how we can possibly automatically limit serving the classes across the wire, just based on whatever business classes are present. That would seem to me, to be something that could only be accomplished programmatically from ESB itself (if possible at all). It would seem to me that this would have to be something that is documented in the platform documentation, for informing the client on how to secure the server after deploying their projects. This is fixed in the production config. Port 8083 still listens, but will only serve deployed EJB remote interfaces by default. However, this webserver does not throw 404 errors, but rather returns blank content for requests where there is no class found, and this should be understood in testing. Link: Added: This issue is related to SOA-406 Link: Added: This issue is a dependency of SOA-406 Link: Removed: This issue is a dependency of SOA-406 Link: Removed: This issue is related to SOA-406 documented. Affects: Added: [Release Notes] Same results with CP01 build. Attachment: Added: CP01.txt email from Marc: Hi Joshua, the only reliable workaround is fixing it. A fix is available since 20070724, see http://jira.jboss.com/jira/browse/JBAS-4540 For a temporary fix there are some flags in the the config for org.jboss.web.WebService mbean that promise to disable non-EJB class download. <attribute name="Port">8083</attribute> <!-- Should resources and non-EJB classes be downloadable --> <attribute name="DownloadServerClasses">false</attribute> <attribute name="DownloadResources">false</attribute> Thanks Marc Link: Added: This issue depends JBPAPP-245 I see no reason why the standalone server does not behave in the same way. I suspect that when data and jars have been stripped out during its creation that we lost something. See last comment, this is a documentation issue. The setting to serve the classes is needed for some of the RMI quick starts. The user needs to know that with the standalone server it is necessary to change this setting to false in order to secure the environment for production. Release noted: 3.5.2. Preventing download of non-RMI classes on Port 8083 in the standalone version of the server If you use RMI (Remote Method Invocation) you will want to make Port 8083 of your server accessible to clients. The EAP version of the server is configured out of the box to restrict the classes that it serves on this port. The standalone server, however, is configured out of the box to serve all deployable classes via this port. This has been done to allow the quickstarts to function correctly by default. To change this behaviour you need to modify the following line in default/conf/jboss-service.xml: <!-- Should non-EJB .class files be downloadable --> <attribute name="DownloadServerClasses">false</attribute> The value for this attribute is set as true out of the box, and it should be set to false in actual production deployment to prevent the server from serving all deployable classes on Port 8083. Verified in the release notes here: https://svn.corp.jboss.com/repos/soa/trunk/build-tools/docs/SOA_Release_Notes.txt It's in the CR3 release note too:
3.5.2. Preventing download of non-RMI classes on Port 8083 in the
standalone version of the server
If you use RMI (Remote Method Invocation) you will want to make
Port 8083 of your server accessible to clients. The EAP version of
the server is configured out of the box to restrict the classes
that it serves on this port. The standalone server, however, is
configured out of the box to serve all deployable classes via this
port. This has been done to allow the quickstarts to function
correctly by default.
To change this behaviour you need to modify the following line in
default/conf/jboss-service.xml:
<!-- Should non-EJB .class files be downloadable -->
<attribute name="DownloadServerClasses">false</attribute>
The value for this attribute is set as true out of the box, and it
should be set to false in actual production deployment to prevent
the server from serving all deployable classes on Port 8083.
|