How to enable authorization for the jmx invoker

Solution Unverified - Updated -

Environment

JBoss Enterprise Application Platform(EAP)

  • 4.x
  • 5.x

Issue

  • I need to secure the jmx invoker. What can I do to secure access to it?
  • Where can I get information on enabling authorisation for the jmx invoker?

Resolution

  1. Limit access to localhost. By default the invoker binds to the address given with -b. See the article "How to restrict jmx invoker to localhost in JBoss EAP?".
  2. Secure the jmx invoker (it uses the jmx-console security domain). It is secured by default, out of the box, because of the following entry in

/deploy/jmx-invoker-service.xml

  <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
               securityDomain="java:/jaas/jmx-console"/>

Steps 1 and 2 only set up authentication.

What does this mean?

  • One can still programmatically call JMX, and as long as the caller has a valid user/password it will let them run any method.
  • The interceptor only checks whether the user/password matches an entry in the properties files.
  • If someone sets up the properties files, or sets up a login config that hits LDAP for instance, then anyone whose user/password is accepted can invoke methods on the MBean server. The danger is that such a caller could invoke shutdown and stop the server, or change other things.

What needs to be done in addition?

An authorization interceptor should be added after the AuthenticationInterceptor:

  <interceptor code="org.jboss.jmx.connector.invoker.AuthorizationInterceptor"
               authorizingClass="org.jboss.jmx.connector.invoker.RolesAuthorization"/>

It requires that the user have the JBossAdmin role to be able to invoke methods on the MBean server.

A custom authorizingClass can also be defined if required. The object is a POJO and doesn't have to implement an interface, but it should have this method:

public void authorize(Principal caller, Subject subject, String objectname, String opname)

It can throw a java.lang.SecurityException to deny the call.

In the custom authorizingClass one can look at the calling user, the objectname of the MBean and the name of the operation they want to invoke, and decide whether it should be allowed.
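The following is an added example of such a custom authorizingClass; it is not code from this article or from JBoss. It keeps the JBossAdmin rule of RolesAuthorization (that role may invoke anything) and adds a hypothetical JBossMonitor role that may only invoke operations whose names start with "list" or "get". The package name, the JBossMonitor role and the read-only naming policy are assumptions; it also assumes, as the JBoss login modules do, that the roles are carried in the Subject as a java.security.acl.Group named "Roles".

```java
// Added example, not part of the Red Hat article or of JBoss EAP itself.
package com.example.jmx; // hypothetical package

import java.security.Principal;
import java.security.acl.Group; // available on the Java 5/6 runtimes EAP 4.x/5.x run on
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.Subject;

/**
 * Custom authorizingClass for org.jboss.jmx.connector.invoker.AuthorizationInterceptor.
 * Plain POJO: no interface to implement, only the authorize(...) method the
 * interceptor calls. Throwing SecurityException denies the invocation.
 */
public class ReadOnlyAwareAuthorization {

    // Same role that the stock RolesAuthorization requires.
    private static final String ADMIN_ROLE = "JBossAdmin";
    // Hypothetical role restricted to read-only style operations.
    private static final String MONITOR_ROLE = "JBossMonitor";

    public void authorize(Principal caller, Subject subject, String objectname, String opname) {
        Set<String> roles = rolesOf(subject);

        // Administrators may invoke any operation on any MBean (shutdown included).
        if (roles.contains(ADMIN_ROLE)) {
            return;
        }

        // Monitors may only call operations that, by naming convention, read state.
        // Assumption: operations named list*/get* do not change the server.
        if (roles.contains(MONITOR_ROLE) && isReadOnly(opname)) {
            return;
        }

        // Everything else is denied; the interceptor propagates this to the caller.
        String who = (caller == null) ? "<anonymous>" : caller.getName();
        throw new SecurityException("Principal " + who + " with roles " + roles
            + " is not allowed to invoke " + opname + " on " + objectname);
    }

    // Read-only heuristic used by the monitor role (assumed policy, adjust to taste).
    static boolean isReadOnly(String opname) {
        return opname != null && (opname.startsWith("list") || opname.startsWith("get"));
    }

    // Collect role names from the "Roles" group the JBoss login modules add to the
    // authenticated Subject (assumption about how the Subject is populated).
    static Set<String> rolesOf(Subject subject) {
        Set<String> roles = new HashSet<String>();
        if (subject == null) {
            return roles;
        }
        for (Group group : subject.getPrincipals(Group.class)) {
            if (!"Roles".equals(group.getName())) {
                continue;
            }
            Enumeration<? extends Principal> members = group.members();
            while (members.hasMoreElements()) {
                roles.add(members.nextElement().getName());
            }
        }
        return roles;
    }
}
```

To use it, package the class in a jar on the server classpath and point the AuthorizationInterceptor at it with authorizingClass="com.example.jmx.ReadOnlyAwareAuthorization" in jmx-invoker-service.xml, keeping it after the AuthenticationInterceptor so a Subject has already been established when authorize() runs. Note that the interceptor only consults this class for MBean operation invocations, which is why the decision is keyed on the operation name rather than on attribute reads.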

See http://community.jboss.org/wiki/SecureTheInvokers

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
