JBoss.org Community Documentation
The http-invoker.sar
found in the deploy directory is a service that provides RMI/HTTP access for EJBs and the JNDI Naming
service. This includes a servlet that processes posts of marshalled org.jboss.invocation.Invocation
objects that represent invocations that should be dispatched onto the MBeanServer
. Effectively this allows access to MBeans that support the detached invoker operation via HTTP since one could figure out how to format an appropriate HTTP post. To security this access point you would need to secure the JMXInvokerServlet
servlet found in the http-invoker.sar/invoker.war/WEB-INF/web.xml
descriptor. There is a secure mapping defined for the /restricted/JMXInvokerServlet
path by default, one would simply have to remove the other paths and configure the http-invoker
security domain setup in the http-invoker.sar/invoker.war/WEB-INF/jboss-web.xml
descriptor.