Description
The JBoss web service console is publicly accessible on this server. This administrative interface, typically available at /jbossws/services, provides detailed information about deployed web service endpoints, including service names, WSDL locations, and invocation metrics. While intended for legitimate administrative purposes, this console should not be exposed to unauthorized users as it reveals the application's internal service architecture.
Remediation
Restrict access to the JBoss web service console using one or more of the following methods:
1. Network-level restriction: Configure firewall rules or network ACLs to limit access to the console URL (/jbossws/*) to trusted IP addresses or internal networks only.
2. Application-level authentication: Implement authentication and authorization controls by modifying the web.xml configuration file for the jbossws context. Add a security constraint to require authenticated access:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>JBoss WS Console</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
<!-- A constraint alone does nothing: declare a login method and the role it references, and map the admin role to users in the security domain bound to this context (for JBoss, via jboss-web.xml). -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>JBoss WS Console</realm-name>
</login-config>
<security-role>
  <role-name>admin</role-name>
</security-role>
3. Disable the console: If the console is not required for operations, disable it or remove the jbossws-console.war deployment from the server entirely.
4. Use a reverse proxy: Place the application behind a reverse proxy (such as Apache or Nginx) and configure it to block external access to administrative paths while allowing access only from authorized management networks.
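The following Nginx fragment illustrates step 4. It is an added example written for this page, not configuration from the advisory or from the JBoss project; the upstream address (127.0.0.1:8080), the hostname app.example.com, the certificate paths and the management networks (10.0.0.0/8, 192.168.1.0/24) are assumptions to be replaced with the deployment's own values.

```nginx
# Added example (not from the original advisory). Assumed: JBoss listens on
# 127.0.0.1:8080 behind this proxy; 10.0.0.0/8 and 192.168.1.0/24 are the
# trusted management networks.
upstream jboss_app {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl;
    server_name app.example.com;                  # assumed hostname
    ssl_certificate     /etc/nginx/tls/app.crt;   # assumed paths
    ssl_certificate_key /etc/nginx/tls/app.key;

    # Administrative context of the JBoss web service console.
    # "^~" makes this prefix match take precedence over regex locations,
    # so a later "location ~ ..." block cannot accidentally re-expose it.
    location ^~ /jbossws/ {
        allow 10.0.0.0/8;
        allow 192.168.1.0/24;
        deny  all;                                # everyone else receives 403
        proxy_pass http://jboss_app;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Ordinary application traffic is proxied without the source restriction.
    location / {
        proxy_pass http://jboss_app;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After reloading Nginx, a request for /jbossws/services from an address outside the listed networks should return 403 while the same request from a management host still reaches the console. The proxy rule is a perimeter control only: if JBoss itself remains reachable on port 8080 from other hosts, the restriction is bypassed, so bind the application to the loopback interface or firewall the port (step 1) and keep the web.xml authentication from step 2 in place as a second layer.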