Removing the HTTP Invokers


Invokers can be scary to have around because they give the outside world a potential access point to your server. When properly secured, they don't cause you much worry, but you do have to know they are there before you can make sure they are secure.

Invokers that listen on a specific port for remote connections are easy to track down. Standard networking tools such as nmap, lsof, and netstat can tell you what ports are in use on a machine. What isn't so easy is tracking down invokers that tunnel over other protocols, HTTP being the primary offender.

HTTP invocations are important. Oftentimes overzealous network administrators limit the access between two networks to port 80. That forces you, the developer, to find ways to tunnel application access over that one port. JBoss can perform every type of remote access over port 80: JNDI, JMX invocations, EJB invocations, etc.

JBoss is configured to allow access over HTTP by default; however, most applications don't need to tunnel over port 80. In that case, having the HTTP invokers is more of a liability, and the best policy is to just remove them.

How do I do that?

Removing the HTTP invokers is easy. The HTTP invokers are managed by a single service, http-invoker.sar. Just remove that entire directory from the deploy directory and you will be all set, knowing that remote clients cannot get in through the HTTP invoker back door.
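The removal step above, as an added shell example that is not from the book: it checks every server configuration for a deployed http-invoker.sar and moves it to a backup directory instead of deleting it. The `<jboss-home>/server/<config>/deploy` layout, the function names, and the backup layout are assumptions.

```shell
#!/bin/sh
# Audit a JBoss installation for deployed HTTP invokers and move them out
# of the deploy directory so the change can be reverted later.
# Assumption: each configuration lives in <jboss-home>/server/<config>/deploy.

# find_http_invokers JBOSS_HOME
# Prints the path of every http-invoker.sar that is still deployed.
find_http_invokers() {
    for deploy in "$1"/server/*/deploy; do
        [ -d "$deploy" ] || continue
        if [ -e "$deploy/http-invoker.sar" ]; then
            printf '%s\n' "$deploy/http-invoker.sar"
        fi
    done
}

# remove_http_invokers JBOSS_HOME BACKUP_DIR
# Moves each http-invoker.sar to BACKUP_DIR/<config>/ and returns non-zero
# if any move failed, so a caller can tell that an invoker is still live.
remove_http_invokers() {
    rc=0
    for deploy in "$1"/server/*/deploy; do
        sar="$deploy/http-invoker.sar"
        [ -e "$sar" ] || continue
        # The configuration name is the directory that contains deploy/.
        config=$(basename "$(dirname "$deploy")")
        if mkdir -p "$2/$config" && mv "$sar" "$2/$config/"; then
            printf 'moved %s -> %s\n' "$sar" "$2/$config/"
        else
            printf 'FAILED to move %s\n' "$sar" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Usage: sh <script> <jboss-home> [backup-dir]
# With one argument the script only reports; with two it also moves.
if [ "$#" -ge 1 ]; then
    find_http_invokers "$1"
    if [ "$#" -ge 2 ]; then
        remove_http_invokers "$1" "$2"
    fi
fi
```

Running it with only the JBoss home argument lists the configurations that still deploy the invoker without changing anything.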


Note: There's that pesky invoker word again.


JBoss: A Developer's Notebook
ISBN: 0596100078
EAN: 2147483647
Year: 2003
Pages: 106
