Removing the Class Download Service

The last service you'll need to worry about is the class download service. The class download service allows remote RMI clients to download Java classes from the server. It's a nice idea because then you don't have to distribute your server classes to your external clients.

However, leaving the class download service running exposes anything in the server's classpath to external clients. Try accessing http://localhost:8083/login-config.xml, or worse yet, http://localhost:8083/props/jmx-console-users.properties, to see the potential problems with the class download service.

How do I do that?

To remove the ability to download class files, you need to edit conf/jboss-service.xml and remove the jboss:service=WebService MBean. It looks like this:

     <!-- ================================================== -->     <!-- Class Loading                                      -->     <!-- ================================================== -->             <mbean code="org.jboss.web.WebService"         name="jboss:service=WebService">         <attribute name="Port">8083</attribute>         <!-- Should resources and non-EJB classes be downloadable -->         <attribute name="DownloadServerClasses">true</attribute>         <attribute name="Host">${jboss.bind.address}</attribute>         <attribute name="BindAddress">${jboss.bind.address}</attribute>     </mbean> 

If you do really need the class download service for remote clients, you should at least set DownloadServerClasses to false to restrict the service to supply only EJB-related classes.

What just happened?

You saw how to remove the class download service. If you really need the class download service to facilitate the process of managing external clients, you should set DownloadServerClasses to false to limit the amount of server-side information exposed to clients.