Alex,

You could use the Tomcat RemoteAddrValve to restrict this app to only the localhost.

I personally like to have some apps (like the manager interface and the jmx-proxy) available only to sysadmins, using either the above valve or OS firewall rules (such as Linux iptables).

Of course I'd also change those apps' config to use SSL (sometimes enforcing client certificates) and user authentication (preferably from an LDAP directory such as OpenLDAP). Defense in depth is always nice to have, and with this I can provide remote support (preferably through OpenVPN or an SSH tunnel) with a certain level of confidence that my app servers are not open to hackers.


[]s, Fernando Lozano
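As an added illustration of the RemoteAddrValve approach (not part of Fernando's message or the TomEE project), this is a per-application context file that limits the webapp to requests originating from the local host. It assumes the file is placed at conf/Catalina/localhost/tomee.xml so that it applies to the webapps/tomee application; the `allow` attribute is a regular expression matched against the client's IP address.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- conf/Catalina/localhost/tomee.xml (assumed path; the file name must match
     the context path of the application it should apply to) -->
<Context>
    <!-- Allow only IPv4 loopback (127.x.x.x) and IPv6 loopback (::1, in both
         short and expanded form). Every other client address is refused. -->
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
           allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"
           denyStatus="404" />
</Context>
```

Note that the valve checks the address of the TCP peer, so behind a reverse proxy it would see the proxy's address rather than the real client's; in that case the valve must be combined with RemoteIpValve (or the restriction enforced at the proxy or firewall), otherwise every request forwarded by the proxy is either all allowed or all denied.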

Hello,

Can the webapps/tomee directory be deleted when deploying a web app to a production TomEE/TomEE+ server that is exposed to the Internet? Indeed, when delivering our app with Tomcat, we delete all default web apps as part of a Tomcat hardening task list.

Is there any TomEE/TomEE+ vital content in the webapps/tomee directory?

If the answer is yes, then it means that we cannot just remove webapps/tomee, so is there a way to make this web app inaccessible on all network adapters in order to prevent its use by attackers?

Alex.
