How do I disable RMI in JBoss?
Due to various RMI exploits out there and the fact that I don't use it anyway, I'd like to disable RMI on my JBoss server at least externally, but I'm not sure how to do this without breaking things.
I've tried disabling the JRMP invoker, which seems to work but the problem is that I'm unable to then start and stop my server because the command:
sudo -u $JBOSS_USER $JBOSS_HOME/bin/shutdown.sh -S
returns the error:
Exception in thread "main" javax.naming.NamingException: Could not dereference object [Root exception is javax.naming.NameNotFoundException: invoker not bound]
at org.jnp.interfaces.NamingContext.resolveLink(NamingContext.java:1215)
at org.jnp.interfaces.NamingContext.lookup(NamingContext.java:758)
at org.jnp.interfaces.NamingContext.lookup(NamingContext.java:627)
at javax.naming.InitialContext.lookup(InitialContext.java:351)
at org.jboss.Shutdown.main(Shutdown.java:214)
Caused by: javax.naming.NameNotFoundException: invoker not bound
at org.jnp.server.NamingServer.getBinding(NamingServer.java:529)
at org.jnp.server.NamingServer.getBinding(NamingServer.java:537)
at org.jnp.server.NamingServer.getObject(NamingServer.java:543)
at org.jnp.server.NamingServer.lookup(NamingServer.java:267)
at org.jnp.server.NamingServer.lookup(NamingServer.java:270)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:592)
at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:294)
at sun.rmi.transport.Transport$1.run(Transport.java:153)
at java.security.AccessController.doPrivileged(Native Method)
at sun.rmi.transport.Transport.serviceCall(Transport.java:149)
at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:466)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:707)
at java.lang.Thread.run(Thread.java:613)
at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(StreamRemoteCall.java:247)
at sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:223)
at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:126)
at org.jnp.server.NamingServer_Stub.lookup(Unknown Source)
at org.jnp.interfaces.NamingContext.lookup(NamingContext.java:667)
at org.jnp.interfaces.NamingContext.lookup(NamingContext.java:627)
at javax.naming.InitialContext.lookup(InitialContext.java:351)
at org.jnp.interfaces.NamingContext.resolveLink(NamingContext.java:1209)
... 4 more
I don't see the invoker being referenced anywhere else in /path/to/jboss/server/default/conf/jboss-service.xml so I'm not sure what other references I would need to remove.
Any ideas on what I'm doing wrong or am I just asking for functionality that's mutually exclusive?
In JBoss 4, there are several references to the RMI invokers in:
conf/standardjboss.xml
A lot of functions in JBoss make use of RMI, even if your app doesn't. The easiest solution would be to bind JBoss to an address that isn't available remotely:
-b 127.0.0.1
Update
If you only want RMI to be bound locally, edit the BindAddress and RmiBindAddress attributes in the jboss-service.xml file:
<mbean code="org.jboss.naming.NamingService" name="jboss:service=Naming">
<attribute name="Port">1099</attribute>
<attribute name="BindAddress">127.0.0.1</attribute>
<attribute name="RmiPort">1098</attribute>
<attribute name="RmiBindAddress">127.0.0.1</attribute>
</mbean>
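One way to check the result of that edit, as an added example (not part of the original answer and not JBoss code): it parses a jboss-service.xml fragment and reports whether the NamingService BindAddress and RmiBindAddress are pinned to loopback. The sample XML is constructed, the function names are hypothetical, and treating any ${...} value as resolved at startup (for instance from -b) is an assumption.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: only one of the two addresses is pinned in the file.
SAMPLE = """<server>
  <mbean code="org.jboss.naming.NamingService" name="jboss:service=Naming">
    <attribute name="Port">1099</attribute>
    <attribute name="BindAddress">127.0.0.1</attribute>
    <attribute name="RmiPort">1098</attribute>
    <attribute name="RmiBindAddress">${jboss.bind.address}</attribute>
  </mbean>
</server>"""

CHECKED = ("BindAddress", "RmiBindAddress")

def classify(value):
    """Return 'loopback', 'exposed', 'placeholder' or 'unset' for one value."""
    if value is None or not value.strip():
        return "unset"
    value = value.strip()
    if value.startswith("${"):
        return "placeholder"  # assumption: resolved at startup, check -b too
    if value.lower() == "localhost":
        return "loopback"
    try:
        return "loopback" if ipaddress.ip_address(value).is_loopback else "exposed"
    except ValueError:
        return "exposed"  # a hostname we cannot prove is local

def audit_naming_service(xml_text):
    """Map each checked NamingService attribute to its classification."""
    root = ET.fromstring(xml_text)
    results = {}
    for mbean in root.iter("mbean"):
        if mbean.get("code") != "org.jboss.naming.NamingService":
            continue
        values = {a.get("name"): a.text for a in mbean.findall("attribute")}
        for name in CHECKED:
            results[name] = classify(values.get(name))
    return results

def is_local_only(results):
    """True only when the mbean was found and every checked value is loopback."""
    return bool(results) and all(v == "loopback" for v in results.values())

if __name__ == "__main__":
    print(audit_naming_service(SAMPLE))
```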
The problem is that shutdown.sh uses RMI to request a shutdown, so when you disabled the JRMPInvoker, you disabled shutdown.sh.
One option might be to use an HTTP post to JMXConsole to request the same.
wget --post-data "action=invokeOp&methodIndex=0&name=jboss.system%3Atype%3DServer" \
  [--user=admin --password=admin] \
  http://localhost:18080/jmx-console/HtmlAdaptor
It seems to work fine.
=== Update ===
The methodIndex I used in that URL was 0 which is for shutdown, but I did observe a couple of issues with that, especially when using the native APR. Using a methodIndex of 2 (exit) works much more cleanly. In addition, I added wget options for timeout and tries. The revised version looks like this:
wget --timeout=1 --tries=1 \
  --post-data "action=invokeOp&methodIndex=2&name=jboss.system%3Atype%3DServer" \
  [--user=admin --password=admin] \
  http://localhost:18080/jmx-console/HtmlAdaptor