We've had one client affected by this: 'Mark Cox's Blog: Statement
Regarding Security Threat to JBoss Application Server | JBoss Community'

I haven't tried to recreate it in a clean environment, but they were on a
3.7 install with jmx-console security enabled. The issue says it is
related to JBoss 4, but the JBoss shipped with the User App has the
incorrect security constraint.


To summarize - when securing the jmx-console/web console:

Make sure to remove the http-method lines.

If someone could verify whether or not this is in the 4 variant, that
would be great. If not, I'll likely update in a week.

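A check for the condition the post describes, added here as an example and not part of the original post or of any vendor tooling: under the Servlet specification, a `security-constraint` whose `web-resource-collection` lists `http-method` elements applies only to the listed methods, so the script flags every such collection in a `web.xml`. The sample descriptor is constructed for the demonstration; point the function at the real `jmx-console` and `web-console` `web.xml` files to audit an install.

```python
import xml.etree.ElementTree as ET

def local(tag):
    """Strip an XML namespace so DTD- and schema-based web.xml both work."""
    return tag.rsplit("}", 1)[-1]

def find_method_limited_constraints(web_xml_text):
    """Return (web-resource-name, [methods]) for each web-resource-collection
    inside a security-constraint that restricts itself to listed HTTP methods."""
    findings = []
    root = ET.fromstring(web_xml_text)
    for constraint in root.iter():
        if local(constraint.tag) != "security-constraint":
            continue
        for coll in constraint:
            if local(coll.tag) != "web-resource-collection":
                continue
            name, methods = "(unnamed)", []
            for child in coll:
                if local(child.tag) == "web-resource-name":
                    name = (child.text or "").strip()
                elif local(child.tag) == "http-method":
                    methods.append((child.text or "").strip().upper())
            if methods:  # constraint only covers these methods
                findings.append((name, methods))
    return findings

# Constructed sample: a constraint limited to GET and POST.
BEFORE = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

# Same descriptor with the http-method lines removed, as the post advises.
AFTER = "\n".join(l for l in BEFORE.splitlines() if "<http-method>" not in l)

if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER)):
        print(label, find_method_limited_constraints(doc) or "constraint covers all methods")
```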