Thanks - I actually had found most of those instructions, but they largely refer to authentication and authorization (and largely of applications, not the default domain). I'm not even at the stage of deploying applications yet - I'm first trying to minimize the attack surface by not running unnecessary services, or at least restricting them so that they only listen on localhost.
One hint came in Chapter 9 of the Admin guide, in the section "About Firewalls". It describes how only ports 8080 and 8181 should be allowed, and opening the RMI-IIOP listener is possible though a security risk. So this is the level of security that I'm trying to achieve first, but I don't want to have to rely on the firewall to secure a risky deployment. Rather, I'd like to start with a secure standalone SJSAS, and then have the firewall act as a further line of defense.
Am I just being overly paranoid? Do real-world deployments run with these services listening on all IP addresses? Or does everyone do what I've done, and just fix what they can see and hope that things are then secure?
[Message sent by forum member 'justinsb' (justinsb)]
http://forums.java.net/jive/thread.jspa?messageID=248692