In JIRA issue OPENEJB-711, Jarek Gawor wrote:
> A simple change to ensure that hostAuthorization() is
> called. However, this has significant implications. If applied, by
> default only local ip addresses will be allowed to access the server
> (which I think matches 2.0 behavior) but is different from previous
> openejb 3.0 beta releases where all ip addresses were allowed by
> default. I can submit another patch if a different solution is
> needed (e.g. to match 3.0 beta behavior)

Wished I'd spotted this one sooner. I think by now we might be better off allowing all hosts to access unless the only_from is specified. Now that I think of it, I'm pretty sure the xinetd default for only_from is that everyone is allowed: only_from as well as the other server service properties were designed after xinetd. Not sure why we ever set the default to localhost only (likely my bad idea).

On a related note, Gianny added some really great masking in 2.x to match the equivalent xinetd functionality, allowing more ways to express who can access the service than a fixed IP. One of the few gems we haven't ported yet. This is the commit if you feel like porting: http://svn.apache.org/viewvc?view=rev&revision=445374

-David
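
The default discussed in this thread, sketched as an added example (not part of the original message and not OpenEJB's code): with only_from unset, the two candidate defaults differ for every non-local peer, while an explicit list is deny-by-default under both. The class and method names are hypothetical, loopback stands in for "local ip addresses", and the address/prefix-length entry is one of the forms xinetd's only_from accepts, assumed here rather than taken from the 2.x commit.

```java
import java.net.InetAddress;
import java.util.List;

// Added illustration, not OpenEJB code; class and method names are hypothetical.
public class OnlyFromCheck {

    // True when addr is inside entry, written as "address" or "address/prefixLength".
    // Entries must be IP literals so that getByName() parses them without a DNS lookup.
    static boolean matches(String entry, InetAddress addr) throws Exception {
        String[] parts = entry.trim().split("/", 2);
        byte[] net = InetAddress.getByName(parts[0]).getAddress();
        byte[] ip = addr.getAddress();
        if (net.length != ip.length) return false; // IPv4 entry never matches an IPv6 peer
        int bits = parts.length == 2 ? Integer.parseInt(parts[1]) : net.length * 8;
        if (bits < 0 || bits > net.length * 8)
            throw new IllegalArgumentException("bad prefix length: " + entry);
        for (int i = 0; i < net.length && bits > 0; i++, bits -= 8) {
            int mask = bits >= 8 ? 0xFF : (0xFF << (8 - bits)) & 0xFF;
            if ((net[i] & mask) != (ip[i] & mask)) return false;
        }
        return true;
    }

    // Empty only_from: allowAllByDefault=true admits every peer (the default proposed above),
    // false admits loopback only (assumed stand-in for "local ip addresses").
    static boolean authorized(List<String> onlyFrom, InetAddress peer, boolean allowAllByDefault)
            throws Exception {
        if (onlyFrom.isEmpty()) return allowAllByDefault || peer.isLoopbackAddress();
        for (String entry : onlyFrom) {
            if (matches(entry, peer)) return true;
        }
        return false; // an explicit list is always deny-by-default
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample peers (loopback, private and documentation ranges).
        String[] peers = {"127.0.0.1", "10.1.2.3", "192.0.2.10"};
        List<String> none = List.of();
        List<String> masked = List.of("127.0.0.1", "10.1.0.0/16");
        for (String p : peers) {
            InetAddress peer = InetAddress.getByName(p);
            System.out.printf("%-11s unset/allow-all=%-5b unset/local-only=%-5b masked-list=%b%n",
                    p, authorized(none, peer, true), authorized(none, peer, false),
                    authorized(masked, peer, true));
        }
    }
}
```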
