One of the most obvious tasks for the system administrator who cares about security is restricting access to the server management interfaces. Without a security policy, every user can gain access to the application server and modify its properties.
Starting with release 7.1.0 Beta of the application server, security is enabled by default on the AS management interfaces to prevent unauthorized remote access to the application server.
Local clients of the application server are, on the other hand, still allowed to access the management interfaces without any authentication.
The attribute which is used to switch on security on the management interface is a security-realm which needs to be defined within ...
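
A configuration audit for the setting described above, as an added example that is not part of the original page or the application server's own tooling: it parses a constructed configuration fragment and reports management interfaces that carry no security-realm attribute or name a realm the file never declares. The element names (management-interfaces, native-interface, http-interface), the realm name and the audit_management helper are assumptions based on the AS 7 configuration layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not taken from a real server. Element names are assumed
# to follow the AS 7 standalone.xml layout; the realm name is illustrative.
SAMPLE = """\
<server xmlns="urn:jboss:domain:1.1">
  <management>
    <security-realms>
      <security-realm name="ManagementRealm"/>
    </security-realms>
    <management-interfaces>
      <native-interface security-realm="ManagementRealm"/>
      <http-interface/>
    </management-interfaces>
  </management>
</server>
"""


def local(tag):
    """Strip the XML namespace so the check works across schema versions."""
    return tag.rsplit("}", 1)[-1]


def audit_management(xml_text):
    """Return (interface, problem) pairs for management interfaces that are
    unauthenticated or reference a realm the file never declares."""
    root = ET.fromstring(xml_text)
    # Realm declarations are elements with a name; the interfaces refer to
    # them through an attribute of the same name.
    declared = {el.get("name") for el in root.iter()
                if local(el.tag) == "security-realm" and el.get("name")}
    findings = []
    for container in root.iter():
        if local(container.tag) != "management-interfaces":
            continue
        for iface in container:
            realm = iface.get("security-realm")
            if realm is None:
                findings.append((local(iface.tag), "no security-realm attribute"))
            elif realm not in declared:
                findings.append((local(iface.tag), f"realm '{realm}' is not declared"))
    return findings


if __name__ == "__main__":
    for iface, problem in audit_management(SAMPLE):
        print(f"{iface}: {problem}")
```

An empty result means every management interface in the file references a declared realm; it does not verify how that realm authenticates users.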