Security hole in WSAS 2.2!
The Problem
-----------
The WSAS 2.2 admin services could be accessed by any user without having to log in. This means that any user could manipulate the server instance, which is a huge security hole. The cause is that the wso2wsas-administration module was not engaged on the WSAS admin services, so no authentication check ran before an admin operation was executed.
The Fix to WSAS 2.2
-------------------
The fix for this is to locate the WSO2WSAS_HOME/repository/services/wso2wsas-administration.aar file, extract it, and locate the services.xml file within the extracted directory. Now uncomment the following line (line 21):
<!--<module ref="wso2wsas-admin"/>-->
and also uncomment lines 31, 32 & 33.
Next, re-archive the exploded directory as wso2wsas-administration.aar (this can be done using any Zip archiver, since an .aar is a Zip file) and drop it into the WSO2WSAS_HOME/repository/services/ directory.
That's it. Now restart your server. To verify that the security fix is working properly, point your browser to https://localhost:9443/services/ServerAdmin/shutdown. If you have applied this fix properly, you will get an error message with a stack trace which includes "Access Denied. Please login first".
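The procedure above, scripted as an added example (this is not the post's or WSO2's own tooling). It assumes unzip and zip are on the PATH, that WSO2WSAS_HOME is the install root, and that line 21 of services.xml is exactly the single-line comment quoted in the post. The post does not reproduce the contents of lines 31-33, so the script only reports which comment lines remain for manual review rather than guessing at them; run the "stage" step, edit those lines by hand, then run "repack". The "verify" step is the post's own check against your own restarted instance.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes unzip/zip on PATH,
# WSO2WSAS_HOME as the install root, and the single-line comment quoted in
# the post on line 21 of services.xml. Lines 31-33 are not quoted in the post
# and are therefore reported for manual editing, not changed automatically.
set -eu

AAR_NAME="wso2wsas-administration.aar"
MODULE_REF='<module ref="wso2wsas-admin"/>'

# Uncomment the single-line <!--<module ref="wso2wsas-admin"/>--> element in
# place. Prints how many such commented lines were found (expected: 1).
uncomment_admin_module() {
  xml="$1"
  found=$(grep -c "<!--$MODULE_REF-->" "$xml" || true)
  sed -i.bak "s#<!--\\($MODULE_REF\\)-->#\\1#" "$xml"
  rm -f "$xml.bak"
  echo "$found"
}

# Succeeds only when the admin module reference is present and no longer
# commented out: the check to run before repackaging the archive.
admin_module_engaged() {
  xml="$1"
  grep -q "$MODULE_REF" "$xml" && ! grep -q "<!--$MODULE_REF-->" "$xml"
}

# Print the line numbers that still open an XML comment, so the operator can
# check lines 31-33 by hand as the post requires.
remaining_comment_lines() {
  grep -n '<!--' "$1" | cut -d: -f1 || true
}

# Extract the .aar into a work directory, patch line 21, and report what is
# left to review. Prints the work directory path for the repack step.
stage() {
  home="$1"
  work=$(mktemp -d)
  unzip -q "$home/repository/services/$AAR_NAME" -d "$work"
  xml=$(find "$work" -name services.xml | head -n 1)
  [ -n "$xml" ] || { echo "services.xml not found in archive" >&2; return 1; }
  n=$(uncomment_admin_module "$xml")
  [ "$n" = "1" ] || echo "warning: expected 1 commented module line, found $n" >&2
  admin_module_engaged "$xml" || { echo "module reference still disabled" >&2; return 1; }
  echo "review these comment lines in $xml by hand (post: uncomment 31-33):" >&2
  remaining_comment_lines "$xml" >&2
  echo "$work"
}

# Repack the edited work directory over the original .aar, keeping a backup.
# Run from inside the work directory so archive paths stay relative.
repack() {
  home="$1"; work="$2"
  aar="$home/repository/services/$AAR_NAME"
  cp "$aar" "$aar.orig"
  rm -f "$aar"
  (cd "$work" && zip -qr "$aar" .)
  echo "repacked $aar (backup at $aar.orig)"
}

# The post's own verification: after restart, the shutdown operation on your
# instance must be refused with "Access Denied. Please login first".
verify() {
  base="${1:-https://localhost:9443}"
  curl -sk "$base/services/ServerAdmin/shutdown" |
    grep -q "Access Denied. Please login first"
}

case "${1:-}" in
  stage)  stage "${WSO2WSAS_HOME:?set WSO2WSAS_HOME}" ;;
  repack) repack "${WSO2WSAS_HOME:?set WSO2WSAS_HOME}" "${2:?work dir from stage}" ;;
  verify) verify "${2:-}" && echo "fix verified" ;;
  *) ;;  # no argument: only define the functions
esac
```

Usage: `WSO2WSAS_HOME=/opt/wsas sh fix.sh stage` prints the work directory; edit lines 31-33 of the services.xml it names, then `WSO2WSAS_HOME=/opt/wsas sh fix.sh repack <workdir>`, restart, and `sh fix.sh verify https://localhost:9443`.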
For Lazy Users - Use WSAS 2.2.1
-------------------------------
If you would rather avoid the manual steps above, you can download the latest WSAS 2.2.1 release (http://wso2.org/downloads/wsas/), which contains this fix. The only differences between the WSAS 2.2 and 2.2.1 releases are this security fix and some improvements to Hibernate session handling, so there is no issue in migrating from WSAS 2.2 to 2.2.1.
Sorry for the inconvenience caused.
--
Thanks
Azeez
- by afkham_azeez