3.4 The JMXInvokerServlet servlet must be secured against web attacks - 'http-method,GET = false'
Information
The httpha-invoker.sar found in the deploy directory is a service that provides RMI/HTTP access for EJBs and the JNDI Naming service. By default older JBoss versions ship with a default set of <http-method> that allow attackers to bypass the security policy for JMX Invoker.