Posted to dev@geronimo.apache.org by Romain Manni-Bucau <rm...@gmail.com> on 2020/02/27 22:32:02 UTC

[metrics] change in security shield

Hi all

Wdyt of https://github.com/apache/geronimo-metrics/pull/4 ?

My last comment requires some discussion, I think, but since the PR is not from G
itself, I don't want to wait too long before getting it in.

Personally, I'd be tempted to add an event fired only if there is an
observer and enhance the doc for meecrowave/tomee/tomcat + support ranges
with a warning saying it is not recommended but I also get the easiness to
not need to observe the event.

Main point is to ensure only the monitor (Prometheus or equivalent) can
call the metrics endpoint since some sensitive - or even PII - data can be
there.

Romain