----- Original Message -----
From: Richard Monson-Haefel <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, September 02, 1999 9:19 AM
Subject: Security problem with javax.ejb.Handle


> This issue was brought up without resolution over a year ago.  I had hoped that
> it would be adequately addressed in EJB 1.1, but it hasn't.  In fact now it
> seems worse, because now the security flaw is mandated not implied as was the
> case in EJB 1.0.
>
> According to section 8.7 of the EJB 1.1:
> "At the minimum, a program running in one JVM must be able to obtain and
> serialize the handle, and another program running in a different JVM must be
> able to deserialize it and re-create an object reference."
>
> Since the only method available on Handle is getEJBObject( ), it's assumed that
> authentication is NOT used to obtain the EJBObject reference.  If no
> authentication is used no identity is presented, so authorization (access
> control) cannot be done (how can you authorize an identity that has not been
> made available).  It's possible that the Handle is supposed to store the identity
> and credentials of the client that serialized it, and then use that information
> to automatically authenticate when the Handle is used, but this seems like a
> serious security flaw.

Possession of a handle does not automatically establish the right to access
the EJB object (in other words, a handle is not a capability). The serialized handle
should *not* store the credentials of the client that serialized the handle. The
credentials of the client that deserialized the handle and attempts to invoke the
EJB object should be passed on the invocation.

>
> --
> Richard Monson-Haefel
> Author of Enterprise JavaBeans
> Published by O'Reilly & Associates
>
> ===========================================================================
> To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> of the message "signoff EJB-INTEREST".  For general help, send email to
> [EMAIL PROTECTED] and include in the body of the message "help".
>
>
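The model described in the reply, as an added illustration that is not part of the thread and not code from any EJB container or from the EJB 1.1 specification: a handle that carries only an opaque object key, and a container that authorizes each invocation against the principal of the client making that call. The `AccountHandle`, `Container`, the principal-to-role map, the method-permission map and the `callerPrincipal` parameter are all assumptions made for the example; in a real container the caller's identity would come from the security context established when that client authenticated, not from a method argument.

```java
import java.io.*;
import java.util.*;

// Added illustration of "a handle is not a capability"; not a real EJB container.

// Stand-in for javax.ejb.Handle: a serializable, opaque reference.
// It holds the object key only: no principal, no credentials, nothing that
// would let the holder act as the client that serialized it.
final class AccountHandle implements Serializable {
    private static final long serialVersionUID = 1L;
    final String objectKey;   // assumption: server-side key naming one EJBObject
    AccountHandle(String objectKey) { this.objectKey = objectKey; }
}

// Stand-in for the container. EJB 1.1 declares method permissions in the
// deployment descriptor; here they are plain maps (constructed sample data).
final class Container {
    private final Map<String, Long> balances = new HashMap<>();                // objectKey -> state
    private final Map<String, Set<String>> rolesOf = new HashMap<>();          // principal -> roles
    private final Map<String, Set<String>> methodPermissions = new HashMap<>(); // method -> allowed roles

    Container() {
        balances.put("account-42", 100L);
        rolesOf.put("alice", Set.of("teller"));
        rolesOf.put("mallory", Set.of("guest"));
        methodPermissions.put("getBalance", Set.of("teller"));
    }

    // Handing out a handle is just handing out a reference; it grants nothing.
    AccountHandle getHandle(String objectKey) {
        if (!balances.containsKey(objectKey)) throw new NoSuchElementException(objectKey);
        return new AccountHandle(objectKey);
    }

    // The identity checked is that of the client making *this* invocation.
    // The handle never enters the authorization decision.
    long getBalance(AccountHandle h, String callerPrincipal) {
        authorize("getBalance", callerPrincipal);
        Long b = balances.get(h.objectKey);
        if (b == null) throw new NoSuchElementException(h.objectKey);
        return b;
    }

    private void authorize(String method, String principal) {
        Set<String> roles = rolesOf.getOrDefault(principal, Set.of());
        Set<String> allowed = methodPermissions.getOrDefault(method, Set.of());
        if (Collections.disjoint(roles, allowed)) {
            throw new SecurityException(principal + " is not permitted to call " + method);
        }
    }
}

public class HandleDemo {
    // Simulates moving the handle to another JVM: serialize, then deserialize.
    static AccountHandle roundTrip(AccountHandle h) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(h);
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            return (AccountHandle) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Container container = new Container();

        // "JVM 1": alice (role teller) obtains a handle and serializes it.
        AccountHandle original = container.getHandle("account-42");
        AccountHandle received = roundTrip(original);

        // "JVM 2": the deserialized handle is the same reference for everyone
        // who holds it; what differs is the identity presented on the call.
        System.out.println("alice:   " + container.getBalance(received, "alice"));   // 100
        try {
            container.getBalance(received, "mallory");
        } catch (SecurityException e) {
            System.out.println("mallory: " + e.getMessage());                       // denied
        }
    }
}
```

Because the serialized form of `AccountHandle` contains only the object key, copying or forwarding the handle changes nothing about who may use it; the access-control decision is repeated on every invocation with the current caller's identity, which is the property the reply argues for.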
