Hi,

I do not understand the security implications of deserializing
and serializing a javax.ejb.Handle.

The security information is typically sent along with the
call. It is never associated with the remote object.

The security methods getCallerPrincipal() and isCallerInRole()
are "call" specific - not object specific. Similarly, role
based authorization checks are done based on who called
the bean - not based on who created the bean.


Harish Prabandham

J2EE Reference Implementation
Java Software Division,
Sun Microsystems.
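As an added illustration of the point above (this is not code from the thread or from any EJB container; ToyHandle, ToyContainer and the role tables are hypothetical), a toy container in which the handle is only a serializable object key, while the caller identity travels with each invocation: a handle serialized by one principal and deserialized elsewhere grants nothing by itself, and each call is authorized against the principal presented with that call.

```java
import java.io.*;
import java.security.Principal;
import java.util.Map;
import java.util.Set;

public class HandleSecurityDemo {

    // Hypothetical handle: carries the object key, never a principal or credential.
    static final class ToyHandle implements Serializable {
        private static final long serialVersionUID = 1L;
        final String objectKey;
        ToyHandle(String objectKey) { this.objectKey = objectKey; }
    }

    // Hypothetical container: the role check uses the identity of *this* call only.
    static final class ToyContainer {
        private final Map<String, Set<String>> methodRoles =
            Map.of("withdraw", Set.of("teller"), "balance", Set.of("teller", "customer"));
        private final Map<String, Set<String>> principalRoles =
            Map.of("alice", Set.of("teller"), "bob", Set.of("customer"));

        ToyHandle getHandle(String objectKey) { return new ToyHandle(objectKey); }

        // Like getEJBObject(): re-creating the reference needs no identity at all.
        String getEJBObject(ToyHandle h) { return h.objectKey; }

        // isCallerInRole()-style decision, made per call from the presented principal.
        boolean invoke(String objectKey, String method, Principal caller) {
            Set<String> allowed = methodRoles.getOrDefault(method, Set.of());
            Set<String> has = caller == null ? Set.of()
                : principalRoles.getOrDefault(caller.getName(), Set.of());
            return allowed.stream().anyMatch(has::contains);
        }
    }

    // Serialize in one "JVM", deserialize in another; the bytes hold no identity.
    static ToyHandle roundTrip(ToyHandle h) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(h); }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            return (ToyHandle) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        ToyContainer c = new ToyContainer();
        ToyHandle fromAlice = roundTrip(c.getHandle("account-42")); // serialized by alice (teller)
        String ref = c.getEJBObject(fromAlice);                      // anyone holding the bytes can do this
        Principal bob = () -> "bob";                                 // bob (customer) makes the calls
        System.out.println("bob withdraw: " + c.invoke(ref, "withdraw", bob));
        System.out.println("bob balance:  " + c.invoke(ref, "balance", bob));
        System.out.println("no identity:  " + c.invoke(ref, "balance", null));
    }
}
```

Bob's withdraw is refused and his balance call allowed because of the roles attached to his call, not to whoever created the handle; a call with no presented identity is refused even though the handle itself deserialized fine.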

> -----Original Message-----
> From: A mailing list for Enterprise JavaBeans development
> [mailto:[EMAIL PROTECTED]]On Behalf Of Richard Monson-Haefel
> Sent: Thursday, September 02, 1999 9:19 AM
> To: [EMAIL PROTECTED]
> Subject: Security problem with javax.ejb.Handle
>
>
> This issue was brought up without resolution over a year ago.  I had
> hoped that it would be adequately addressed in EJB 1.1, but it hasn't.
> In fact now it seems worse, because now the security flaw is mandated,
> not implied as was the case in EJB 1.0.
>
> According to section 8.7 of EJB 1.1:
> "At the minimum, a program running in one JVM must be able to obtain and
> serialize the handle, and another program running in a different JVM
> must be able to deserialize it and re-create an object reference."
>
> Since the only method available on Handle is getEJBObject( ), it's
> assumed that authentication is NOT used to obtain the EJBObject
> reference.  If no authentication is used, no identity is presented, so
> authorization (access control) cannot be done (how can you authorize an
> identity that has not been made available?).  It's possible that the
> Handle is supposed to store the identity and credentials of the client
> that serialized it, and then use that information to automatically
> authenticate when the Handle is used, but this seems like a serious
> security flaw.
>
> --
> Richard Monson-Haefel
> Author of Enterprise JavaBeans
> Published by O'Reilly & Associates
>
> ==================================================================
> =========
> To unsubscribe, send email to [EMAIL PROTECTED] and include
> in the body
> of the message "signoff EJB-INTEREST".  For general help, send email to
> [EMAIL PROTECTED] and include in the body of the message "help".
>
