Hi,
I apologise for posting a WebLogic specific question here and not to the
newsgroup - but a technical hitch is currently preventing me from accessing
the newsgroup. Anyway here is my question:
I am wondering if WebLogic has a major security flaw: I can protect access
to all EJB resources and references in the JNDI service using WebLogic's
access control lists perfectly. Only authorized clients I permit can access
the resources. However, this whole architecture is seemingly blown apart
because the WebLogic console allows anonymous users to connect to WebLogic
and interrogate every part of the server. For instance - some of my EJBs
have sensitive data in their environment properties - but using the console,
an anonymous user can interrogate the EJB for all its environment
properties and values. Additionally, all EJB references I protect access to
in the JNDI service can be easily viewed via the console.
Is it possible to control access to the WebLogic console? I have not found
any information within the WebLogic documentation. It is very worrying if
anonymous users have the ability to arbitrarily investigate one's
application structure.
I am using WebLogic 5.1.
Thanks,
Myles
===========================================================================
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff EJB-INTEREST". For general help, send email to
[EMAIL PROTECTED] and include in the body of the message "help".