That is a fair enough comment, but it is really a separate issue, as at the end of
the day there is definitely a problem with the WebLogic console. I am sure
it is a bug as the problem is intermittent - sometimes I can connect using
an anonymous user and sometimes I cannot.
I configured WebLogic to deny access to JNDI to all users except the system
user, yet I could still connect to WebLogic as the anonymous user using the
console.
I will email my findings to the WebLogic support guys. But in the meantime
I would recommend that everyone deny access by anonymous users using the
following command in the configuration file:
weblogic.security.disableGuest=true
And specifically restrict access permissions on the JNDI at the very root,
using something like:
weblogic.allow.modify.weblogic.jndi=system
weblogic.allow.list.weblogic.jndi=system
weblogic.allow.lookup.weblogic.jndi=system,authorized_clients
Myles
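As an added example that is not part of this thread (and not WebLogic's own tooling), here is a small Python script that audits a weblogic.properties file for exactly the settings recommended above: it checks that weblogic.security.disableGuest is true and that the modify/list/lookup ACLs on the JNDI root are set and do not grant an anonymous principal. The properties reader is a simplified java.util.Properties parser, the two sample files are constructed, and the principal names "everyone" and "guest" are assumed to be the anonymous groups.

```python
"""Audit a WebLogic 5.1 weblogic.properties file for the anonymous-access
settings discussed in the thread.  Added example, not WebLogic's own tooling.

Checks (property names taken from the message above):
  weblogic.security.disableGuest                 must be "true"
  weblogic.allow.{modify,list,lookup}.weblogic.jndi
                                                 must be set and must not
                                                 grant "everyone" or "guest"
"""
import re

JNDI_ACL_KEYS = [
    "weblogic.allow.modify.weblogic.jndi",
    "weblogic.allow.list.weblogic.jndi",
    "weblogic.allow.lookup.weblogic.jndi",
]
# Principal names treated as anonymous.  Assumption for this example: these are
# the group names WebLogic ACLs use for unauthenticated access.
ANONYMOUS_PRINCIPALS = {"everyone", "guest"}


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value, key:value or key value,
    '#'/'!' comment lines, blank lines ignored, trailing-backslash line
    continuations joined, last duplicate key wins."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.lstrip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]          # continued on the next line
            continue
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def split_acl(value):
    """ACL values in weblogic.properties are comma-separated principal names."""
    return {p.strip().lower() for p in value.split(",") if p.strip()}


def audit(props):
    """Return a list of human-readable findings; empty means hardened."""
    findings = []
    if props.get("weblogic.security.disableGuest", "").lower() != "true":
        findings.append("weblogic.security.disableGuest is not 'true': the guest "
                        "(anonymous) user can still log in")
    for key in JNDI_ACL_KEYS:
        if key not in props:
            findings.append(f"{key} is not set: no explicit ACL restricts this "
                            f"operation on the JNDI root")
            continue
        leaked = sorted(split_acl(props[key]) & ANONYMOUS_PRINCIPALS)
        if leaked:
            findings.append(f"{key} grants {', '.join(leaked)}")
    return findings


def audit_text(text):
    return audit(parse_properties(text))


# Constructed sample: an unhardened weblogic.properties fragment.
WEAK_PROPERTIES = """\
# constructed sample, not a real deployment
weblogic.system.listenPort=7001
weblogic.security.disableGuest=false
weblogic.allow.lookup.weblogic.jndi=everyone
weblogic.allow.list.weblogic.jndi=everyone
"""

# The settings recommended in the message above (constructed file around them).
HARDENED_PROPERTIES = """\
weblogic.system.listenPort=7001
weblogic.security.disableGuest=true
weblogic.allow.modify.weblogic.jndi=system
weblogic.allow.list.weblogic.jndi=system
weblogic.allow.lookup.weblogic.jndi=system,authorized_clients
"""

if __name__ == "__main__":
    import sys
    # Usage: python audit_weblogic_props.py [path/to/weblogic.properties]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_PROPERTIES
    for finding in audit_text(text) or ["no findings"]:
        print("-", finding)
```

Run against the weak sample it reports four findings (guest not disabled, no modify ACL, list and lookup granted to everyone); against the hardened sample it reports none. The script only reads the file, so it is safe to run on a production copy of weblogic.properties.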
> -----Original Message-----
> From: Peter Delahunty [SMTP:[EMAIL PROTECTED]]
> Sent: 04 December 2000 11:22
> To: [EMAIL PROTECTED]
> Subject: Re: WebLogic console
>
> I am presuming that the console talks to the server via RMI. Therefore any
> company with half decent security will have a firewall set up to block the
> port RMI talks over. Therefore you have to get past the firewall first.
>
> -----Original Message-----
> From: Jeffery, Myles [mailto:[EMAIL PROTECTED]]
> Sent: Monday, December 04, 2000 9:51 AM
> To: [EMAIL PROTECTED]
> Subject: Re: WebLogic console
>
>
> I wonder how many production WebLogic sites haven't done this :-)
>
> Not many I bet. Just point a WebLogic console at a running server, connect
> as an anonymous user, and start to browse the EJB environment settings - I
> am sure you could dig up a whole lot of sensitive information from it:
> passwords, access control info etc...
>
>
>
> > -----Original Message-----
> > From: Evan Ireland [SMTP:[EMAIL PROTECTED]]
> > Sent: 04 December 2000 08:52
> > To: [EMAIL PROTECTED]
> > Subject: Re: WebLogic console
> >
> > anurag mandloi wrote:
> > >
> > > You can deny access to anonymous and guest users in the weblogic.properties
> > > file.
> >
> > I wonder how many production WebLogic sites haven't done this :-)
> >
> > > See documentation on Security Settings in Properties file.
> > > >
> > > >Hi,
> > > >
> > > >I apologise for posting a WebLogic specific question here and not to the
> > > >newsgroup - but a technical hitch is currently preventing me from accessing
> > > >the newsgroup. Anyway here is my question:
> > > >
> > > >I am wondering if WebLogic has a major security flaw: I can protect access
> > > >to all EJB resources and references in the JNDI service using WebLogic's
> > > >access control lists perfectly. Only authorized clients I permit can access
> > > >the resources. However, this whole architecture is seemingly blown apart
> > > >because the WebLogic console allows anonymous users to connect to WebLogic
> > > >and interrogate every part of the server. For instance - some of my EJBs
> > > >have sensitive data in their environment properties - but using the console,
> > > >an anonymous user can interrogate the EJB for all its environment
> > > >properties and values. Additionally, all EJB references I protect access to
> > > >in the JNDI service can be easily viewed via the console.
> > > >
> > > >Is it possible to control access to the WebLogic console as I have not found
> > > >any information within the WebLogic documentation. It is very worrying if
> > > >anonymous users have the ability to arbitrarily investigate one's
> > > >application structure.
> > > >
> > > >I am using WebLogic 5.1.
> > > >
> > > >Thanks,
> > > >
> > > >Myles
> > > >
> > >
> >
> > ===========================================================================
> > > >To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> > > >of the message "signoff EJB-INTEREST". For general help, send email to
> > > >[EMAIL PROTECTED] and include in the body of the message "help".
> > > >
> > >
> > >
> >
> > >
> > >
> >
> >
> > --
> > ___________________________________________________________________________
> >
> > Evan Ireland                                  Sybase EAServer Engineering
> > [EMAIL PROTECTED]
> > Wellington, New Zealand                       +64 4 934-5856
> >
> >
>
>