The JSP page resides on your own server.  Your vulnerability to someone
being able to inspect java beans installed on your server and 'exploit'
them is not a problem if you configure your web server security to prevent someone
from "PUT"ing a JSP page in your web space who is not authorized to publish
documents.  If just anyone can put a document in your web space you have
much bigger security problems to be concerned about than someone taking a peek at your
beans.

Trojan beans and JSPs are another matter.  That's why I wouldn't install
any beans that didn't come with the java source, and use the Java Security
Manager to limit what java classes/methods can be used in a JSP.  And of
course the JVM the servlet engine is running in should be some underprivileged
user like nobody, definitely not root.  Just like the web server running as nobody.

I believe the servlet spec has already addressed the issue that the quote below
is referring to.

Regards,

Glenn

"Donald E. Vandenbeld" wrote:
>
> I came across an article about JSP on lantimes.com.  I think it's an older
> article but it mentions a security problem with beans that I've not heard of
> before. I was wondering if this 'flaw' is indeed present and what can be
> done to guard against it.  I am including a copy of the paragraph in
> question here:
>
> "Since a large percentage of JavaServer Pages applications are dependent on
> the use of JavaBeans components, they can potentially contain security
> flaws. To be specific, all methods defined within a particular JavaBean are
> accessible to the general public, even if the JSP application itself does
> not use them all. In other words, anyone with Web development knowledge
> could write any number of small, subversive applications, which retrieve
> sensitive information through these JavaBeans data access methods. There are
> ways to prevent such unauthorized use of JavaBeans components, but
> developers must take the time and effort necessary to implement these
> security measures. "
>
> Full article by E. Shane Turner is at:
> http://www.lantimes.com/ltparts/reviews/st68.htm
>
> Thanks, Donald
>
> ===========================================================================
> To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
> Some relevant FAQs on JSP/Servlets can be found at:
>
>  http://java.sun.com/products/jsp/faq.html
>  http://www.esperanto.org.nz/jsp/jspfaq.html
>  http://www.jguru.com/jguru/faq/faqpage.jsp?name=JSP
>  http://www.jguru.com/jguru/faq/faqpage.jsp?name=Servlets

--
----------------------------------------------------------------------
Glenn Nielsen             [EMAIL PROTECTED] | /* Spelin donut madder    |
MOREnet System Programming               |  * if iz ina coment.      |
Missouri Research and Education Network  |  */                       |
----------------------------------------------------------------------
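As an added illustration (not from Glenn's mail or from any servlet engine's own configuration), a Java security policy fragment of the kind a servlet engine loads when started with a Security Manager: code loaded from the web application gets only the permissions listed, so a JSP or bean cannot read arbitrary files, open sockets or use reflection to reach into other beans. The `${catalina.home}`, `myapp` and `WEB-INF/data` paths are assumed placeholders, and the codeBase an engine assigns to compiled JSP classes differs between engines, so check its documentation.

```java
// Assumed policy fragment; the webapp name and paths are placeholders.
// Permissions apply only to code whose codeBase lies under this directory tree;
// anything not granted here (other file reads, writes, sockets, reflection) is denied.
grant codeBase "file:${catalina.home}/webapps/myapp/-" {
    // Read-only access to the webapp's own data directory and nothing else on disk
    permission java.io.FilePermission "${catalina.home}/webapps/myapp/WEB-INF/data/-", "read";

    // A few harmless system properties that templates commonly read
    permission java.util.PropertyPermission "line.separator", "read";
    permission java.util.PropertyPermission "file.encoding", "read";

    // Deliberately absent: java.net.SocketPermission (no outbound connections),
    // java.lang.RuntimePermission "accessDeclaredMembers" (no reflection on
    // non-public bean members), "createClassLoader" and "exitVM", and any
    // java.io.FilePermission with "write", "delete" or "execute" actions.
};
```

A policy file like this takes effect only when the JVM is started with `-Djava.security.manager -Djava.security.policy=<file>`. The Security Manager has been deprecated for removal since JDK 17 (JEP 411), so this control belongs to the JVMs of the period discussed; on current JDKs the equivalent containment comes from the OS user and filesystem permissions Glenn also mentions.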