subject:"\[jboss\-user\] \[JBoss Seam\] \- Re\: Glaring Security Hole\?"

[jboss-user] [JBoss Seam] - Re: Glaring Security Hole?

2006-09-19 Thread bfagan

I don't think it's any more of a hassle than creating a @Remote or @WebSerivce 
interface.  In fact we're talking about just one tag, @WebRemote, in a class.

It would also be easier for developers who are new to Seam Remoting to follow 
if it is consistent.  I have to use @WebRemote on sessions, but @NoWebRemote 
on entities? Why'd that do that?

If you're worried about existing developers or eliminating the speed-bump, you 
can always create a property in a config file somewhere that would 
enable/disable entity model remoting restrictions.

From a security standpoint, I think it's much better to err on the side of 
security, i.e. you have to specifically enable which entity models you want 
exposed.

View the original post : 
http://www.jboss.com/index.html?module=bbop=viewtopicp=3972579#3972579

Reply to the post : 
http://www.jboss.com/index.html?module=bbop=postingmode=replyp=3972579
___
jboss-user mailing list
jboss-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-user

[jboss-user] [JBoss Seam] - Re: Glaring Security Hole?

2006-09-18 Thread bfagan

I'm not stating that the data is insecure, but that the model is.

A company's data model can constitute proprietary information or trade secret.

What I'm blatantly saying is that as much as sessions beans require @WebRemote 
to have their methods exposed under Seam Remoting, entity beans in the same 
distribution should be afforded the same level of preventative measure.

Instantiating a *new* object tells me plenty about how the database is modeled 
and in some cases can reveal proprietary information or trade secret.

A developer may wish to prevent various entity beans from having their model 
exposed.  I'll go a step further and say that entity beans should not have 
their model exposed by default, but that they should be configured with 
@WebRemote as well.  It fosters uniformity and errs on the side of security.

View the original post : 
http://www.jboss.com/index.html?module=bbop=viewtopicp=3972331#3972331

Reply to the post : 
http://www.jboss.com/index.html?module=bbop=postingmode=replyp=3972331
___
jboss-user mailing list
jboss-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-user

[jboss-user] [JBoss Seam] - Re: Glaring Security Hole?

2006-09-18 Thread sbryzak2

I wouldn't go as far as to constrain all entities by default, it would add 
another speedbump that a developer would need to be aware of when 
implementing remoting in their app.  Section 7.9 in the remoting chapter of the 
documentation describes how object graphs returned by invoking a session bean 
can be constrained to exclude sensitive or unnecessary objects.  I've got no 
problem implementing a similar exclusion for entity classes.  Maybe 
@NonRemotable, or even @NoWebRemote would be a good annotation for this use 
case.

View the original post : 
http://www.jboss.com/index.html?module=bbop=viewtopicp=3972452#3972452

Reply to the post : 
http://www.jboss.com/index.html?module=bbop=postingmode=replyp=3972452
___
jboss-user mailing list
jboss-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-user

[jboss-user] [JBoss Seam] - Re: Glaring Security Hole?

2006-09-17 Thread [EMAIL PROTECTED]

That code instantiates a *new* object with empty values. Hence no security hole.

View the original post : 
http://www.jboss.com/index.html?module=bbop=viewtopicp=3972152#3972152

Reply to the post : 
http://www.jboss.com/index.html?module=bbop=postingmode=replyp=3972152
___
jboss-user mailing list
jboss-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-user

[jboss-user] [JBoss Seam] - Re: Glaring Security Hole?

2006-09-15 Thread bfagan

Is the documentation completely wrong then?

In section 7.2.2 Seam.Component, the example shows an entity bean that 
implements serializable with @Name('customer') which is later called through:

var customer = Seam.Component.newInstance(customer);

customer.setFirstName(John);
// Or you can set the fields directly
customer.lastName = Smith;

View the original post : 
http://www.jboss.com/index.html?module=bbop=viewtopicp=3971913#3971913

Reply to the post : 
http://www.jboss.com/index.html?module=bbop=postingmode=replyp=3971913
___
jboss-user mailing list
jboss-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-user

[jboss-user] [JBoss Seam] - Re: Glaring Security Hole?

2006-09-14 Thread [EMAIL PROTECTED]

bfagan wrote : Please correct me if I'm mistaken, but my impression from the 
Seam Reference document is that if you enable Seam Remoting then any Entity 
bean that you've given a Seam @Name has it's data model exposed.
  | 
  | Let's say you have a large corporation and a developer uses a wonderful IDE 
wizard to turn their database model into a package of easy to use Seam-enabled 
entities.  Next the developer enables Seam Remoting to use an @WebRemote 
enabled session bean.  
  | 
  | Any competitor to said large corporation can search javascript segments for 
Seam.Component.newInstance() methods, call out to the Seam Remoting URL garner 
information about the entities and reverse engineer a data model.
  | 
  | It is clear that session beans require @WebRemote annotation.  Why are 
entity beans automatically exposed without such an annotation?

They are only exposed if they are the return value of a method marked @Remote. 
And only their state is exposed, not their methods.

View the original post : 
http://www.jboss.com/index.html?module=bbop=viewtopicp=3971497#3971497

Reply to the post : 
http://www.jboss.com/index.html?module=bbop=postingmode=replyp=3971497
___
jboss-user mailing list
jboss-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-user

[jboss-user] [JBoss Seam] - Re: Glaring Security Hole?

2006-09-13 Thread sbryzak2

Entity beans (and in fact, any JavaBean objects that are returned or referenced 
in the return value by a session bean method) are represented by an equivalent 
Javascript class to provide the developer with a familiar object model to 
work with.  Until now, no-one has expressed any issues with exposing the model 
(I guess it depends on the nature of the project), although I suppose that it 
wouldn't be difficult to annotate certain entities with @Restricted or 
something like this which would prevent it from ever being used in remoting.  
If you'd like such a feature, please raise a JIRA request.

View the original post : 
http://www.jboss.com/index.html?module=bbop=viewtopicp=3971438#3971438

Reply to the post : 
http://www.jboss.com/index.html?module=bbop=postingmode=replyp=3971438
___
jboss-user mailing list
jboss-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-user

[jboss-user] [JBoss Seam] - Re: Glaring Security Hole?

[jboss-user] [JBoss Seam] - Re: Glaring Security Hole?

[jboss-user] [JBoss Seam] - Re: Glaring Security Hole?

[jboss-user] [JBoss Seam] - Re: Glaring Security Hole?

[jboss-user] [JBoss Seam] - Re: Glaring Security Hole?

[jboss-user] [JBoss Seam] - Re: Glaring Security Hole?

[jboss-user] [JBoss Seam] - Re: Glaring Security Hole?

7 matches

Site Navigation

Mail list logo

Footer information