Author: rmannibucau Date: Tue Mar 15 07:48:08 2016 New Revision: 1735025 URL: http://svn.apache.org/viewvc?rev=1735025&view=rev Log: TOMEE-1732 patch from Robert Panzer on ejb protocol, thanks Robert
Modified: tomee/site/trunk/content/ejbd-transport.mdtext Modified: tomee/site/trunk/content/ejbd-transport.mdtext URL: http://svn.apache.org/viewvc/tomee/site/trunk/content/ejbd-transport.mdtext?rev=1735025&r1=1735024&r2=1735025&view=diff ============================================================================== --- tomee/site/trunk/content/ejbd-transport.mdtext (original) +++ tomee/site/trunk/content/ejbd-transport.mdtext Tue Mar 15 07:48:08 2016 @@ -1,5 +1,8 @@ Title: Ejbd Transport +The Ejbd Transport allows to remotely access EJBs that have a remote interface. +Nevertheless it is not based on IIOP. + Ejbd Transport is different using TomEE or OpenEJB. In OpenEJB it uses openejb http layer and ejbd is configured through ejbd service (same for ejbds). 
@@ -28,3 +31,58 @@ containing your webapp context. Simply c and set the url mapping to what you want (let say /foo/*). Then use the provider url http://<host>:<port>/<webapp context name&lgt;/foo +### Remote communication and serialization + +Remotely calling EJBs, independent of using Ejbd or other RMI/IIOP based protocols, involves serialization and deserialization of objects. +Deserializing unknown content coming from an untrusted source imposes a security risk as the stream could be manipulated. +A much publicized [vulnerability](http://www.kb.cert.org/vuls/id/576313) was found in the commons-collections library which allowed to remotely execute arbitrary code simply by deserializing instances of the class `InvokerTransformer`. + +To prevent this risk TomEE and the OpenEJB client since 1.7.4 before deserializing every object checks its class against a black list and a white list. +The default black list is defined as `*`, meaning that requests cannot be deserialized at all and the Ejbd transport in fact cannot be used. + +The black list and white list is configured via the system properties: + +- `tomee.serialization.class.whitelist` +- `tomee.serialization.class.blacklist` + +You will also find these properties in [System Properties Listing](properties-listing.html) + +The default for `tomee.serialization.class.whitelist` is empty, the default for `tomee.serialization.class.blacklist` is `*`. +The black list has a higher priority than the white list. +That means that you have to make sure that you add a required class to the white list and at the same time remove it from the black list. + +If an EJB request fails because a class is not whitelisted you will find this log entry: + + WARN - "null OEJP/4.7" FAIL "Security error - foo.Bar is not whitelisted as deserialisable, prevented before loading it." 
- Debug for StackTrace + +If you trust this class and want to support serialization in remote communication you have to configure these properties appropriately both on server side as well as on client side. + +If you only want to support serialization of the classes `foo.Bar` and `foo.Baz` you can configure the properties like this: + + tomee.serialization.class.whitelist = foo.Bar,foo.Baz + tomee.serialization.class.blacklist = - + +If you trust all classes in the package `foo` define the properties like this: + + tomee.serialization.class.whitelist = foo. + tomee.serialization.class.blacklist = - + +(Don't forget the trailing `.` after foo, as it will also whitelist all classes in the package `foo2` otherwise.) + +If you trust all classes in the package `foo` except the class `foo.Bar` you have to configure the properties like this: + + tomee.serialization.class.whitelist = foo. + tomee.serialization.class.blacklist = foo.Bar + +#### Remote communication and Arquillian tests + +The mechanism described above principally also works when running Arquillian tests. +As the Ejbd transport is already used for deploying applications all Arquillian tests would fail with the default settings. + +Therefore the TomEE Arquillian adapter automatically starts the container so that all classes except for a set of well-know dangerous classes are whitelisted. + +As Ejbd is by default disabled since TomEE 7.0.0, the TomEE Arquillian adapter automatically activates it when starting starting a remote container. + +#### Remote communication and the TomEE Maven Plugin + +The same mentioned above on Arquillian and TomEE is also valid when using the TomEE Maven Plugin. \ No newline at end of file
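Review bot: In the first hunk (@@ -1,5 +1,8 @@), the two new intro sentences are ungrammatical and the connector is misleading: "allows to remotely access EJBs" is not English, and "Nevertheless it is not based on IIOP" contradicts nothing that precedes it. Suggest: "The Ejbd transport gives remote access to EJBs that expose a remote interface. It is TomEE/OpenEJB's own protocol and is not based on IIOP."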
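Review bot: In the second hunk (@@ -28,3 +31,58 @@), the value `-` that every configuration example assigns to `tomee.serialization.class.blacklist` is never explained; since the text says the default is `*` and that the black list wins over the white list, readers need one sentence stating that `-` denotes an explicitly empty black list (as opposed to an unset property falling back to `*`), otherwise the examples look like a typo. In the Arquillian paragraph, "all classes except for a set of well-know dangerous classes are whitelisted" should name or link the list the adapter applies and state plainly that this relaxed setting is a test-container convenience and does not change the production defaults described above. Typos to fix in the added text: "well-know" -> "well-known", "starting starting a remote container" -> "starting a remote container", "The black list and white list is configured" -> "are configured", and "Remotely calling EJBs, independent of using Ejbd" -> "whether over Ejbd or".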