Author: rmannibucau
Date: Tue Mar 15 07:48:08 2016
New Revision: 1735025

URL: http://svn.apache.org/viewvc?rev=1735025&view=rev
Log:
TOMEE-1732 patch from Robert Panzer on ejb protocol, thanks Robert

Modified:
    tomee/site/trunk/content/ejbd-transport.mdtext

Modified: tomee/site/trunk/content/ejbd-transport.mdtext
URL: http://svn.apache.org/viewvc/tomee/site/trunk/content/ejbd-transport.mdtext?rev=1735025&r1=1735024&r2=1735025&view=diff
==============================================================================
--- tomee/site/trunk/content/ejbd-transport.mdtext (original)
+++ tomee/site/trunk/content/ejbd-transport.mdtext Tue Mar 15 07:48:08 2016
@@ -1,5 +1,8 @@
 Title: Ejbd Transport
 
+The Ejbd Transport allows to remotely access EJBs that have a remote interface.
+Nevertheless it is not based on IIOP.
+
 Ejbd Transport is different using TomEE or OpenEJB.
 
 In OpenEJB it uses openejb http layer and ejbd is configured through ejbd 
service (same for ejbds).
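Review bot: the two added sentences at the top of the hunk read awkwardly: "allows to remotely access EJBs" is ungrammatical, and "Nevertheless it is not based on IIOP" contrasts with nothing in the preceding sentence. Suggest replacing them with `The Ejbd transport provides remote access to EJBs that expose a remote interface. It is not based on IIOP.`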
@@ -28,3 +31,58 @@ containing your webapp context. Simply c
 and set the url mapping to what you want (let say /foo/*). Then use the 
provider url
 http://<host>:<port>/<webapp context name&lgt;/foo
 
+### Remote communication and serialization
+
+Remotely calling EJBs, independent of using Ejbd or other RMI/IIOP based 
protocols, involves serialization and deserialization of objects.
+Deserializing unknown content coming from an untrusted source imposes a 
security risk as the stream could be manipulated.
+A much publicized [vulnerability](http://www.kb.cert.org/vuls/id/576313) was 
found in the commons-collections library which allowed to remotely execute 
arbitrary code simply by deserializing instances of the class 
`InvokerTransformer`.
+
+To prevent this risk TomEE and the OpenEJB client since 1.7.4 before 
deserializing every object checks its class against a black list and a white 
list.
+The default black list is defined as `*`, meaning that requests cannot be 
deserialized at all and the Ejbd transport in fact cannot be used.
+
+The black list and white list is configured via the system properties:
+
+- `tomee.serialization.class.whitelist`
+- `tomee.serialization.class.blacklist`
+
+You will also find these properties in [System Properties 
Listing](properties-listing.html)
+
+The default for `tomee.serialization.class.whitelist` is empty, the default 
for `tomee.serialization.class.blacklist` is `*`.
+The black list has a higher priority than the white list.
+That means that you have to make sure that you add a required class to the 
white list and at the same time remove it from the black list.
+
+If an EJB request fails because a class is not whitelisted you will find this 
log entry:
+
+    WARN - "null OEJP/4.7" FAIL "Security error - foo.Bar is not whitelisted 
as deserialisable, prevented before loading it." - Debug for StackTrace
+
+If you trust this class and want to support serialization in remote 
communication you have to configure these properties appropriately both on 
server side as well as on client side.
+
+If you only want to support serialization of the classes `foo.Bar` and 
`foo.Baz` you can configure the properties like this:
+
+    tomee.serialization.class.whitelist = foo.Bar,foo.Baz
+    tomee.serialization.class.blacklist = -
+
+If you trust all classes in the package `foo` define the properties like this:
+
+    tomee.serialization.class.whitelist = foo.
+    tomee.serialization.class.blacklist = -
+
+(Don't forget the trailing `.` after foo, as it will also whitelist all 
classes in the package `foo2` otherwise.)
+
+If you trust all classes in the package `foo` except the class `foo.Bar` you 
have to configure the properties like this:
+
+    tomee.serialization.class.whitelist = foo.
+    tomee.serialization.class.blacklist = foo.Bar
+
+#### Remote communication and Arquillian tests
+
+The mechanism described above principally also works when running Arquillian 
tests.
+As the Ejbd transport is already used for deploying applications all 
Arquillian tests would fail with the default settings.
+
+Therefore the TomEE Arquillian adapter automatically starts the container so 
that all classes except for a set of well-know dangerous classes are 
whitelisted.
+
+As Ejbd is by default disabled since TomEE 7.0.0, the TomEE Arquillian adapter 
automatically activates it when starting starting a remote container.
+
+#### Remote communication and the TomEE Maven Plugin
+
+The same mentioned above on Arquillian and TomEE is also valid when using the 
TomEE Maven Plugin.
\ No newline at end of file
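Review bot: the examples set `tomee.serialization.class.blacklist = -` without ever defining what `-` means; since the same hunk states the default is `*` and that the black list has priority over the white list, a reader cannot tell whether `-` disables the black list or is matched as a literal class-name pattern, so add one sentence defining the value (and whether an empty value behaves the same) before the first example block. Smaller points in the same hunk: "imposes a security risk" should be "poses a security risk", "well-know dangerous classes" should be "well-known", "starting starting a remote container" duplicates a word, and the file should end with a newline (`\ No newline at end of file`).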