On Sep 15, 2004, at 2:14 PM, Ken Horn wrote:
> On WLS, the datastore on the default drivers is serializable (it's bound to the clustered jndi, via a ClusterRemoteRef), and so a servlet / ejb / client app can grab the ds from jndi (this may be using JNDI Reference / Factory stuff). The ds can then create a direct db connection from the code to the db.

Ah, you're talking WLS. Does this only work when you use weblogic's drivers or does it work with any driver? I suppose we could do the same thing. Does WLS handle moving the driver classes to the client or does it assume you have all the classes you need on the client?

> Therefore, if I bind a datasource into jndi, and fail to protect it via some contorted config (what we've thought of so far, is facades calling runAs beans through local interfaces), any user that can authenticate, and can write a java client (or find one), can access the database direct.

Assuming it has the permissions.... or does WLS serialize the username and password?

> I was wondering if the same is possible in Geronimo...
> So key questions are:
> * are datasources by default serializable (does Geronimo use something like the wls remote ref or is the raw driver datastore used?)

Not currently, but if you want it, start by adding a JIRA "New Feature" issue.

> * can client apps access the server jndi tree?

Not yet. Currently a client can only see EJBs with Remote interfaces via JNDI.

> * if yes for the previous q, is there a way to bind an object that isn't remotely accessible?

N/A, but we may change the above, so what do you suggest we do?

-dain
