Evan Ireland wrote:
> Laird Nelson wrote:
> > On a related note: I've observed with Weblogic and other ejb containers
> > that if you include SECURITY_PRINCIPAL and SECURITY_CREDENTIALS in this
> > new InitialContext() call that this applicable-to-JNDI-only information
> > is used to seed the *ejb container's* calling principal! This is also
> > (oddly enough) encouraged in some example code that I've seen. Surely
> > this is wrong?! The SECURITY_PRINCIPAL etc. used at the JNDI layer is
> > NOT the same as the calling principal at the EJB layer, correct?
> Not necessarily, but on the other hand if the JNDI provider is hosted within
> the EJB server, they may be one and the same.
But what happens if you stash that new InitialContext away somewhere?
Now if someone else gets hold of that context, it will produce bean
homes that are initialized with the first guy's identity (in violation
of the JNDI and EJB 1.1 specifications)! Here's a walkthrough example:
1. Superman (having role superuser) creates a new InitialContext,
passing "superman" and "nokryptonite" as SECURITY_PRINCIPAL and
SECURITY_CREDENTIALS.
2. Thinking that all he's done is authenticate himself against the
JNDI tree and not against the EJB container (i.e. thinking that his
container adheres to both the JNDI and EJB 1.1 specification), he
squirrels the InitialContext away somewhere (for some perverse reason).
3. Lex Luthor (having role nopermission) logs in and snoops around.
4. He finds the InitialContext that Superman created. He asks the
context for a DestroySupermanHome bean home. The context, since it was
badly written, hands him the bean home.
5. He looks up the bean from the bean home.
6. He calls the destroySuperman() method, which requires superuser
permission.
7. The method wipes out our last hope for goodness and light because
the container vendor didn't correctly implement the JNDI and EJB 1.1
specifications, and furthermore encouraged specification violation by
posting bad example code.
Cheers,
Laird
===========================================================================
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff EJB-INTEREST". For general help, send email to
[EMAIL PROTECTED] and include in the body of the message "help".
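The walkthrough above, as an added example that is not part of the original thread and not code from any vendor's container: a self-contained Java simulation of the two behaviours being argued about. It models one context whose SECURITY_PRINCIPAL is captured once and used as the EJB calling principal for every home it ever hands out (the non-compliant case), and one whose homes resolve the caller from the executing thread at invocation time. All class and role names here (Context, Home, DestroySuperman, the ThreadLocal stand-in for the container's security association, the "superuser"/"nopermission" roles) are hypothetical stand-ins, not real JNDI or EJB API.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Function;
import java.util.function.Supplier;

// Added simulation of the stashed-InitialContext problem. Nothing here is
// real JNDI/EJB API; every type is a hypothetical stand-in for the
// container-side behaviour being discussed.
public class StashedContextDemo {

    // Hypothetical stand-in for the container's per-thread security
    // association: who is executing right now, as set at application login.
    static final ThreadLocal<String> CALLER = new ThreadLocal<>();

    // Constructed role table for the two actors in the walkthrough.
    static final Map<String, String> ROLES = new HashMap<>();
    static {
        ROLES.put("superman", "superuser");
        ROLES.put("lex", "nopermission");
    }

    // The bean whose method requires the superuser role.
    interface DestroySuperman {
        String destroySuperman();
    }

    // A bean home; its beans are bound to some way of finding the caller.
    interface Home {
        DestroySuperman create();
    }

    // Simplified stand-in for "new InitialContext(env)" as the container sees it.
    interface Context {
        Home lookup(String name);
    }

    // Role check performed by the bean at call time, using whatever
    // notion of "calling principal" the container gave it.
    static DestroySuperman bean(Supplier<String> principalOf) {
        return () -> {
            String caller = principalOf.get();
            if (!"superuser".equals(ROLES.get(caller))) {
                return "DENIED for " + caller;
            }
            return "destroyed by " + caller;
        };
    }

    // Non-compliant container: the SECURITY_PRINCIPAL passed to the JNDI
    // context is captured once and used as the EJB calling principal for
    // every home the context ever produces, whoever later uses it.
    static Context badContext(String securityPrincipal) {
        return name -> () -> bean(() -> securityPrincipal);
    }

    // Compliant container: the JNDI credentials only authenticate the naming
    // lookup; the EJB calling principal is whoever is executing the call.
    static Context goodContext(String securityPrincipal) {
        return name -> () -> bean(CALLER::get);
    }

    // The place Superman "squirrels the InitialContext away".
    static final AtomicReference<Context> STASH = new AtomicReference<>();

    // Runs steps 1-6 of the walkthrough against a given container model.
    static String run(Function<String, Context> container) throws InterruptedException {
        // Steps 1-2: Superman authenticates to JNDI and stashes the context.
        Thread superman = new Thread(() -> {
            CALLER.set("superman");
            STASH.set(container.apply("superman"));
        });
        superman.start();
        superman.join();

        // Steps 3-6: Lex Luthor logs in, finds the stashed context, looks up
        // the home and calls the privileged method.
        String[] result = new String[1];
        Thread lex = new Thread(() -> {
            CALLER.set("lex");
            Home home = STASH.get().lookup("DestroySupermanHome");
            result[0] = home.create().destroySuperman();
        });
        lex.start();
        lex.join();
        return result[0];
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("non-compliant container: " + run(StashedContextDemo::badContext));
        System.out.println("compliant container:     " + run(StashedContextDemo::goodContext));
    }
}
```

Run it with plain javac/java. With the non-compliant model the call made from Lex's thread succeeds under Superman's identity, because authority was baked into the object at construction and the object was shared; with the compliant model the same call is denied, because the principal is resolved from the thread that actually makes the EJB call. The practical check is the one the simulation makes explicit: any object that carries a principal with it (a context, a home, a connection) must not be stored where another principal can reach it, unless the container is known to resolve the caller at invocation time rather than at construction.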