You can deny access to anonymous and guest users in the weblogic.properties file.
See the documentation on Security Settings in the Properties file.
>
>Hi,
>
>I apologise for posting a WebLogic specific question here and not to the
>newsgroup - but a technical hitch is currently preventing me from accessing
>the newsgroup. Anyway here is my question:
>
>I am wondering if WebLogic has a major security flaw: I can protect access
>to all EJB resources and references in the JNDI service using WebLogic's
>access control lists perfectly. Only authorized clients I permit can access
>the resources. However, this whole architecture is seemingly blown apart
>because the WebLogic console allows anonymous users to connect to WebLogic
>and interrogate every part of the server. For instance - some of my EJBs
>have sensitive data in their environment properties - but using the console,
>an anonymous user can interrogate the EJB for all its environment
>properties and values. Additionally, all EJB references I protect access to
>in the JNDI service can be easily viewed via the console.
>
>Is it possible to control access to the WebLogic console as I have not found
>any information within the WebLogic documentation. It is very worrying if
>anonymous users have the ability to arbitrarily investigate one's
>application structure.
>
>I am using WebLogic 5.1.
>
>Thanks,
>
>Myles
>
>===========================================================================
>To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
>of the message "signoff EJB-INTEREST". For general help, send email to
>[EMAIL PROTECTED] and include in the body of the message "help".
>