You seem to be quite confused.  Using the console to view
deployed EJBs is different from executing them.  It is true
that using the console allows you to view environment variables,
but only the administrator is supposed to have access to the console,
so it's perfectly OK (otherwise they sure can see it from the physical
file).

--- "Jeffery, Myles" <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I apologise for posting a WebLogic specific question here and not to the
> newsgroup - but a technical hitch is currently preventing me from accessing
> the newsgroup.  Anyway here is my question:
>
> I am wondering if WebLogic has a major security flaw: I can protect access
> to all EJB resources and references in the JNDI service using WebLogic's
> access control lists perfectly.  Only authorized clients I permit can access
> the resources.  However, this whole architecture is seemingly blown apart
> because the WebLogic console allows anonymous users to connect to WebLogic
> and interrogate every part of the server.  For instance - some of my EJBs
> have sensitive data in their environment properties - but using the console,
> an anonymous user can interrogate the EJB for all its environment
> properties and values.  Additionally, all EJB references I protect access to
> in the JNDI service can be easily viewed via the console.
>
> Is it possible to control access to the WebLogic console?  I have not found
> any information within the WebLogic documentation.  It is very worrying if
> anonymous users have the ability to arbitrarily investigate one's
> application structure.
>
> I am using WebLogic 5.1.
>
> Thanks,
>
> Myles
>
> ===========================================================================
> To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> of the message "signoff EJB-INTEREST".  For general help, send email to
> [EMAIL PROTECTED] and include in the body of the message "help".
>


=====
Cuong Q. Tran <[EMAIL PROTECTED]>
