anurag mandloi wrote:
>
> You can deny access to anonymous and guest users in the weblogic.properties
> file.
I wonder how many production WebLogic sites haven't done this :-)
> See documentation on Security Settings in Properties file.
> >
> >Hi,
> >
> >I apologise for posting a WebLogic specific question here and not to the
> >newsgroup - but a technical hitch is currently preventing me from accessing
> >the newsgroup. Anyway here is my question:
> >
> >I am wondering if WebLogic has a major security flaw: I can protect access
> >to all EJB resources and references in the JNDI service using WebLogic's
> >access control lists perfectly. Only authorized clients I permit can access
> >the resources. However, this whole architecture is seemingly blown apart
> >because the WebLogic console allows anonymous users to connect to WebLogic
> >and interrogate every part of the server. For instance - some of my EJBs
> >have sensitive data in their environment properties - but using the console,
> >an anonymous user can interrogate the EJB for all its environment
> >properties and values. Additionally, all EJB references I protect access to
> >in the JNDI service can be easily viewed via the console.
> >
> >Is it possible to control access to the WebLogic console as I have not found
> >any information within the WebLogic documentation. It is very worrying if
> >anonymous users have the ability to arbitrarily investigate one's
> >application structure.
> >
> >I am using WebLogic 5.1.
> >
> >Thanks,
> >
> >Myles
> >
> >===========================================================================
> >To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> >of the message "signoff EJB-INTEREST". For general help, send email to
> >[EMAIL PROTECTED] and include in the body of the message "help".
> >
>
--
________________________________________________________________________________
Evan Ireland Sybase EAServer Engineering [EMAIL PROTECTED]
Wellington, New Zealand +64 4 934-5856
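Added example (not from the thread, not BEA's code): a small audit script that reads a weblogic.properties file and reports ACL entries granting a permission to the open principals "guest" or "everyone", which is the kind of entry the reply above says should be removed. The file fragment is constructed; the key `weblogic.security.disableGuest` and the `weblogic.allow.<permission>.<resource>=<principals>` ACL pattern are assumed from memory of the 5.x property format and should be checked against the 5.1 documentation, and `SomeAdminServlet`, `ReportsHome` and `PayrollHome` are placeholder resource names.

```python
"""Audit a Java .properties file for ACL grants to guest/everyone."""

# Constructed weblogic.properties fragment (not from the original thread).
# Key names are assumptions about the 5.x format; resource names are placeholders.
SAMPLE_PROPERTIES = r"""
# constructed example
weblogic.security.disableGuest=false
weblogic.allow.lookup.weblogic.jndi=everyone
weblogic.allow.execute.weblogic.servlet.SomeAdminServlet=\
    everyone
weblogic.allow.lookup.weblogic.jndi.ejb.ReportsHome=guest, analysts
weblogic.allow.lookup.weblogic.jndi.ejb.PayrollHome=payroll_admins
"""

ACL_PREFIX = "weblogic.allow."
OPEN_PRINCIPALS = frozenset({"guest", "everyone"})


def _unescape(s):
    """Handle the common .properties escapes (\\t, \\n, \\\\, \\=, \\:, \\#)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            nxt = s[i + 1]
            out.append({"t": "\t", "n": "\n", "r": "\r"}.get(nxt, nxt))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def _split_key_value(line):
    """Key ends at the first unescaped '=', ':' or whitespace."""
    i = 0
    while i < len(line):
        if line[i] == "\\":
            i += 2
            continue
        if line[i] in "=: \t":
            break
        i += 1
    key, rest = line[:i], line[i:].lstrip(" \t")
    if rest and rest[0] in "=:":
        rest = rest[1:].lstrip(" \t")
    return _unescape(key), _unescape(rest)


def parse_properties(text):
    """Parse Java .properties text: comments, continuation lines, escapes."""
    props, pending = {}, None
    for raw in text.splitlines():
        line = raw.lstrip()
        if pending is not None:
            line = pending + line          # continuation of the previous line
            pending = None
        elif not line or line[0] in "#!":
            continue
        body = line.rstrip("\\")
        if (len(line) - len(body)) % 2 == 1:  # odd trailing backslashes => continue
            pending = body
            continue
        key, value = _split_key_value(line)
        props[key] = value
    if pending is not None:                # dangling continuation at EOF
        key, value = _split_key_value(pending)
        props[key] = value
    return props


def audit_acls(props, open_principals=OPEN_PRINCIPALS):
    """Return (key, principal) pairs where an ACL grants to an open principal."""
    findings = []
    for key, value in sorted(props.items()):
        if not key.startswith(ACL_PREFIX):
            continue
        for principal in (p.strip() for p in value.split(",")):
            if principal.lower() in open_principals:
                findings.append((key, principal))
    return findings


def guest_disabled(props):
    """True only if the (assumed) disableGuest switch is explicitly on."""
    return props.get("weblogic.security.disableGuest", "false").strip().lower() == "true"


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    print("guest account disabled:", guest_disabled(props))
    for key, principal in audit_acls(props):
        print(f"open grant: {key} -> {principal}")
```

Run it against a real file with `parse_properties(open(path).read())`; every line it prints is an ACL an unauthenticated client can exercise, and the report is only as complete as the list of open principal names you pass in.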