I am presuming that the console talks to the server via RMI. Therefore any
company with half-decent security will have a firewall set up to block the
port RMI talks over. Therefore you have to get past the firewall first.

-----Original Message-----
From: Jeffery, Myles [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 04, 2000 9:51 AM
To: [EMAIL PROTECTED]
Subject: Re: WebLogic console


        I wonder how many production WebLogic sites haven't done this :-)

Not many I bet.  Just point a WebLogic console at a running server, connect
as an anonymous user, and start to browse the EJB environment settings - I
am sure you could dig up a whole lot of sensitive information from it:
passwords, access control info etc...



> -----Original Message-----
> From: Evan Ireland [SMTP:[EMAIL PROTECTED]]
> Sent: 04 December 2000 08:52
> To:   [EMAIL PROTECTED]
> Subject:      Re: WebLogic console
>
> anurag mandloi wrote:
> >
> > You can deny access to anonymous and guest users in the
> > weblogic.properties file.
>
> I wonder how many production WebLogic sites haven't done this :-)
>
> > See documentation on Security Settings in Properties file.
> > >
> > >Hi,
> > >
> > >I apologise for posting a WebLogic specific question here and not to the
> > >newsgroup - but a technical hitch is currently preventing me from accessing
> > >the newsgroup.  Anyway here is my question:
> > >
> > >I am wondering if WebLogic has a major security flaw: I can protect access
> > >to all EJB resources and references in the JNDI service using WebLogic's
> > >access control lists perfectly.  Only authorized clients I permit can access
> > >the resources.  However, this whole architecture is seemingly blown apart
> > >because the WebLogic console allows anonymous users to connect to WebLogic
> > >and interrogate every part of the server.  For instance - some of my EJBs
> > >have sensitive data in their environment properties - but using the console,
> > >an anonymous user can interrogate the EJB for all its environment
> > >properties and values.  Additionally, all EJB references I protect access to
> > >in the JNDI service can be easily viewed via the console.
> > >
> > >Is it possible to control access to the WebLogic console as I have not found
> > >any information within the WebLogic documentation.  It is very worrying if
> > >anonymous users have the ability to arbitrarily investigate one's
> > >application structure.
> > >
> > >I am using WebLogic 5.1.
> > >
> > >Thanks,
> > >
> > >Myles
> > >
> >
> >=========================================================================
> ==
> > >To unsubscribe, send email to [EMAIL PROTECTED] and include in the
> body
> > >of the message "signoff EJB-INTEREST".  For general help, send email to
> > >[EMAIL PROTECTED] and include in the body of the message "help".
> > >
>
> --
> ________________________________________________________________________________
>
> Evan Ireland              Sybase EAServer Engineering
> [EMAIL PROTECTED]
>                             Wellington, New Zealand               +64 4 934-5856
>
