I don't think that is the case. As of the last version
I worked with, I thought it used T3 which uses HTTP as
the transport protocol.

However, all the installations I ever used or
installed had anonymous access disabled by default.

//Nicholas

--- Peter Delahunty
<[EMAIL PROTECTED]> wrote:
> I am presuming that the console talks to the server via RMI. Therefore any
> company with half decent security will have a firewall set up to block the
> port RMI talks over. Therefore you have to get past the firewall first.
>
> -----Original Message-----
> From: Jeffery, Myles [mailto:[EMAIL PROTECTED]]
> Sent: Monday, December 04, 2000 9:51 AM
> To: [EMAIL PROTECTED]
> Subject: Re: WebLogic console
>
>
>         I wonder how many production WebLogic sites haven't done this :-)
>
> Not many I bet.  Just point a WebLogic console at a running server, connect
> as an anonymous user, and start to browse the EJB environment settings - I
> am sure you could dig up a whole lot of sensitive information from it:
> passwords, access control info etc...
>
> > -----Original Message-----
> > From: Evan Ireland [SMTP:[EMAIL PROTECTED]]
> > Sent: 04 December 2000 08:52
> > To:   [EMAIL PROTECTED]
> > Subject:      Re: WebLogic console
> >
> > anurag mandloi wrote:
> > >
> > > You can deny access to anonymous and guest users in the weblogic.properties
> > > file.
> >
> > I wonder how many production WebLogic sites haven't done this :-)
> >
> > > See documentation on Security Settings in Properties file.
> > > >
> > > >Hi,
> > > >
> > > >I apologise for posting a WebLogic specific question here and not to the
> > > >newsgroup - but a technical hitch is currently preventing me from accessing
> > > >the newsgroup.  Anyway here is my question:
> > > >
> > > >I am wondering if WebLogic has a major security flaw: I can protect access
> > > >to all EJB resources and references in the JNDI service using WebLogic's
> > > >access control lists perfectly.  Only authorized clients I permit can access
> > > >the resources.  However, this whole architecture is seemingly blown apart
> > > >because the WebLogic console allows anonymous users to connect to WebLogic
> > > >and interrogate every part of the server.  For instance - some of my EJBs
> > > >have sensitive data in their environment properties - but using the console,
> > > >an anonymous user can interrogate the EJB for all its environment
> > > >properties and values.  Additionally, all EJB references I protect access to
> > > >in the JNDI service can be easily viewed via the console.
> > > >
> > > >Is it possible to control access to the WebLogic console as I have not found
> > > >any information within the WebLogic documentation.  It is very worrying if
> > > >anonymous users have the ability to arbitrarily investigate one's
> > > >application structure.
> > > >
> > > >I am using WebLogic 5.1.
> > > >
> > > >Thanks,
> > > >
> > > >Myles
> > > >
> > > >===========================================================================
> > > >To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> > > >of the message "signoff EJB-INTEREST".  For general help, send email to
> > > >[EMAIL PROTECTED] and include in the body of the message "help".
> >
> > --
> > Evan Ireland              Sybase EAServer Engineering
> > [EMAIL PROTECTED]
> > Wellington, New Zealand               +64 4 934-5856


=====
Nicholas Whitehead
Home: (973) 377 9335
Cell: (973) 615 9646
[EMAIL PROTECTED]

