Oh my God, it's Y2K all over again! Why didn't we think of this?!
Just kidding. Hey, how is Joe Cracker gonna know what the names of my
JavaBeans' methods are? He's not, unless he can get access to my machine and
deploy a Java application that does some reflection on my JavaBeans to get their
methods. At which point I think we'd all agree, my JavaBeans are the least of
my worries. If he can do that, he can do whatever he wants on my machine.
The huge leap the article excerpt leaves out is how do these "small, subversive
applications" . . . "retrieve sensitive information through these JavaBeans data
access methods" from outside my server? Sure it's possible, but far-fetched.
And if you're a bank using JavaBeans in your JSP app., you're hiding behind all
kinds of firewalls and authentication mechanisms that make the security hole in
your JavaBeans' accessor methods irrelevant.
That's my 2 cents.
Scott Stirling
----- Original Message -----
From: Donald E. Vandenbeld <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, April 17, 2000 6:31 PM
Subject: Security problems with beans?
> I came across an article about JSP on lantimes.com. I think it's an older
> article but it mentions a security problem with beans that I've not heard of
> before. I was wondering if this 'flaw' is indeed present and what can be
> done to guard against it. I am including a copy of the paragraph in
> question here:
>
> "Since a large percentage of JavaServer Pages applications are dependent on
> the use of JavaBeans components, they can potentially contain security
> flaws. To be specific, all methods defined within a particular JavaBean are
> accessible to the general public, even if the JSP application itself does
> not use them all. In other words, anyone with Web development knowledge
> could write any number of small, subversive applications, which retrieve
> sensitive information through these JavaBeans data access methods. There are
> ways to prevent such unauthorized use of JavaBeans components, but
> developers must take the time and effort necessary to implement these
> security measures. "
>
> Full article by E. Shane Turner is at:
> http://www.lantimes.com/ltparts/reviews/st68.htm
>
> Thanks, Donald