Couldn't agree more.

>Oh my God, it's Y2K all over again!  Why didn't we think of this?!
>
>Just kidding.  Hey, how is Joe Cracker gonna know what the names of my
>JavaBeans' methods are?  He's not, unless he can get access to my machine and
>deploy a Java application that does some reflection on my JavaBeans to get
>their methods.  At which point I think we'd all agree, my JavaBeans are the
>least of my worries.  If he can do that, he can do whatever he wants on my
>machine.
>
>The huge leap the article excerpt leaves out is how do these "small,
>subversive applications" . . . "retrieve sensitive information through these
>JavaBeans data access methods" from outside my server?  Sure it's possible,
>but far-fetched.  And if you're a bank using JavaBeans in your JSP app, you're
>hiding behind all kinds of firewalls and authentication mechanisms that make
>the security hole in your JavaBeans' accessor methods irrelevant.
>
>That's my 2 cents.
>
>Scott Stirling
>
>
>----- Original Message -----
>From: Donald E. Vandenbeld <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Monday, April 17, 2000 6:31 PM
>Subject: Security problems with beans?
>
>
>> I came across an article about JSP on lantimes.com.  I think it's an older
>> article but it mentions a security problem with beans that I've not heard of
>> before. I was wondering if this 'flaw' is indeed present and what can be
>> done to guard against it.  I am including a copy of the paragraph in
>> question here:
>>
>> "Since a large percentage of JavaServer Pages applications are dependent on
>> the use of JavaBeans components, they can potentially contain security
>> flaws. To be specific, all methods defined within a particular JavaBean are
>> accessible to the general public, even if the JSP application itself does
>> not use them all. In other words, anyone with Web development knowledge
>> could write any number of small, subversive applications, which retrieve
>> sensitive information through these JavaBeans data access methods. There are
>> ways to prevent such unauthorized use of JavaBeans components, but
>> developers must take the time and effort necessary to implement these
>> security measures."
>>
>> Full article by E. Shane Turner is at:
>> http://www.lantimes.com/ltparts/reviews/st68.htm
>>
>> Thanks, Donald
>
>===========================================================================
>To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff
>JSP-INTEREST".
>Some relevant FAQs on JSP/Servlets can be found at:
>
> http://java.sun.com/products/jsp/faq.html
> http://www.esperanto.org.nz/jsp/jspfaq.html
> http://www.jguru.com/jguru/faq/faqpage.jsp?name=JSP
> http://www.jguru.com/jguru/faq/faqpage.jsp?name=Servlets
>
