Thanks guys.  This is what I thought, but I couldn't believe that a writer
would make such a callous remark like that!

Donald

----- Original Message -----
From: "Kevin Duffey" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, April 17, 2000 9:44 PM
Subject: Re: Security problems with beans?


>
>
> Couldn't agree more.
>
> >Oh my God, it's Y2K all over again!  Why didn't we think of this?!
> >
> >Just kidding.  Hey, how is Joe Cracker gonna know what the names of my
> >JavaBeans' methods are?  He's not, unless he can get access to my machine and
> >deploy a Java application that does some reflection on my JavaBeans to get their
> >methods.  At which point I think we'd all agree, my JavaBeans are the least of
> >my worries.  If he can do that, he can do whatever he wants on my machine.
> >
> >The huge leap the article excerpt leaves out is how do these "small, subversive
> >applications" . . . "retrieve sensitive information through these JavaBeans data
> >access methods" from outside my server?  Sure it's possible, but far-fetched.
> >And if you're a bank using JavaBeans in your JSP app., you're hiding behind all
> >kinds of firewalls and authentication mechanisms that make the security hole in
> >your JavaBeans' accessor methods irrelevant.
> >
> >That's my 2 cents.
> >
> >Scott Stirling
> >
> >
> >----- Original Message -----
> >From: Donald E. Vandenbeld <[EMAIL PROTECTED]>
> >To: <[EMAIL PROTECTED]>
> >Sent: Monday, April 17, 2000 6:31 PM
> >Subject: Security problems with beans?
> >
> >
> >> I came across an article about JSP on lantimes.com.  I think it's an older
> >> article but it mentions a security problem with beans that I've not heard of
> >> before. I was wondering if this 'flaw' is indeed present and what can be
> >> done to guard against it.  I am including a copy of the paragraph in
> >> question here:
> >>
> >> "Since a large percentage of JavaServer Pages applications are dependent on
> >> the use of JavaBeans components, they can potentially contain security
> >> flaws. To be specific, all methods defined within a particular JavaBean are
> >> accessible to the general public, even if the JSP application itself does
> >> not use them all. In other words, anyone with Web development knowledge
> >> could write any number of small, subversive applications, which retrieve
> >> sensitive information through these JavaBeans data access methods. There are
> >> ways to prevent such unauthorized use of JavaBeans components, but
> >> developers must take the time and effort necessary to implement these
> >> security measures. "
> >>
> >> Full article by E. Shane Turner is at:
> >> http://www.lantimes.com/ltparts/reviews/st68.htm
> >>
> >> Thanks, Donald
> >
>
> >===========================================================================
> >To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
> >Some relevant FAQs on JSP/Servlets can be found at:
> >
> > http://java.sun.com/products/jsp/faq.html
> > http://www.esperanto.org.nz/jsp/jspfaq.html
> > http://www.jguru.com/jguru/faq/faqpage.jsp?name=JSP
> > http://www.jguru.com/jguru/faq/faqpage.jsp?name=Servlets
> >
