Security Concern TomEE Servlet

2016-10-18 Thread exabrial12
Hey guys,

Older versions of TomEE had an application in the webapps directory you
could remove to not expose your EJBs to the outside world.

At some point, a change happened where the webapp is now integrated. That's
great, but are your EJBs exposed along with your application? Some people
don't use Java EE security (Spring Security, Apache Shiro, etc.) but might
have an EJB deployed.

If the console is secured by default, why aren't your EJBs (that could be
used to extract data from a database or anything else)?

A lot of other application servers run an IIOP port or something, but
sysadmins would know to firewall that port off from the outside world. 

I'm very concerned that an application that was secure in earlier versions
of TomEE would no longer be secure in newer versions of TomEE.

-Jonathan



--
View this message in context: 
http://tomee-openejb.979440.n4.nabble.com/Security-Concern-TomEE-Servlet-tp4680384.html
Sent from the TomEE Users mailing list archive at Nabble.com.


Re: Security Concern TomEE Servlet

2016-10-18 Thread Romain Manni-Bucau
On 19 Oct 2016 00:03, "exabrial12" <exabr...@gmail.com> wrote:
>
> That's very helpful, so the servlet will not be accessible unless EJBd
> security is configured?
>

On 1.x it will be, but all invocations will fail with the default config.

Side note: Arquillian-managed and Maven-plugin-managed instances switch the
config to ensure it works OOTB.



Re: Security Concern TomEE Servlet

2016-10-18 Thread exabrial12
That's very helpful, so the servlet will not be accessible unless EJBd
security is configured?

On Tue, Oct 18, 2016 at 4:43 PM, Romain Manni-Bucau [via TomEE & OpenEJB] <
ml-node+s979440n4680387...@n4.nabble.com> wrote:

> Hi Jonathan,
>
> I assume you are dealing with TomEE 1, since this is no longer active by
> default as of TomEE 7.0.0, for that exact reason. That was not an option on
> TomEE 1 for compatibility reasons, but since 1.7.3 (and even more so 1.7.4)
> you need to configure the security for EJBd calls to work, so even if it is
> active by default, security should be OK.
>
> See http://tomee.apache.org/ejbd-transport.html and
> http://tomee.apache.org/properties-listing.html (tomee.remote.support).
>
> I'm not sure what outcome you expect from your mail, but feel free to
> propose any enhancement.



-- 
Jonathan | exabr...@gmail.com
Pessimists, see a jar as half empty. Optimists, in contrast, see it as half
full.
Engineers, of course, understand the glass is twice as big as it needs to
be.




--
View this message in context: 
http://tomee-openejb.979440.n4.nabble.com/Security-Concern-TomEE-Servlet-tp4680385p4680389.html
Sent from the TomEE Users mailing list archive at Nabble.com.

Re: Security Concern TomEE Servlet

2016-10-18 Thread Romain Manni-Bucau
Hi Jonathan,

I assume you are dealing with TomEE 1, since this is no longer active by
default as of TomEE 7.0.0, for that exact reason. That was not an option on
TomEE 1 for compatibility reasons, but since 1.7.3 (and even more so 1.7.4)
you need to configure the security for EJBd calls to work, so even if it is
active by default, security should be OK.

See http://tomee.apache.org/ejbd-transport.html and
http://tomee.apache.org/properties-listing.html (tomee.remote.support).

I'm not sure what outcome you expect from your mail, but feel free to
propose any enhancement.



Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<https://blog-rmannibucau.rhcloud.com> | Old Wordpress Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
<http://www.tomitribe.com> | JavaEE Factory
<https://javaeefactory-rmannibucau.rhcloud.com>


