That's very helpful, so the servlet will not be accessible unless EJBd
security is configured?
On Tue, Oct 18, 2016 at 4:43 PM, Romain Manni-Bucau [via TomEE & OpenEJB] wrote:
> Hi Jonathan,
> I assume you are dealing with TomEE 1, since this is no longer active by default
> since TomEE 7.0.0 for that exact reason. It was not an option on TomEE 1 for
> compatibility, but since 1.7.3 (and even more 1.7.4) you need to configure
> the security to ensure EJBd calls work, so even if active by default
> security should be ok.
> See http://tomee.apache.org/ejbd-transport.html and
> http://tomee.apache.org/properties-listing.html (tomee.remote.support).
> I'm not sure what your expected outcome from your mail is, but feel free to
> propose any enhancement.
> Romain Manni-Bucau
> 2016-10-18 23:33 GMT+02:00 exabrial12 <[hidden email]
> > Hey guys,
> > Older versions of TomEE had an application in the webapps directory you
> > could remove to not expose your EJBs to the outside world.
> > At some point, a change happened where the webapp is now integrated.
> > great, but are your EJBs exposed along with your application? Some
> > don't use Java EE security (Spring Security, Apache Shiro, etc) but
> > have an EJB deployed.
> > If the console is secured by default, why aren't your EJBs (that could
> > be used to extract data from a database or anything else)?
> > A lot of other application servers run an IIOP port or something, but
> > sysadmins would know to firewall that port off from the outside world.
> > I'm very concerned that an application that was secure in earlier
> > versions of TomEE would no longer be secure in newer versions of TomEE.
> > -Jonathan
> > --
> > View this message in context: http://tomee-openejb.979440.n4.nabble.com/Security-Concern-TomEE-Servlet-tp4680385.html
> > Sent from the TomEE Users mailing list archive at Nabble.com.
Jonathan | exabr...@gmail.com
Pessimists, see a jar as half empty. Optimists, in contrast, see it as half
Engineers, of course, understand the glass is twice as big as it needs to