That's very helpful, so the servlet will not be accessible unless EJBd
security is configured?

On Tue, Oct 18, 2016 at 4:43 PM, Romain Manni-Bucau [via TomEE & OpenEJB] <
ml-node+s979440n4680387...@n4.nabble.com> wrote:

> Hi Jonathan,
>
> I assume you are dealing with TomEE 1, since this is no longer active by default
> since TomEE 7.0.0 for that exact reason. It was not an option on TomEE 1 for
> compatibility, but since 1.7.3 (and even more 1.7.4) you need to configure
> the security to ensure EJBd calls work, so even if active by default,
> security should be OK.
>
> See http://tomee.apache.org/ejbd-transport.html and
> http://tomee.apache.org/properties-listing.html (tomee.remote.support).
>
> I'm not sure what your expected outcome from your mail is, but feel free to
> propose any enhancement.
>
>
>
> Romain Manni-Bucau
>
> 2016-10-18 23:33 GMT+02:00 exabrial12 <[hidden email]>:
>
> > Hey guys,
> >
> > Older versions of TomEE had an application in the webapps directory you
> > could remove to not expose your EJBs to the outside world.
> >
> > At some point, a change happened where the webapp is now integrated. That's
> > great, but are your EJBs exposed along with your application? Some people
> > don't use Java EE security (Spring Security, Apache Shiro, etc) but might
> > have an EJB deployed.
> >
> > If the console is secured by default, why aren't your EJBs (that could be
> > used to extract data from a database or anything else)?
> >
> > A lot of other application servers run an IIOP port or something, but
> > sysadmins would know to firewall that port off from the outside world.
> >
> > I'm very concerned that an application that was secure in earlier versions
> > of TomEE would no longer be secure in newer versions of TomEE.
> >
> > -Jonathan
> >
> >
> >
> > --
> > View this message in context:
> > http://tomee-openejb.979440.n4.nabble.com/Security-Concern-TomEE-Servlet-tp4680385.html
> > Sent from the TomEE Users mailing list archive at Nabble.com.
> >
>



-- 
Jonathan | exabr...@gmail.com
Pessimists, see a jar as half empty. Optimists, in contrast, see it as half
full.
Engineers, of course, understand the glass is twice as big as it needs to
be.



