That's very helpful, so the servlet will not be accessible unless EJBd security is configured?

On Tue, Oct 18, 2016 at 4:43 PM, Romain Manni-Bucau [via TomEE & OpenEJB] <[email protected]> wrote:

> Hi Jonathan,
>
> I assume you deal with TomEE 1 since this is no more active by default since tomee 7.0.0 for that exact reason. Was not an option on TomEE 1 for compatibility but since 1.7.3 (and even more 1.7.4) you need to configure the security to ensure EJBd calls work so even if active by default security should be ok.
>
> See http://tomee.apache.org/ejbd-transport.html and http://tomee.apache.org/properties-listing.html (tomee.remote.support).
>
> I'm not sure what is your expected outcome from your mail but feel free to propose any enhancement.
>
> Romain Manni-Bucau
> @rmannibucau <https://twitter.com/rmannibucau> | Blog <https://blog-rmannibucau.rhcloud.com> | Old Wordpress Blog <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> | LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber <http://www.tomitribe.com> | JavaEE Factory <https://javaeefactory-rmannibucau.rhcloud.com>
>
> 2016-10-18 23:33 GMT+02:00 exabrial12 <[hidden email]>:
>
> > Hey guys,
> >
> > Older versions of TomEE had an application in the webapps directory you could remove to not expose your EJBs to the outside world.
> >
> > At some point, a change happened where the webapp is now integrated. That's great, but are your EJBs exposed along with your application? Some people don't use Java EE security (Spring Security, Apache Shiro, etc) but might have an EJB deployed.
> >
> > If the console is secured by default, why aren't your EJBs (that could be used to extract data from a database or anything else)?
> >
> > A lot of other application servers run an IIOP port or something, but sysadmins would know to firewall that port off from the outside world.
> >
> > I'm very concerned that an application that was secure in earlier versions of TomEE would no longer be secure in newer versions of TomEE.
> >
> > -Jonathan
> >
> > --
> > View this message in context: http://tomee-openejb.979440.n4.nabble.com/Security-Concern-TomEE-Servlet-tp4680385.html
> > Sent from the TomEE Users mailing list archive at Nabble.com.

--
Jonathan | [email protected]
Pessimists, see a jar as half empty. Optimists, in contrast, see it as half full. Engineers, of course, understand the glass is twice as big as it needs to be.

--
View this message in context: http://tomee-openejb.979440.n4.nabble.com/Security-Concern-TomEE-Servlet-tp4680385p4680389.html
Sent from the TomEE Users mailing list archive at Nabble.com.
