On 19 Oct 2016 00:03, "exabrial12" <[email protected]> wrote:
>
> That's very helpful, so the servlet will not be accessible unless EJBd
> security is configured?
>
On 1.x it will be, but all invocations will fail with the default config.
Side note: Arquillian-managed and Maven-plugin-managed instances switch the
config to ensure it works OOTB.

> On Tue, Oct 18, 2016 at 4:43 PM, Romain Manni-Bucau [via TomEE & OpenEJB] <
> [email protected]> wrote:
>
> > Hi Jonathan,
> >
> > I assume you deal with TomEE 1 since this is no longer active by default
> > since TomEE 7.0.0 for that exact reason. Was not an option on TomEE 1 for
> > compatibility but since 1.7.3 (and even more 1.7.4) you need to configure
> > the security to ensure EJBd calls work so even if active by default
> > security should be ok.
> >
> > See http://tomee.apache.org/ejbd-transport.html and
> > http://tomee.apache.org/properties-listing.html (tomee.remote.support).
> >
> > I'm not sure what your expected outcome from your mail is, but feel free
> > to propose any enhancement.
> >
> > Romain Manni-Bucau
> >
> > 2016-10-18 23:33 GMT+02:00 exabrial12 <[hidden email]>:
> >
> > > Hey guys,
> > >
> > > Older versions of TomEE had an application in the webapps directory you
> > > could remove to not expose your EJBs to the outside world.
> > >
> > > At some point, a change happened where the webapp is now integrated.
> > > That's great, but are your EJBs exposed along with your application?
> > > Some people don't use Java EE security (Spring Security, Apache Shiro,
> > > etc.) but might have an EJB deployed.
> > >
> > > If the console is secured by default, why aren't your EJBs (that could
> > > be used to extract data from a database or anything else)?
> > >
> > > A lot of other application servers run an IIOP port or something, but
> > > sysadmins would know to firewall that port off from the outside world.
> > >
> > > I'm very concerned that an application that was secure in earlier
> > > versions of TomEE would no longer be secure in newer versions of TomEE.
> > >
> > > -Jonathan
> > >
> > > --
> > > View this message in context:
> > > http://tomee-openejb.979440.n4.nabble.com/Security-Concern-TomEE-Servlet-tp4680385.html
> > > Sent from the TomEE Users mailing list archive at Nabble.com.
>
> --
> Jonathan | [email protected]
> Pessimists, see a jar as half empty. Optimists, in contrast, see it as half
> full.
> Engineers, of course, understand the glass is twice as big as it needs to
> be.
