On 19 Oct 2016 00:03, "exabrial12" <exabr...@gmail.com> wrote:
>
> That's very helpful, so the servlet will not be accessible unless EJBd
> security is configured?
>

On 1.x it will be, but all invocations will fail with the default config.

Side note: arquillian managed and maven plugin managed instances switch the
config to ensure it works OOTB.

> On Tue, Oct 18, 2016 at 4:43 PM, Romain Manni-Bucau [via TomEE & OpenEJB] <
> ml-node+s979440n4680387...@n4.nabble.com> wrote:
>
> > Hi Jonathan,
> >
> > I assume you deal with TomEE 1 since this is no longer active by default
> > since TomEE 7.0.0 for that exact reason. It was not an option on TomEE 1 for
> > compatibility, but since 1.7.3 (and even more 1.7.4) you need to configure
> > the security to ensure EJBd calls work, so even if active by default
> > security should be ok.
> >
> > See http://tomee.apache.org/ejbd-transport.html and
> > http://tomee.apache.org/properties-listing.html (tomee.remote.support).
> >
> > I'm not sure what your expected outcome from your mail is, but feel free to
> > propose any enhancement.
> >
> >
> >
> > Romain Manni-Bucau
> > @rmannibucau <https://twitter.com/rmannibucau> | Blog
> > <https://blog-rmannibucau.rhcloud.com> | Old Wordpress Blog
> > <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
> > LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
> > <http://www.tomitribe.com> | JavaEE Factory
> > <https://javaeefactory-rmannibucau.rhcloud.com>
> >
> > 2016-10-18 23:33 GMT+02:00 exabrial12 <[hidden email]>:
> >
> > > Hey guys,
> > >
> > > Older versions of TomEE had an application in the webapps directory you
> > > could remove to not expose your EJBs to the outside world.
> > >
> > > At some point, a change happened where the webapp is now integrated. That's
> > > great, but are your EJBs exposed along with your application? Some people
> > > don't use Java EE security (Spring Security, Apache Shiro, etc.) but might
> > > have an EJB deployed.
> > >
> > > If the console is secured by default, why aren't your EJBs (that could be
> > > used to extract data from a database or anything else)?
> > >
> > > A lot of other application servers run an IIOP port or something, but
> > > sysadmins would know to firewall that port off from the outside world.
> > >
> > > I'm very concerned that an application that was secure in earlier versions
> > > of TomEE would no longer be secure in newer versions of TomEE.
> > >
> > > -Jonathan
> > >
> > >
> > >
> > > --
> > > View this message in context:
> > > http://tomee-openejb.979440.n4.nabble.com/Security-Concern-TomEE-Servlet-tp4680385.html
> > > Sent from the TomEE Users mailing list archive at Nabble.com.
> > >
> >
> >
>
>
>
> --
> Jonathan | exabr...@gmail.com
> Pessimists see a jar as half empty. Optimists, in contrast, see it as half
> full. Engineers, of course, understand the glass is twice as big as it needs to
> be.
>
>
>
>
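Added example (not from the thread or the TomEE project): a small POSIX shell check an operator can run against a TomEE instance's conf/system.properties to see whether the tomee.remote.support switch mentioned in the reply is explicitly off. Since the thread says the default differs between TomEE lines (on by default on 1.x, off since 7.0.0), the function takes that default as its second argument rather than assuming one; the property file path and the sample files are assumptions constructed for a stand-alone run.

```shell
#!/bin/sh
# Report whether EJBd remote support is effectively enabled for a TomEE install,
# based on the tomee.remote.support property in conf/system.properties.
#   $1 = path to the properties file
#   $2 = default to assume when the key is absent ("true" for 1.x, "false" for 7.x,
#        per the reply above; this script does not know the version itself)
# Prints "enabled" or "disabled".
remote_support_state() {
  file="$1"
  default="$2"
  # java.util.Properties keeps the last assignment of a key, so take the last match;
  # accept both "key=value" and "key: value" forms and ignore case of the value.
  value=$(grep -E '^[[:space:]]*tomee\.remote\.support[[:space:]]*[=:]' "$file" 2>/dev/null \
          | tail -n 1 \
          | sed -E 's/^[^=:]*[=:][[:space:]]*//' \
          | tr -d '[:space:]' \
          | tr 'A-Z' 'a-z')
  [ -z "$value" ] && value="$default"
  if [ "$value" = "true" ]; then
    echo enabled
  else
    echo disabled
  fi
}

# Constructed sample configs (assumption: not real installs) so the script runs offline.
sample_dir=$(mktemp -d)
printf '%s\n' '# hardened instance' 'tomee.remote.support = false' > "$sample_dir/hardened.properties"
printf '%s\n' '# nothing about remote support set here' > "$sample_dir/untouched.properties"

echo "hardened  (any default): $(remote_support_state "$sample_dir/hardened.properties" true)"
echo "untouched (1.x default): $(remote_support_state "$sample_dir/untouched.properties" true)"
echo "untouched (7.x default): $(remote_support_state "$sample_dir/untouched.properties" false)"
rm -rf "$sample_dir"
```

Run it as `sh check-remote-support.sh`; for a real instance call `remote_support_state /path/to/tomee/conf/system.properties true` (or `false` for 7.x) instead of the constructed files. The check only reads the property file; it does not tell you whether the security configuration the reply refers to is in place, so an "enabled" result is the cue to review that configuration rather than a verdict on it.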