Older versions of TomEE had an application in the webapps directory you
could remove to not expose your EJBs to the outside world.
At some point, a change happened where the webapp is now integrated. That's
great, but are your EJBs exposed along with your application? Some people
don't use Java EE security (Spring Security, Apache Shiro, etc) but might
have an EJB deployed.
If the console is secured by default, why aren't your EJBs (that could be
used to extract data from a database or anything else)?
A lot of other application servers run an IIOP port or something, but
sysadmins would know to firewall that port off from the outside world.
I'm very concerned that an application that was secure in earlier versions
of TomEE would no longer be secure in newer versions of TomEE.
View this message in context:
Sent from the TomEE Users mailing list archive at Nabble.com.