Difference between revisions of "J2EE Misconfiguration: Unsafe Bean Declaration"

From OWASP
(Added contents from Fortify.)
Line 40: Line 40:
 
[[Category:Deployment]]
 
[[Category:Deployment]]
 
[[Category:Java]]
 
[[Category:Java]]
 +
[[Category:Code Snippet]]

Revision as of 13:23, 21 July 2006

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.


This article includes content generously donated to OWASP by Fortify.

Abstract

Entity beans should not be declared remote.

Description

Entity beans that expose a remote interface become part of an application's attack surface. For performance reasons, an application should rarely use remote entity beans, so there is a good chance that a remote entity bean declaration is an error.

Examples

	<ejb-jar>
		<enterprise-beans>
			<entity>
				<ejb-name>EmployeeRecord</ejb-name>
				<home>com.wombat.empl.EmployeeRecordHome</home>
				<remote>com.wombat.empl.EmployeeRecord</remote>
				...
			</entity>
			...
		</enterprise-beans>
	</ejb-jar>
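
A deployment descriptor can be checked for this misconfiguration before release. The following audit script is an added example, not part of the original article or of any Fortify tooling: it reports every `<entity>` bean that declares a `<home>` or `<remote>` interface and accepts descriptors with or without an XML namespace. The `Payroll` session bean and the `*Local` class names in the sample descriptors are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def local_name(tag):
    # Drop any "{namespace}" prefix so DTD-style and namespaced descriptors both match.
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    for child in elem:
        if local_name(child.tag) == name:
            return (child.text or "").strip()
    return None

def remote_entity_beans(descriptor_xml):
    """Return one finding per <entity> bean that declares <home> or <remote>."""
    findings = []
    for elem in ET.fromstring(descriptor_xml).iter():
        if local_name(elem.tag) != "entity":
            continue
        home, remote = child_text(elem, "home"), child_text(elem, "remote")
        if home is not None or remote is not None:
            findings.append({"ejb-name": child_text(elem, "ejb-name"),
                             "home": home, "remote": remote})
    return findings

# Constructed sample: the entity bean from the example above, plus a session bean that is out of scope.
UNSAFE = """<ejb-jar><enterprise-beans>
  <entity>
    <ejb-name>EmployeeRecord</ejb-name>
    <home>com.wombat.empl.EmployeeRecordHome</home>
    <remote>com.wombat.empl.EmployeeRecord</remote>
  </entity>
  <session>
    <ejb-name>Payroll</ejb-name>
    <remote>com.wombat.empl.Payroll</remote>
  </session>
</enterprise-beans></ejb-jar>"""

# Constructed sample: the same bean exposed only through a local view (class names are assumptions).
SAFE = """<ejb-jar><enterprise-beans>
  <entity>
    <ejb-name>EmployeeRecord</ejb-name>
    <local-home>com.wombat.empl.EmployeeRecordLocalHome</local-home>
    <local>com.wombat.empl.EmployeeRecordLocal</local>
  </entity>
</enterprise-beans></ejb-jar>"""

if __name__ == "__main__":
    for name, doc in (("UNSAFE", UNSAFE), ("SAFE", SAFE)):
        print(name, remote_entity_beans(doc))
```

Each finding is a candidate for review: either the remote view is removed in favour of `<local-home>` and `<local>`, or the remote exposure is confirmed as intentional.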


Related Threats

Related Attacks

Related Vulnerabilities

Related Countermeasures
