J2EE Misconfiguration: Unsafe Bean Declaration

From OWASP
Revision as of 13:18, 21 July 2006 by Weilin Zhong (Talk | contribs)


This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.


This article includes content generously donated to OWASP by Fortify.

Abstract

Entity beans should not be declared remote.

Description

Entity beans that expose a remote interface become part of an application's attack surface. For performance reasons, an application should rarely use remote entity beans, so there is a good chance that a remote entity bean declaration is an error.

Examples

	<ejb-jar>
		<enterprise-beans>
			<entity>
				<ejb-name>EmployeeRecord</ejb-name>
				<home>com.wombat.empl.EmployeeRecordHome</home>
				<remote>com.wombat.empl.EmployeeRecord</remote>
				...
			</entity>
			...
		</enterprise-beans>
	</ejb-jar>


Related Threats

Related Attacks

Related Vulnerabilities

Related Countermeasures

Categories