[jboss-user] [JBoss Seam] - Glaring Security Hole?

bfagan do-not-reply at jboss.com
Wed Sep 13 16:29:06 EDT 2006


Please correct me if I'm mistaken, but my impression from the Seam Reference document is that if you enable Seam Remoting then any Entity bean that you've given a Seam @Name has its data model exposed.

Let's say you have a large corporation and a developer uses a wonderful IDE wizard to turn their database model into a package of easy to use Seam-enabled entities.  Next the developer enables Seam Remoting to use an @WebRemote enabled session bean.  

Any competitor to said large corporation can search javascript segments for Seam.Component.newInstance() methods, call out to the Seam Remoting URL, garner information about the entities and reverse engineer a data model.

It is clear that session beans require @WebRemote annotation.  Why are entity beans automatically exposed without such an annotation?

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3971389#3971389

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3971389
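The enumeration step the post describes (searching a page's JavaScript for Seam.Component.newInstance() calls to learn which components are remotable, then comparing that against what the developer meant to expose) as an added example. This is not code from the original post or from the Seam project. The `interface.js?<name>` include pattern, the component names, and the sample page are assumptions constructed for illustration, not captured from any real deployment.

```javascript
// Added example, not from the original post or from Seam itself.
// Given the HTML/JS of a Seam-enabled page, list every component name the page
// reaches through Seam Remoting, then flag the ones that are not on the list of
// components the developer intended to expose (e.g. @WebRemote session beans).
//
// Assumptions (hypothetical, not verified against any Seam release):
//   - per-component stubs are loaded via a script include ending in
//     "interface.js?<name>" with several names joined by "&"
//   - client code instantiates stubs with Seam.Component.newInstance("<name>")

const INTERFACE_SCRIPT_RE = /interface\.js\?([A-Za-z0-9_.,&]+)/g;
const NEW_INSTANCE_RE =
  /Seam\.Component\.newInstance\(\s*["']([^"']+)["']\s*\)/g;

// Return the sorted, de-duplicated set of component names referenced by the page.
function extractRemotingComponents(html) {
  const names = new Set();
  // Names requested in interface.js includes (one include may carry several).
  for (const m of html.matchAll(INTERFACE_SCRIPT_RE)) {
    for (const n of m[1].split(/[&,]/)) {
      if (n) names.add(n);
    }
  }
  // Names instantiated directly in inline or linked JavaScript.
  for (const m of html.matchAll(NEW_INSTANCE_RE)) {
    names.add(m[1]);
  }
  return [...names].sort();
}

// Return the referenced components that were never meant to be remotable.
// allowList is the set of @Name components you deliberately exposed.
function unexpectedComponents(html, allowList) {
  const allowed = new Set(allowList);
  return extractRemotingComponents(html).filter((n) => !allowed.has(n));
}

// Constructed sample page (not a real deployment): one @WebRemote action bean
// plus two entity-like components reached through the same remoting channel.
const SAMPLE_PAGE = `
<script type="text/javascript" src="seam/resource/remoting/remote.js"></script>
<script type="text/javascript"
        src="seam/resource/remoting/interface.js?customerAction&customer&order"></script>
<script type="text/javascript">
  var action = Seam.Component.newInstance("customerAction");
  var cust = Seam.Component.newInstance('customer');
  cust.setName("Acme");
  action.saveCustomer(cust, function (result) { alert(result); });
</script>
`;

// Only the session bean was meant to be remotable (assumed allow list).
const INTENDED_REMOTE_COMPONENTS = ["customerAction"];

if (typeof require !== "undefined" && require.main === module) {
  console.log("referenced:", extractRemotingComponents(SAMPLE_PAGE));
  console.log("unexpected:", unexpectedComponents(SAMPLE_PAGE, INTENDED_REMOTE_COMPONENTS));
}
```

Run it against each page that includes remote.js; any name that shows up in the "unexpected" list is a component reachable from the browser that nobody decided to expose, which is exactly the situation the post is asking about.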



More information about the jboss-user mailing list