[jboss-user] [JBoss Seam] - Re: Glaring Security Hole?

sbryzak2 do-not-reply at jboss.com
Mon Sep 18 21:24:54 EDT 2006


I wouldn't go as far as to constrain all entities by default; it would add another "speedbump" that a developer would need to be aware of when implementing remoting in their app.  Section 7.9 in the remoting chapter of the documentation describes how object graphs returned by invoking a session bean can be constrained to exclude sensitive or unnecessary objects.  I've got no problem implementing a similar exclusion for entity classes.  Maybe @NonRemotable, or even @NoWebRemote would be a good annotation for this use case.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3972452#3972452
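
A sketch of the class-level exclusion proposed in the post, added here as an illustration; it is not Seam's implementation and not code from the post. `@NonRemotable` is the name floated above, while the `view` walker and the sample entities are hypothetical and constructed for this example.

```java
import java.lang.annotation.*;
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.util.*;

public class NonRemotableDemo {
    // Hypothetical marker; the name is the one floated in the post, not a shipped Seam annotation.
    @Inherited @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.TYPE)
    @interface NonRemotable {}

    // Constructed sample entities.
    @NonRemotable
    static class Credentials { String passwordHash = "constructed-sample-value"; }
    static class Address { String city = "Brisbane"; }
    static class Customer {
        String name = "Alice";
        Address address = new Address();
        Credentials credentials = new Credentials();
        List<Object> related = Arrays.asList(new Address(), new Credentials());
    }

    private static final Object OMIT = new Object(); // sentinel: drop this value from the view

    // Builds the client-visible view of an object graph, checking the runtime class of
    // every reachable value so an excluded entity cannot leak through a field or a list.
    static Object view(Object v, Set<Object> seen) throws IllegalAccessException {
        if (v == null || v instanceof String || v instanceof Number || v instanceof Boolean) return v;
        if (v.getClass().isAnnotationPresent(NonRemotable.class)) return OMIT;
        if (v instanceof Iterable) {
            List<Object> items = new ArrayList<>();
            for (Object e : (Iterable<?>) v) { Object r = view(e, seen); if (r != OMIT) items.add(r); }
            return items;
        }
        if (v.getClass().getName().startsWith("java.")) return OMIT; // fail closed on unhandled JDK types
        if (!seen.add(v)) return OMIT; // already visited: break reference cycles
        Map<String, Object> out = new LinkedHashMap<>();
        for (Class<?> c = v.getClass(); c != Object.class; c = c.getSuperclass()) {
            for (Field f : c.getDeclaredFields()) {
                if (Modifier.isStatic(f.getModifiers()) || f.isSynthetic()) continue;
                f.setAccessible(true);
                Object r = view(f.get(v), seen);
                if (r != OMIT) out.put(f.getName(), r);
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        Set<Object> seen = Collections.newSetFromMap(new IdentityHashMap<>());
        System.out.println(view(new Customer(), seen));
    }
}
```

Because the check runs on each value's runtime class, the `Credentials` instance is dropped both as a direct field and as a list element, without any per-method exclusion paths.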
