[jboss-user] [JBoss Seam] - Re: Glaring Security Hole?
gavin.king@jboss.com
do-not-reply at jboss.com
Thu Sep 14 04:45:42 EDT 2006
"bfagan" wrote : Please correct me if I'm mistaken, but my impression from the Seam Reference document is that if you enable Seam Remoting then any Entity bean that you've given a Seam @Name has its data model exposed.
|
| Let's say you have a large corporation and a developer uses a wonderful IDE wizard to turn their database model into a package of easy to use Seam-enabled entities. Next the developer enables Seam Remoting to use an @WebRemote enabled session bean.
|
| Any competitor to said large corporation can search javascript segments for Seam.Component.newInstance() methods, call out to the Seam Remoting URL, garner information about the entities and reverse engineer a data model.
|
| It is clear that session beans require @WebRemote annotation. Why are entity beans automatically exposed without such an annotation?
They are only exposed if they are the return value of a method marked @Remote. And only their state is exposed, not their methods.
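The rule in the reply, that entity state crosses to the browser only as the return value of a remote-enabled method, suggests the obvious defensive pattern: have the @WebRemote method return a purpose-built view object rather than the JPA entity. The following is an added illustration, not code from this thread or from the Seam project; the entity, view class and component names (Customer, CustomerSummary, customerService) are assumptions, and it assumes Seam Remoting serialises a plain JavaBean return type through its getters and no-argument constructor.

```java
// Added example, not part of the original thread or of Seam itself.
// Shows one session bean exposing a narrow view object over remoting
// instead of the entity, so fields such as internalCreditRating never
// appear in the serialised response. Names are illustrative assumptions.
package example.remoting;

import javax.ejb.Local;
import javax.ejb.Stateless;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.PersistenceContext;

import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.WebRemote;

/** Hypothetical entity. If an instance were returned from an @WebRemote
 *  method, every field below would be serialised to the remoting client. */
@Entity
@Name("customer")
class Customer {
    @Id
    Long id;
    String name;
    String email;
    String internalCreditRating; // server-side only; must not reach the browser
}

/** Plain JavaBean carrying only the fields the client actually needs.
 *  Assumed here to be serialised by Seam Remoting via its getters. */
class CustomerSummary {
    private Long id;
    private String name;

    public CustomerSummary() {
    }

    public CustomerSummary(Long id, String name) {
        this.id = id;
        this.name = name;
    }

    public Long getId() {
        return id;
    }

    public void setId(Long id) {
        this.id = id;
    }

    public String getName() {
        return name;
    }

    public void setName(String name) {
        this.name = name;
    }
}

@Local
interface CustomerService {
    CustomerSummary findSummary(Long id);
}

/** Session bean reachable from JavaScript as Seam.Component.newInstance("customerService"). */
@Stateless
@Name("customerService")
public class CustomerServiceBean implements CustomerService {

    @PersistenceContext
    private EntityManager em;

    // The variant to avoid: returning the entity would serialise all of its
    // state, internalCreditRating included, to any caller of this method.
    //
    // @WebRemote
    // public Customer find(Long id) {
    //     return em.find(Customer.class, id);
    // }

    // Only this method is remote-enabled, and only CustomerSummary's state
    // is serialised, so the entity's other fields stay on the server.
    @WebRemote
    public CustomerSummary findSummary(Long id) {
        Customer c = em.find(Customer.class, id);
        if (c == null) {
            return null;
        }
        return new CustomerSummary(c.id, c.name);
    }
}
```

A quick way to audit what a deployment actually exposes is to read the interface script Seam Remoting generates for each @Name'd session bean and list the types that appear as return values; each of those types, and any type reachable through their properties, is what a remoting client can learn about.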
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3971497#3971497