[jboss-user] [JBoss Seam] - Re: Glaring Security Hole?

bfagan do-not-reply at jboss.com
Mon Sep 18 10:35:23 EDT 2006

I'm not stating that the data is insecure, but that the model is.

A company's data model can constitute proprietary information or trade secret.

What I'm blatantly saying is that as much as sessions beans require @WebRemote to have their methods exposed under Seam Remoting, entity beans in the same distribution should be afforded the same level of preventative measure.

Instantiating a *new* object tells me plenty about how the database is modeled and in some cases can reveal proprietary information or trade secret.

A developer may wish to prevent various entity beans from having their model exposed.  I'll go a step further and say that entity beans should not have their model exposed by default, but that they should be configured with @WebRemote as well.  It fosters uniformity and errs on the side of security.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3972331#3972331

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3972331

More information about the jboss-user mailing list