[jboss-user] [JBoss Seam] - Re: Glaring Security Hole?
do-not-reply at jboss.com
Mon Sep 18 10:35:23 EDT 2006
I'm not stating that the data is insecure, but that the model is.
A company's data model can constitute proprietary information or trade secret.
What I'm blatantly saying is that as much as sessions beans require @WebRemote to have their methods exposed under Seam Remoting, entity beans in the same distribution should be afforded the same level of preventative measure.
Instantiating a *new* object tells me plenty about how the database is modeled and in some cases can reveal proprietary information or trade secret.
A developer may wish to prevent various entity beans from having their model exposed. I'll go a step further and say that entity beans should not have their model exposed by default, but that they should be configured with @WebRemote as well. It fosters uniformity and errs on the side of security.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3972331#3972331
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3972331
More information about the jboss-user