
Securing JNDI Lookup

 
bharat kumar
Greenhorn
Posts: 11
Hi,

I have 5 web applications running on the same server. One of the applications is using EJBs. Is there any way for me to restrict the other applications on the same server from accessing the EJBs? i.e. the lookup should fail, or even if the lookup succeeds it should fail while creating the home interface etc.

Thanks,
Bharat.
 
Valentin Tanase
Ranch Hand
Posts: 704
Hi bharat,

There are a couple of approaches that might work with your application, using implicit securities:
  • Use JNDI authentication
  • Use standard J2EE security

The first one is not recommended in a production environment. The main reason is that the clients are authenticated in order to look up the bean's home interface. This however doesn't really protect the bean if the client gets a reference to the bean's remote interface. Only the second one provides real security capabilities and is always recommended in a production environment. It is also a little bit more complex and could require serious changes in your client applications, if you use the fat client model (like RMI clients calling EJBs from outside of the container).

Having said that, you might consider going with 1. All you have to do is to protect your JNDI from unauthorized access. You might need to use the administration tools that come with your container in order to do this. Weblogic for example defines three standard JNDI operations: lookup, modify and list. Also by default Weblogic allows the everyone group to fully access all these operations. Therefore by default there is no JNDI protection. As you might see this is not a good practice in production: clients can still look up MBeans for example, get the server home interface and view valuable server configuration parameters. Second, you need to update your client to use the right credentials in order to look up the bean in the JNDI tree:

Regards.
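The client-side half of option 1 described in the answer above, as an added example that is not code from the thread: an EJB client that binds to the container's JNDI tree with a principal and credentials before it looks up the home interface, and treats a refused bind or a missing lookup permission as "no access". The provider URL, the JNDI name and the user name are placeholders chosen for this illustration; WLInitialContextFactory and the t3 protocol are WebLogic's, matching the container the answer names, and the same Context.SECURITY_PRINCIPAL / Context.SECURITY_CREDENTIALS properties apply to other containers with their own factory class and URL.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

/**
 * Added example (not from the thread): an EJB client that authenticates to
 * the container's JNDI tree before looking up a bean's home interface.
 * PROVIDER_URL, BEAN_JNDI_NAME and the user name are placeholders.
 */
public class AuthenticatedLookup {

    // Placeholder values for the illustration; WLInitialContextFactory and
    // the t3 URL scheme are WebLogic's.
    static final String PROVIDER_URL = "t3://localhost:7001";
    static final String FACTORY = "weblogic.jndi.WLInitialContextFactory";
    static final String BEAN_JNDI_NAME = "ejb/ExampleHome";

    /** Builds an InitialContext that carries the caller's credentials. */
    static Context authenticatedContext(String user, char[] password)
            throws NamingException {
        Hashtable<String, Object> env = new Hashtable<String, Object>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, FACTORY);
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        // These two properties are what the container checks before it
        // grants the "lookup" operation the answer refers to. Without them
        // the client binds as the anonymous/everyone principal.
        env.put(Context.SECURITY_PRINCIPAL, user);
        env.put(Context.SECURITY_CREDENTIALS, new String(password));
        return new InitialContext(env);
    }

    /** Looks up the home object; returns null when access is denied. */
    static Object lookupHome(String user, char[] password) {
        Context ctx = null;
        try {
            ctx = authenticatedContext(user, password);
            // For an EJB 2.x home this result would still be narrowed with
            // PortableRemoteObject.narrow(...) to the home interface type.
            return ctx.lookup(BEAN_JNDI_NAME);
        } catch (AuthenticationException e) {
            // Wrong principal or credentials: the container refused the bind.
            System.err.println("JNDI authentication failed: " + e.getMessage());
            return null;
        } catch (NamingException e) {
            // Covers an authenticated user that lacks the lookup permission
            // (NoPermissionException) as well as an unknown name.
            System.err.println("Lookup denied or failed: " + e.getMessage());
            return null;
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    public static void main(String[] args) {
        Object home = lookupHome("ejbclient", "change-me".toCharArray());
        System.out.println(home == null
                ? "no access to the home interface"
                : "home interface obtained");
    }
}
```

This only gates the lookup, which is exactly the weakness the answer points out: once any application on the server holds a reference to the remote interface, the calls on it are not checked. Option 2, standard J2EE security, closes that gap by declaring security roles and method-permission elements in the bean's ejb-jar.xml so the container authorizes each business method call against the caller's role, regardless of how the reference was obtained.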