This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "J2EE Misconfiguration: Weak Access Permissions"
Weilin Zhong (talk | contribs) |
Weilin Zhong (talk | contribs) (Added contents from Fortify.) |
||
| Line 1: | Line 1: | ||
{{Template:Vulnerability}} | {{Template:Vulnerability}} | ||
| + | {{Template:Fortify}} | ||
| + | |||
| + | ==Abstract== | ||
| + | |||
| + | Permission to invoke EJB methods should not be granted to the ANYONE role. | ||
==Description== | ==Description== | ||
| − | + | If the EJB deployment descriptor contains one or more method permissions that grant access to the special ANYONE role, it indicates that access control for the application has not been fully thought through or that the application is structured in such a way that reasonable access control restrictions are impossible. | |
==Examples == | ==Examples == | ||
| − | + | ||
| + | The following deployment descriptor grants ANYONE permission to invoke the Employee EJB's method named getSalary(). | ||
| + | |||
| + | <pre> | ||
| + | <ejb-jar> | ||
| + | ... | ||
| + | <assembly-descriptor> | ||
| + | <method-permission> | ||
| + | <role-name>ANYONE</role-name> | ||
| + | <method> | ||
| + | <ejb-name>Employee</ejb-name> | ||
| + | <method-name>getSalary</method-name> | ||
| + | </method-permission> | ||
| + | </assembly-descriptor> | ||
| + | ... | ||
| + | </ejb-jar> | ||
| + | </pre> | ||
==Related Threats== | ==Related Threats== | ||
| Line 19: | Line 40: | ||
==Categories== | ==Categories== | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
[[Category:Environmental Vulnerability]] | [[Category:Environmental Vulnerability]] | ||
| − | |||
[[Category:Access Control Vulnerability]] | [[Category:Access Control Vulnerability]] | ||
| − | |||
[[Category:Code Permission Vulnerability]] | [[Category:Code Permission Vulnerability]] | ||
| + | [[Category:Implementation]] | ||
| + | [[Category:Deployment]] | ||
| + | [[Category:Java]] | ||
| + | [[Category:Code Snippet]] | ||
Revision as of 18:22, 21 July 2006
This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.
- This article includes content generously donated to OWASP by
Abstract
Permission to invoke EJB methods should not be granted to the ANYONE role.
Description
If the EJB deployment descriptor contains one or more method permissions that grant access to the special ANYONE role, it indicates that access control for the application has not been fully thought through or that the application is structured in such a way that reasonable access control restrictions are impossible.
Examples
The following deployment descriptor grants ANYONE permission to invoke the Employee EJB's method named getSalary().
<ejb-jar> ... <assembly-descriptor> <method-permission> <role-name>ANYONE</role-name> <method> <ejb-name>Employee</ejb-name> <method-name>getSalary</method-name> </method-permission> </assembly-descriptor> ... </ejb-jar>
