This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

J2EE Misconfiguration: Weak Access Permissions

From OWASP
Revision as of 18:22, 21 July 2006 by Weilin Zhong (talk | contribs) (Added contents from Fortify.)

Jump to: navigation, search

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.

This article includes content generously donated to OWASP by MicroFocus Logo.png

Abstract

Permission to invoke EJB methods should not be granted to the ANYONE role.

Description

If the EJB deployment descriptor contains one or more method permissions that grant access to the special ANYONE role, it indicates that access control for the application has not been fully thought through or that the application is structured in such a way that reasonable access control restrictions are impossible.

Examples

The following deployment descriptor grants ANYONE permission to invoke the Employee EJB's method named getSalary(). 

	<ejb-jar>
		...
		<assembly-descriptor>
			<method-permission>
				<role-name>ANYONE</role-name>
				<method>
					<ejb-name>Employee</ejb-name>
					<method-name>getSalary</method-name>
			</method-permission>
		</assembly-descriptor>
		...
	</ejb-jar>

Related Threats

Related Attacks

Related Vulnerabilities

Related Countermeasures

Category:Access Control

Categories

Retrieved from "https://wiki.owasp.org/index.php?title=J2EE_Misconfiguration:_Weak_Access_Permissions&oldid=7771"