
J2EE Misconfiguration: Weak Access Permissions

From OWASP
Revision as of 12:11, 26 May 2009 by Deleted user



#REDIRECT Least Privilege Violation


Last revision (mm/dd/yy): 05/26/2009


Description

Permission to invoke EJB methods should not be granted to the ANYONE role.

If the EJB deployment descriptor contains one or more method permissions that grant access to the special ANYONE role, it indicates that access control for the application has not been fully thought through or that the application is structured in such a way that reasonable access control restrictions are impossible.


Risk Factors

  • Talk about the factors that make this vulnerability likely or unlikely to actually happen
  • Discuss the technical impact of a successful exploit of this vulnerability
  • Consider the likely business impacts of a successful attack


Examples

The following deployment descriptor grants the ANYONE role permission to invoke the getSalary() method of the Employee EJB, so every caller, authenticated or not, can read salary data.

	<ejb-jar>
		...
		<assembly-descriptor>
			<method-permission>
				<!-- ANYONE: no caller restriction is applied to the listed methods -->
				<role-name>ANYONE</role-name>
				<method>
					<ejb-name>Employee</ejb-name>
					<method-name>getSalary</method-name>
				</method>
			</method-permission>
		</assembly-descriptor>
		...
	</ejb-jar>
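
As an added example (not part of the original OWASP page), a Python check that parses an ejb-jar.xml assembly descriptor and reports every method-permission that opens its methods to all callers: the ANYONE role-name shown above, and the standard `<unchecked/>` element that EJB 2.x and later use for the same effect. The sample descriptor and the bean names in it are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample ejb-jar.xml (an assumption for this example, not any real
# project's descriptor): the page's ANYONE grant, the EJB 2.x <unchecked/>
# equivalent, and one properly restricted method for contrast.
SAMPLE_EJB_JAR = """<ejb-jar>
  <assembly-descriptor>
    <method-permission>
      <role-name>ANYONE</role-name>
      <method><ejb-name>Employee</ejb-name><method-name>getSalary</method-name></method>
    </method-permission>
    <method-permission>
      <unchecked/>
      <method><ejb-name>Employee</ejb-name><method-name>getName</method-name></method>
    </method-permission>
    <method-permission>
      <role-name>hr-manager</role-name>
      <method><ejb-name>Employee</ejb-name><method-name>setSalary</method-name></method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>"""

OPEN_ROLES = {"ANYONE"}  # role names that mean "no caller restriction at all"


def local(tag):
    """Drop any XML namespace so the check also works on namespaced Java EE descriptors."""
    return tag.rsplit("}", 1)[-1]


def find_open_permissions(descriptor_xml):
    """Return (ejb-name, method-name, reason) for every <method-permission> that
    opens its methods to all callers via an OPEN_ROLES role-name or <unchecked/>."""
    findings = []
    for perm in ET.fromstring(descriptor_xml).iter():
        if local(perm.tag) != "method-permission":
            continue
        reasons = []
        for child in perm:
            text = (child.text or "").strip()
            if local(child.tag) == "unchecked":
                reasons.append("unchecked")
            elif local(child.tag) == "role-name" and text.upper() in OPEN_ROLES:
                reasons.append("role " + text)
        for m in (perm if reasons else ()):
            if local(m.tag) == "method":
                fields = {local(f.tag): (f.text or "").strip() for f in m}
                findings.append((fields.get("ejb-name", "*"),
                                 fields.get("method-name", "*"), ", ".join(reasons)))
    return findings
```

Run find_open_permissions() over the contents of each ejb-jar.xml in a build; any finding that is not a deliberately public method should be replaced by a named role and a corresponding <security-role> entry.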


Related Attacks


Related Vulnerabilities


Related Controls


Related Technical Impacts


References

TBD