Debu talked about an EJB security hole
In the post Debu talks about how some customers complain that OC4J does not support anonymous EJB lookup and execution of EJB methods. Debu says:
"In my opinion security is a practice that starts during development and I view this as a big security hole in the applications because you are leaving your EJBs in 'ejb30slsb' applications to be executed by anyone and I will advise against doing this."
He goes on to say that many people have been doing the same for years with other application servers, and that they had looked at this for years but deliberately did not allow it out of the box. He then shows an example of how to do it for those who do not care about security. He finishes with:
"THINK twice before you do this!"
This is an interesting post because it carries a good lesson. In general, if something is not possible or available out of the box and enabling it would be a security risk, do not enable it. There are good reasons the product ships that way. If the product you are using is Internet or intranet facing, the risks are very high. People do love to have things made easy, including not having to authenticate or jump through hoops to use something. If something is disabled because it is a security risk, don't enable it!
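As an added illustration (this is not code from Debu's post or from this one), here is a small Java client that tries exactly the thing Debu warns about: a JNDI lookup of an EJB with no principal and no credentials. It is meant as a check you can run against your own server to confirm the secure default is still in place. The JNDI property names are the standard javax.naming ones; the context factory class, provider URL, application name and bean JNDI name are assumed placeholders and must be replaced with your own.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.naming.NamingSecurityException;

/**
 * Probe whether an EJB can be looked up over JNDI without credentials.
 * Assumptions (not from the original post): the context factory class,
 * ORMI provider URL, application name and JNDI name below are placeholders.
 */
public class AnonymousEjbProbe {

    // Assumed values for illustration only; substitute your own.
    static final String FACTORY = "com.evermind.server.rmi.RMIInitialContextFactory";
    static final String PROVIDER_URL = "ormi://localhost:23791/ejb30slsb";
    static final String JNDI_NAME = "HelloBean";

    enum Result { ANONYMOUS_ALLOWED, ANONYMOUS_DENIED, INCONCLUSIVE }

    /** Build a JNDI environment; pass null for user to attempt an anonymous lookup. */
    static Hashtable<String, String> env(String user, String password) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, FACTORY);
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        if (user != null) {
            env.put(Context.SECURITY_PRINCIPAL, user);
            env.put(Context.SECURITY_CREDENTIALS, password);
        }
        return env;
    }

    /** Attempt the lookup with no credentials and classify what happened. */
    static Result probeAnonymous() {
        Context ctx = null;
        try {
            ctx = new InitialContext(env(null, null));
            Object ref = ctx.lookup(JNDI_NAME);
            // A reference came back with no principal: anonymous lookup is enabled.
            return ref != null ? Result.ANONYMOUS_ALLOWED : Result.INCONCLUSIVE;
        } catch (NamingSecurityException e) {
            // Covers AuthenticationException and NoPermissionException:
            // the server refused the unauthenticated caller, the secure default is in place.
            return Result.ANONYMOUS_DENIED;
        } catch (NamingException e) {
            // Wrong URL, server down, bean not deployed, etc.: says nothing about security.
            return Result.INCONCLUSIVE;
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    public static void main(String[] args) {
        Result r = probeAnonymous();
        System.out.println("Anonymous lookup of " + JNDI_NAME + " at " + PROVIDER_URL + ": " + r);
        if (r == Result.ANONYMOUS_ALLOWED) {
            System.out.println("WARNING: anyone who can reach this port can look up this bean.");
        }
    }
}
```

Two caveats when reading the result. A successful anonymous lookup only proves the first half of what Debu describes (lookup); whether the anonymous caller can also invoke methods depends on the method permissions declared for the bean, so a second step calling a business method is needed to confirm the full hole. And an INCONCLUSIVE result from a plain NamingException is not a pass: fix the connection details and run the probe again before concluding anything.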