-
1. Re: security issues in multi-homed environment
starksm64 Oct 18, 2001 12:19 AM (in response to kunertr)
This is a multi-user environment, not multi-homed. To answer these questions you have to describe who has access to the server the JBoss server will run on.
-
2. Re: security issues in multi-homed environment
jwkaltz Oct 18, 2001 3:33 AM (in response to kunertr)
> 1.) how do I prevent c1 from 'overdeploying' c2.ear
> with his own maliciously made c2.ear
With the Tomcat WARs you can do this by setting up the apps-.xml to point to a place where only the owner of that application has write access. But for the deployed beans (and for the combined stuff ear) I don't know - you can of course write some custom mechanism to handle this: for example, application deployers deposit their stuff in some common directory, you have some cron job that looks in this directory, checks the user/ear name mapping (they must have been previously registered) and, if it's OK, copies them into the actual deployment area.
> 3.) how can I easily prevent c1 from using code
> (JSP,servlet classes or EJB-components that c2 has
> deployed)
Well, c1 could make calls, say, to EJBs that c2 has deployed, but that's the point of deploying components: other applications must be able to call them, right? If they live in a security context, calls will only be possible with valid credentials, so I'm not sure there is a security concern here.
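
One way to write the cron-driven check described in the post above, as an added example that is not part of the original thread or of JBoss. The function name `promote`, the registry format (archive name mapped to the uid allowed to deploy it) and the two directory arguments are assumptions.

```python
import os
import shutil
import stat


def promote(dropbox, deploy_dir, registry):
    """Copy registered, correctly owned archives from dropbox to deploy_dir.

    registry (hypothetical format) maps an archive file name to the uid of
    the one account allowed to deploy it. Returns (deployed, rejected).
    """
    deployed, rejected = [], []
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK
    for name in sorted(os.listdir(dropbox)):
        src = os.path.join(dropbox, name)
        try:
            # O_NOFOLLOW refuses symlinks, so an entry in the dropbox cannot
            # redirect the job to a file somewhere else.
            fd = os.open(src, flags)
        except OSError:
            rejected.append(name)
            continue
        try:
            # fstat the opened file, not the path, so the owner that is
            # checked is the owner of the bytes that get copied.
            st = os.fstat(fd)
            ok = (stat.S_ISREG(st.st_mode)
                  and registry.get(name) == st.st_uid)
            if ok:
                tmp = os.path.join(deploy_dir, "." + name + ".tmp")
                with os.fdopen(fd, "rb", closefd=False) as fh, \
                        open(tmp, "wb") as out:
                    shutil.copyfileobj(fh, out)
        finally:
            os.close(fd)
        if not ok:
            rejected.append(name)
            continue
        # Rename in one step: a half-copied archive never appears under
        # its final name in the deployment area.
        os.replace(tmp, os.path.join(deploy_dir, name))
        os.unlink(src)
        deployed.append(name)
    return deployed, rejected
```

The check only holds if the deployment area is writable solely by the account the job runs under; the rejected list is what the job should log.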