Hi,
I've been mulling over the following security hole in EJBs. Please tell me I am missing something, as this seems like an enormous, systemic problem.
Let's say my bean has a method that takes as an argument some non-final object, and calls a non-final method of that Object, like so:
    public void helloWorld (Object o) {
        System.out.println ("what could go wrong? " + o.toString ());
    }

    // Serializable is required for the RMI stub to marshal the argument at all;
    // assumed here, since the post relies on the object reaching the server.
    public class Hacker extends Object implements java.io.Serializable {
        public String toString () {
            // access the database
            // delete everything.
            // generally screw everything up
            return "you have been own3d. sucker.";
        }
    }
The server would throw a NoClassDefFound for "Hacker" when unmarshalling the parameter which IS an instance of Hacker ;-)
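To make the reply concrete, here is an added example that is not code from either poster. It serializes a client-side Hacker the way an RMI stub would, then unmarshals it through a stand-in server ObjectInputStream whose resolveClass only knows the classes on an assumed server classpath (an allow-list, chosen here, that deliberately lacks Hacker). The class names UnmarshalDemo and ServerObjectInputStream and the toy allow-list are assumptions for the demo; ObjectInputStream.readObject reporting the missing class as ClassNotFoundException is standard JDK behaviour.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Set;

public class UnmarshalDemo {

    // The client-side class from the post, made Serializable so it can be
    // marshalled at all. The server JVM is assumed NOT to have it.
    static class Hacker implements Serializable {
        private static final long serialVersionUID = 1L;
        @Override public String toString() {
            // would do the damage here, if the server ever ran it
            return "you have been own3d. sucker.";
        }
    }

    // Stand-in for the server side of unmarshalling: a class is resolved only
    // if it is on the (assumed) server classpath, modelled as an allow-list.
    static class ServerObjectInputStream extends ObjectInputStream {
        private final Set<String> serverClasspath;

        ServerObjectInputStream(byte[] wire, Set<String> serverClasspath) throws IOException {
            super(new ByteArrayInputStream(wire));
            this.serverClasspath = serverClasspath;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!serverClasspath.contains(desc.getName())) {
                throw new ClassNotFoundException(desc.getName() + " is not on the server classpath");
            }
            return super.resolveClass(desc);
        }
    }

    // The bean method from the post.
    static void helloWorld(Object o) {
        System.out.println("what could go wrong? " + o.toString());
    }

    // What the client stub puts on the wire.
    static byte[] marshal(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed server classpath: knows String, does not know Hacker.
        Set<String> serverClasspath = Set.of("java.lang.String");

        byte[] wire = marshal(new Hacker());
        try (ObjectInputStream in = new ServerObjectInputStream(wire, serverClasspath)) {
            Object o = in.readObject();   // throws before helloWorld can run toString()
            helloWorld(o);
        } catch (ClassNotFoundException e) {
            System.out.println("server rejected the parameter: " + e.getMessage());
        }

        // A parameter whose class the server does know goes through normally.
        try (ObjectInputStream in = new ServerObjectInputStream(marshal("hello"), serverClasspath)) {
            helloWorld(in.readObject());
        }
    }
}
```

Run it with `java UnmarshalDemo.java` on JDK 11 or later (Set.of needs Java 9+). The first readObject fails with ClassNotFoundException, so the overridden toString never executes on the server; the String case prints the greeting. The resolveClass allow-list is also, in spirit, what a deserialization filter (java.io.ObjectInputFilter, JDK 9+) does for a real server: reject any class the server did not expect, whether or not its bytecode happens to be reachable.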