1 Reply Latest reply on Dec 3, 2004 8:41 AM by Bernd Zeitler

    General EJB security question

    Eric Newbie

      Hi,

      I've been mulling over the following security hole in EJBs. Please tell me I am missing something, as this seems like an enormous, systemic problem.

      Let's say my bean has a method that takes as an argument some non-final object, and calls a non-final method of that Object, like so:

      public void helloWorld (Object o)
      {
       System.out.println ("what could go wrong? " + o.toString ());
      }



      Totally harmless, right? But wait, can't any hacker call helloWorld and pass in his own, hacked subclass of Object, like:

      public class Hacker extends Object
      {
       public String toString ()
       {
       // access the database
       // delete everything.
       // generally screw everything up
       return "you have been own3d. sucker.";
       }
      }


      It seems to me that every EJB installation in the world that allows access to untrusted clients must be vulnerable to this attack, unless they have taken the highly unlikely step of making all their objects and methods final. What am I missing?


      Thanks,
      Eric