On Mon, 14 Oct 2002, Sylvia wrote:

> The EJB security model associates roles with users, and controls their
> access to object methods based on those roles.

Yep.

> Where the object is a stateful session object, any user can access it,
> provided they have the necessary roles. This is true even if the object was
> created by a different user. This means that information private to one
> user can be accessed by another. There is also a DOS available because any
> user can destroy the object.

That's a feature, not a bug. ;-)

The EJB specification defines simple role-based access control, as you
describe. There are no attributes like "owner of an object". The CORBA
security services 1.x have the same problem, just with rights instead of
roles. In both cases the enforcement of real world security policies is
very hard. In many cases you have to implement the policy enforcement in
your application, in contradiction to the declarative concept of EJB
security.

Since we are also not happy with EJB and CORBA Components security we are
currently trying to develop something more useful as part of an IST
research project.

> To access the object, a user's client needs to know the IOR. However, on
> the implementations I've tested, IORs are allocated in a trivial way that
> makes it simple to derive new valid IORs from an existing valid one.

An IOR is not supposed to protect an object. That's (pseudo) security by
obscurity. The problem is something different: Sometimes IORs contain
sensitive information in the ObjectId. Once I've even seen a credit card
number in an IOR.

Cheers,

Rudi

------------------------------------------------------------------------
Rudolf Schreiner, CTO, ObjectSecurity Ltd.
St John's Innovation Centre, Cowley Rd., Cambridge CB4 0WS
Tel. +44 1223 420252, Fax. +44 1223 420844
ras@objectsecurity.com, www.objectsecurity.com
------------------------------------------------------------------------
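Added example, not part of this thread and not ObjectSecurity's code, of the application-level enforcement Rudi describes: an EJB 2.x stateful session bean that records the principal that created it and rejects every other caller, which closes the cross-user access Sylvia reports even though the declarative role model cannot express "owner". The bean name, its business methods, and the use of the caller principal's name as the owner identity are assumptions.

```java
import java.security.Principal;
import javax.ejb.CreateException;
import javax.ejb.EJBException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

/**
 * Hypothetical stateful session bean. <method-permission> entries in
 * ejb-jar.xml still decide which roles may call which methods; this class
 * adds the "owner of the object" attribute that the EJB role model lacks.
 */
public class PrivateNotesBean implements SessionBean {
    private SessionContext ctx;
    private String ownerName;   // name of the principal that called create()
    private StringBuffer notes = new StringBuffer();

    public void setSessionContext(SessionContext sc) { this.ctx = sc; }

    /** Runs once per client create(); binds this instance to the caller. */
    public void ejbCreate() throws CreateException {
        Principal p = ctx.getCallerPrincipal();
        if (p == null) {
            throw new CreateException("anonymous callers may not create private notes");
        }
        this.ownerName = p.getName();   // assumption: principal name is stable per user
    }

    /** Ownership check that roles alone cannot express; applied to every business method. */
    private void requireOwner() {
        Principal p = ctx.getCallerPrincipal();
        if (p == null || !ownerName.equals(p.getName())) {
            throw new EJBException("caller is not the owner of this session object");
        }
    }

    public void addNote(String text) { requireOwner(); notes.append(text).append('\n'); }
    public String readNotes()        { requireOwner(); return notes.toString(); }

    // remove() is handled by the container, and a system exception thrown from
    // ejbRemove() discards the instance anyway, so the "any user can destroy
    // the object" case cannot be vetoed here; it can only be narrowed by a
    // method-permission on remove() in the deployment descriptor.
    public void ejbRemove()    { }
    public void ejbActivate()  { }
    public void ejbPassivate() { }
}
```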