Bugtraq mailing list archives

Re: J2EE EJB privacy leak and DOS.


From: Rudolf Schreiner <ras () objectsecurity com>
Date: Tue, 15 Oct 2002 13:47:23 +0200 (CEST)

On Mon, 14 Oct 2002, Sylvia wrote:

> The EJB security model associates roles with users, and controls their
> access to object methods based on those roles.

Yep.
 
> Where the object is a stateful session object, any user can access it,
> provided they have the necessary roles. This is true even if the object was
> created by a different user. This means that information private to one
> user can be accessed by another. There is also a DOS available because any
> user can destroy the object.

That's a feature, not a bug. ;-)

The EJB specification defines simple role based access control, as you
describe. There are no attributes like "owner of an object". The CORBA
security services 1.x have the same problem, just with rights instead of
roles. In both cases the enforcement of real world security policies is
very hard. In many cases you have to implement the policy enforcement in
your application, in contradiction to the declarative concept of EJB
security.

Since we are also not happy with EJB and CORBA Components security, we are
currently trying to develop something more useful as part of an IST
research project.
 
> To access the object, a user's client needs to know the IOR. However, on
> the implementations I've tested, IORs are allocated in a trivial way that
> makes it simple to derive new valid IORs from an existing valid one.

An IOR is not supposed to protect an object. That's (pseudo) security by
obscurity. The problem is something different: sometimes IORs contain
sensitive information in the ObjectId. Once I've even seen a credit card
number in an IOR.

Cheers,
Rudi
------------------------------------------------------------------------
Rudolf Schreiner, CTO, ObjectSecurity Ltd.
St John's Innovation Centre, Cowley Rd., Cambridge CB4 0WS
Tel. +44 1223 420252, Fax. +44 1223 420844 
ras () objectsecurity com, www.objectsecurity.com
------------------------------------------------------------------------ 
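The gap Rudi describes (EJB's declarative role check has no notion of "owner", so a stateful session bean's data is reachable by any caller holding the role) can be closed only inside the bean itself. The following is an added illustration, not code from the thread or from ObjectSecurity: a hypothetical EJB 2.x stateful session bean that records the creating principal and checks it on every business method via `SessionContext.getCallerPrincipal()`. The bean name, method names, `NotOwnerException`, and the deployment descriptor that grants the role are assumed.

```java
import java.security.Principal;
import javax.ejb.CreateException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

// Checked application exception: unlike a RuntimeException (a "system
// exception"), it does not make the container discard the bean instance,
// so a rejected caller cannot use the denial itself to destroy the object.
class NotOwnerException extends Exception {
    NotOwnerException(String msg) { super(msg); }
}

// Hypothetical stateful session bean holding one user's private data.
// ejb-jar.xml (not shown) is assumed to grant the "customer" role access
// to all methods; that role check alone is what the post says is too weak.
public class ShoppingCartBean implements SessionBean {
    private SessionContext ctx;
    private String owner;                        // captured at ejbCreate
    private StringBuffer items = new StringBuffer();

    public void setSessionContext(SessionContext sc) { this.ctx = sc; }

    // Runs once per client create(): the creating principal becomes owner.
    public void ejbCreate() throws CreateException {
        Principal p = ctx.getCallerPrincipal();
        if (p == null) throw new CreateException("unauthenticated caller");
        owner = p.getName();
    }

    // Application-level ownership check the declarative model lacks.
    private void requireOwner() throws NotOwnerException {
        Principal p = ctx.getCallerPrincipal();
        String name = (p == null) ? "<none>" : p.getName();
        if (!owner.equals(name)) {
            throw new NotOwnerException("caller " + name + " does not own cart of " + owner);
        }
    }

    public void addItem(String sku) throws NotOwnerException {
        requireOwner();
        items.append(sku).append(';');
    }

    public String getItems() throws NotOwnerException {
        requireOwner();
        return items.toString();
    }

    // Lifecycle callbacks. ejbRemove is a notification, not a permission
    // point, so no check here can veto another role-holder's remove(); the
    // ownership check above closes the data-access gap, not the DOS one.
    public void ejbRemove() {}
    public void ejbActivate() {}
    public void ejbPassivate() {}
}
```

Every method still needs the role permission in the descriptor; the owner check is an addition to it, not a replacement, and a log entry on each `NotOwnerException` gives the operator a signal that cross-user access is being attempted.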


