tomee-users mailing list archives

From Romain Manni-Bucau
Subject Re: Security Concern TomEE Servlet
Date Tue, 18 Oct 2016 21:50:26 GMT
Hi Jonathan,

I assume you are dealing with TomEE 1, since this is no longer active by default
as of TomEE 7.0.0, for that exact reason. It was not an option on TomEE 1 for
compatibility reasons, but since 1.7.3 (and even more so in 1.7.4) you need to
configure security to ensure EJBd calls work, so even if it is active by default,
security should be OK.

See and (

I'm not sure what your expected outcome from your mail is, but feel free to
propose any enhancement.

Romain Manni-Bucau
@rmannibucau | Blog | Old Wordpress Blog | Github | LinkedIn | Tomitriber | JavaEE Factory

2016-10-18 23:33 GMT+02:00 exabrial12:

> Hey guys,
> Older versions of TomEE had an application in the webapps directory that you
> could remove so as not to expose your EJBs to the outside world.
> At some point, a change happened where the webapp is now integrated. That's
> great, but are your EJBs exposed along with your application? Some people
> don't use Java EE security (Spring Security, Apache Shiro, etc.) but might
> have an EJB deployed.
> If the console is secured by default, why aren't your EJBs (which could be
> used to extract data from a database or anything else)?
> A lot of other application servers run an IIOP port or something, but
> sysadmins would know to firewall that port off from the outside world.
> I'm very concerned that an application that was secure in earlier versions
> of TomEE would no longer be secure in newer versions of TomEE.
> -Jonathan
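The practical question in this exchange is whether a given TomEE install still exposes the remote EJBd endpoint. The script below is an added example written for this thread; it is not code from TomEE or from either poster. It assumes (this is my assumption, not something the thread states) that TomEE 7 enables the remote EJBd servlet only when the system property `tomee.remote.support` is `true`, and that `tomee.serialization.class.whitelist` restricts which classes EJBd will deserialize. It reads a `conf/system.properties` in Java properties syntax and reports the resulting posture; the sample properties are constructed for the example.

```python
"""Audit a TomEE conf/system.properties for EJBd remote-endpoint exposure.

Added example for this thread; not code from TomEE or from either poster.
Assumed (not stated on the page): TomEE 7 enables the remote EJBd servlet
only when the system property tomee.remote.support is "true", and
tomee.serialization.class.whitelist restricts what EJBd will deserialize.
Check the key names against the docs for your TomEE version.
"""
from __future__ import annotations

REMOTE_KEY = "tomee.remote.support"                     # assumed key name
WHITELIST_KEY = "tomee.serialization.class.whitelist"   # assumed key name


def parse_properties(text: str) -> dict[str, str]:
    """Small java.util.Properties reader: '#'/'!' comments, '=' or ':'
    separators (whichever comes first), trailing-backslash continuations."""
    props: dict[str, str] = {}
    pending = ""                                  # continuation buffer
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]                   # join with the next line
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if seps:
            cut = min(seps)
            key, value = line[:cut], line[cut + 1:]
        else:
            key, value = line, ""                 # bare key, empty value
        props[key.strip()] = value.strip()
    return props


def ejbd_exposure(props: dict[str, str]) -> dict[str, object]:
    """Classify the EJBd posture implied by the parsed properties."""
    remote_on = props.get(REMOTE_KEY, "false").strip().lower() == "true"
    whitelist = props.get(WHITELIST_KEY, "").strip()
    if not remote_on:
        verdict = "EJBd endpoint disabled"
    elif whitelist:
        verdict = "EJBd enabled with a serialization whitelist"
    else:
        verdict = "EJBd enabled without a serialization whitelist: review before exposing"
    return {"remote_support": remote_on, "whitelist_set": bool(whitelist), "verdict": verdict}


# Constructed sample, not taken from a real installation.
SAMPLE_SYSTEM_PROPERTIES = """\
# constructed conf/system.properties
tomee.remote.support = true
tomee.serialization.class.whitelist = com.example.app., \\
    java.lang.
"""

if __name__ == "__main__":
    result = ejbd_exposure(parse_properties(SAMPLE_SYSTEM_PROPERTIES))
    print(result["verdict"])
```

Run it against the real `conf/system.properties` of the server in question; a reported "disabled" posture is the 7.x default Romain describes, while an enabled endpoint without a whitelist is the case Jonathan is worried about and should be firewalled or secured before it faces the network.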
