Debu talked about EJB security hole
In the post Debu talks about how some customerís complain that OC4J does not support anonymous EJB lookup and execution of EJB methods. Debu says
"In my opinion security is a practice that starts during development and I view this as a big security hole in the applications because you are leaving your EJBs in ?ejb30slsb? Applications to be executed by anyone and I will advise against doing this."
he goes on to say that many people have been doing similar for years with other application servers and that they had been looking at this for years but did not allow it out of the box. He then goes on to show an example of how to do it for those who do not care about security. He finishes with
"THINK twice before you do this!"
This is an interesting post because it shows a good lesson. In general if something is not possible or available out of the box and itís a security risk then do not enable it. There are good reasons not to do so. If the product you are using is internet or Intranet facing then the risks are very high. People do love to have things made easy, including not having to authenticate or go through hoops to use something. If something that is a security risk is disabled then don't enable it!