Secure That Session Bean!

Using Ethereal, the sniffer I used in NetBeans IDE, Sniffers, and the Deviant Computer User, I sniffed the traffic of the application described in the Building Secure Enterprise Beans in NetBeans IDE tutorial. This is the data stream that Ethereal captured between the web application and the session bean:

When I decoded the Authorization string (it is only Base64-encoded, not encrypted; the decoding is described in step 6 here), the IDE's Output window displayed the username and password that the server requires before the web application may access the session bean:

The point is this: HTTP Basic Authentication on its own is useful for illustrative purposes only. The Authorization header carries the username and password in Base64, an encoding anyone can reverse, so whoever can read the traffic owns the credentials. To really secure the application, the connection itself has to be protected, and that is what Secure Socket Layer (SSL, whose successor is TLS) does. SSL provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection. It relies on public key certificates, the digital equivalent of a passport: a certificate is issued by a trusted organization called a certificate authority (CA) and identifies its bearer. For details, read the Understanding Login Authentication section in the J2EE Tutorial.
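As an added example (not code from this post or from the NetBeans tutorial), the following Python does in code what the Ethereal screenshot shows, and then checks the J2EE-side fix. The first function walks a constructed plaintext HTTP capture (invented host, paths, realm and credentials) and recovers every username and password sent as HTTP Basic with a single Base64 decode. The second scans a constructed web.xml for the misconfiguration the post warns about: a security-constraint that requires a login but does not set transport-guarantee to CONFIDENTIAL, which is the deployment-descriptor way of insisting on SSL.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Constructed sample of a plaintext HTTP exchange, the kind of thing a sniffer
# such as Ethereal reassembles from one TCP session. Host, path, username and
# password are invented for this example.
CAPTURED_STREAM = (
    b"GET /SecureWebApp/index.jsp HTTP/1.1\r\n"
    b"Host: localhost:8080\r\n"
    b"Authorization: Basic ZWpiLWNsaWVudDpzM2NyM3Q=\r\n"
    b"\r\n"
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Length: 2\r\n"
    b"\r\n"
    b"ok"
)

# One header line per match; header names are case-insensitive, lines end in CRLF.
BASIC_RE = re.compile(rb"^Authorization:[ \t]*Basic[ \t]+([A-Za-z0-9+/=]+)[ \t]*\r?$",
                      re.IGNORECASE | re.MULTILINE)


def extract_basic_credentials(stream: bytes) -> list[tuple[str, str]]:
    """Every (username, password) pair sent as HTTP Basic in a plaintext stream.

    Basic auth is Base64("user:password"). Base64 is an encoding, not
    encryption, so recovering the credentials is a single decode.
    """
    found = []
    for token in BASIC_RE.findall(stream):
        try:
            decoded = base64.b64decode(token, validate=True)
        except binascii.Error:
            continue  # malformed token: skip it rather than abort the scan
        # RFC 7617: user-id ":" password, where the password itself may contain ':'
        user, sep, password = decoded.decode("latin-1").partition(":")
        if sep:
            found.append((user, password))
    return found


# Constructed web.xml: the first constraint demands a login but says nothing
# about transport, so the container accepts Basic credentials over plain HTTP.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecureWebApp</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>
"""


def _kids(elem, name):
    """Direct children by local name, ignoring the web-app XML namespace."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]


def constraints_without_ssl(web_xml: str) -> list[str]:
    """URL patterns whose security-constraint requires a login but not SSL.

    Only transport-guarantee CONFIDENTIAL makes the container insist on an
    encrypted connection; NONE (the default when the element is absent) and
    INTEGRAL leave Basic credentials readable on the wire.
    """
    weak = []
    for sc in _kids(ET.fromstring(web_xml), "security-constraint"):
        if not _kids(sc, "auth-constraint"):
            continue  # nothing to log in to, so no credentials at risk here
        guarantee = "NONE"
        for udc in _kids(sc, "user-data-constraint"):
            for tg in _kids(udc, "transport-guarantee"):
                guarantee = (tg.text or "NONE").strip().upper()
        if guarantee != "CONFIDENTIAL":
            for wrc in _kids(sc, "web-resource-collection"):
                weak += [(p.text or "").strip() for p in _kids(wrc, "url-pattern")]
    return weak


if __name__ == "__main__":
    for user, password in extract_basic_credentials(CAPTURED_STREAM):
        print(f"plaintext HTTP leaked user={user!r} password={password!r}")
    for pattern in constraints_without_ssl(WEB_XML):
        print(f"web.xml: {pattern} needs a login but not a CONFIDENTIAL transport")
```

Run it as a script to print the recovered credentials and the offending URL pattern; point constraints_without_ssl at a real web.xml to audit an application before exposing it on a network anyone else can sniff.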


Ouch! I go through the trouble of building an Ultra-Secure EJB and Geertjan cracks it in no time! We'll have to settle this like men! On the bowling lanes. :-) Yup, the example was a very simplistic one just to show where in the DDs you configure this. I'd better put a warning in so no one tries to secure their EJBs like this.

Posted by john.c on July 26, 2005 at 08:12 PM PDT #

If you throw in a few beers, I'll happily destroy you on any bowling lane of your choice.

Posted by Geertjan on July 26, 2005 at 08:31 PM PDT #


Posted by panchal on January 18, 2006 at 01:41 PM PST #


Geertjan Wielenga (@geertjanw) is a Principal Product Manager in the Oracle Developer Tools group living & working in Amsterdam. He is a Java technology enthusiast, evangelist, trainer, speaker, and writer. He blogs here daily.

