J2EE Misconfiguration: Weak Access Permissions for EJB Methods
Weakness ID: 9 (Weakness Variant)Status: Draft
+ Description

Description Summary

If elevated access rights are assigned to EJB methods, then an attacker can take advantage of the permissions to exploit the software system.
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Demonstrative Examples

Example 1

The following deployment descriptor grants ANYONE permission to invoke the Employee EJB's method named getSalary().

(Bad Code)
Example Language: XML 
<ejb-jar>
...
<assembly-descriptor>
<method-permission>
<role-name>ANYONE</role-name>
<method>
<ejb-name>Employee</ejb-name>
<method-name>getSalary</method-name>
</method-permission>
</assembly-descriptor>
...
</ejb-jar>
+ Potential Mitigations

Follow the principle of least privilege when assigning access rights to EJB methods. Permission to invoke EJB methods should not be granted to the ANYONE role.

+ Other Notes

If the EJB deployment descriptor contains one or more method permissions that grant access to the special ANYONE role, it indicates that access control for the application has not been fully thought through or that the application is structured in such a way that reasonable access control restrictions are impossible.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory2Environment
Seven Pernicious Kingdoms (primary)700
ChildOfCategoryCategory4J2EE Environment Issues
Development Concepts (primary)699
ChildOfWeakness BaseWeakness Base266Incorrect Privilege Assignment
Research Concepts (primary)1000
ChildOfCategoryCategory723OWASP Top Ten 2004 Category A2 - Broken Access Control
Weaknesses in OWASP Top Ten (2004) (primary)711
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
7 Pernicious KingdomsJ2EE Misconfiguration: Weak Access Permissions
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
7 Pernicious KingdomsExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Other Notes, Taxonomy Mappings
2009-03-10CWE Content TeamMITREInternal
updated Relationships
2009-07-27CWE Content TeamMITREInternal
updated Demonstrative Examples
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11J2EE Misconfiguration: Weak Access Permissions
Back to top