When you define a JDBC connection pool in GlassFish (also known as Sun Java System Application Server 9) and JDBC resources that point to it, you usually include the database user name and password as pool properties. You might assume this information is available only to applications deployed on the server, but in fact anyone with IP access to the server's ORB port (3700 by default) can fetch the entire datasource definition, credentials included, with a simple JNDI lookup. If the database server is also reachable from that network, you have a security problem.
If you use MySQL you can reduce the exposure somewhat by restricting the database user so that it may only connect from the host running the application server (MySQL grants are qualified by host). Even so, the password itself is still readable by anyone who can reach the ORB.
To prevent access to the datasource information, simply close down remote access to the ORB itself. If you only run web applications, web services and rich clients that talk to the server over HTTP, you don't need to expose the ORB at all. Disabling every ORB listener doesn't work, because the server won't start without at least one IIOP listener, but if you change the listener's address (the interface it binds to) from "0.0.0.0" to "127.0.0.1", the ORB accepts connections only from the application server itself.
Also, don't give SSH access to the server to anyone who shouldn't see those credentials: a user with a shell login could use SSH port forwarding (ssh -L) to tunnel a connection from their own machine to the loopback-bound listener, which bypasses the restriction entirely.
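As an added example (not part of the original post, and not GlassFish's own tooling), the script below audits the iiop-service section of a domain.xml for IIOP/ORB listeners that are enabled and bound to something other than a loopback address, and rewrites every listener's address to 127.0.0.1. It goes a little beyond the text by checking all IIOP listeners, including the SSL ones, since each of them exposes the same JNDI namespace. The domain.xml fragment is constructed for the example and mirrors the GlassFish v2 layout (iiop-listener elements with id, address, port and enabled attributes); the listener names and ports are assumptions.

```python
"""Audit a GlassFish domain.xml for ORB (IIOP) listeners reachable from other hosts,
and produce a copy with every listener bound to loopback only.

Added example, not GlassFish code. The sample XML below is constructed to resemble
the iiop-service section of a GlassFish v2 domain.xml (assumption)."""
import xml.etree.ElementTree as ET
from ipaddress import ip_address

# Constructed sample: the default install binds every IIOP listener to 0.0.0.0.
SAMPLE_DOMAIN_XML = """<domain>
  <configs>
    <config name="server-config">
      <iiop-service>
        <orb use-thread-pool-ids="thread-pool-1" message-fragment-size="1024" max-connections="1024"/>
        <iiop-listener id="orb-listener-1" address="0.0.0.0" port="3700" enabled="true"/>
        <iiop-listener id="SSL" address="0.0.0.0" port="3820" security-enabled="true" enabled="true"/>
        <iiop-listener id="SSL_MUTUALAUTH" address="0.0.0.0" port="3920" security-enabled="true" enabled="false"/>
      </iiop-service>
    </config>
  </configs>
</domain>"""


def is_loopback(address):
    """True for 127.x.x.x, ::1 or the name 'localhost'; False for 0.0.0.0, :: or any real interface."""
    try:
        return ip_address(address).is_loopback
    except ValueError:
        return address.lower() == "localhost"


def exposed_orb_listeners(domain_xml):
    """Return (id, address, port) for every enabled IIOP listener not bound to loopback.

    A disabled listener accepts no connections, so it is skipped; a missing
    'address' attribute is treated as 0.0.0.0 (all interfaces)."""
    root = ET.fromstring(domain_xml)
    found = []
    for listener in root.iter("iiop-listener"):
        if listener.get("enabled", "true").lower() != "true":
            continue
        address = listener.get("address", "0.0.0.0")
        if not is_loopback(address):
            found.append((listener.get("id"), address, listener.get("port")))
    return found


def bind_orb_to_loopback(domain_xml):
    """Return a copy of the XML with every iiop-listener address set to 127.0.0.1.

    The listeners stay enabled, so the server still starts (it refuses to start
    with no IIOP listener at all), but only processes on the box can reach them."""
    root = ET.fromstring(domain_xml)
    for listener in root.iter("iiop-listener"):
        listener.set("address", "127.0.0.1")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for lid, addr, port in exposed_orb_listeners(SAMPLE_DOMAIN_XML):
        print(f"exposed ORB listener: {lid} on {addr}:{port}")
    fixed = bind_orb_to_loopback(SAMPLE_DOMAIN_XML)
    print("exposed after fix:", exposed_orb_listeners(fixed))
```

To run it against a real domain, read domains/domain1/config/domain.xml into `exposed_orb_listeners` with the domain stopped, since the running DAS rewrites that file and will overwrite a hand edit. The supported way to make the same change on a live domain is `asadmin set server.iiop-service.iiop-listener.orb-listener-1.address=127.0.0.1` (assuming the default listener name), followed by a restart; afterwards `netstat -an` should show 3700 listening on 127.0.0.1 rather than 0.0.0.0.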