ABSTRACT

Permission to invoke EJB methods should not be granted to the ANYONE role.

EXPLANATION

If the EJB deployment descriptor contains one or more method permissions that grant access to the special ANYONE role, it indicates that access control for the application has not been fully thought through or that the application is structured in such a way that reasonable access control restrictions are impossible.

Example 1: The following deployment descriptor grants ANYONE permission to invoke the Employee EJB's method named getSalary().


<ejb-jar>
...
<assembly-descriptor>
<method-permission>
<role-name>ANYONE</role-name>
<method>
<ejb-name>Employee</ejb-name>
<method-name>getSalary</method-name>
</method-permission>
</assembly-descriptor>
...
</ejb-jar>
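The check this page describes can be automated over a descriptor file. The following is an added example, not code from the original page or from any EJB container: a small Python scanner that parses an ejb-jar.xml and reports every method whose method-permission names the special ANYONE role. It goes one step beyond the text by also flagging the <unchecked/> element (EJB 2.0 and later), which likewise disables the container's authorization check, and it strips XML namespaces so the same check works on namespaced EJB 3.x descriptors. Both embedded descriptors are constructed samples; the role name "payroll" in the hardened one is an assumption, not something the page specifies.

```python
"""Flag EJB method permissions that expose methods without a real role check.

Added example (not the page's own code). The two descriptors below are
constructed samples: the first reproduces Example 1 from the text, the second
shows the same method restricted to a named application role.
"""
import xml.etree.ElementTree as ET

# Constructed descriptor reproducing Example 1: ANYONE may call Employee.getSalary().
WEAK_DESCRIPTOR = """<ejb-jar>
  <assembly-descriptor>
    <method-permission>
      <role-name>ANYONE</role-name>
      <method>
        <ejb-name>Employee</ejb-name>
        <method-name>getSalary</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
"""

# Constructed hardened descriptor: the method is restricted to the (assumed)
# application role "payroll", written in the namespaced EJB 3.x form.
HARDENED_DESCRIPTOR = """<ejb-jar xmlns="http://java.sun.com/xml/ns/javaee" version="3.1">
  <assembly-descriptor>
    <security-role>
      <role-name>payroll</role-name>
    </security-role>
    <method-permission>
      <role-name>payroll</role-name>
      <method>
        <ejb-name>Employee</ejb-name>
        <method-name>getSalary</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
"""


def _local(tag):
    """Strip a namespace prefix ('{uri}name' -> 'name') so the check works on
    both un-namespaced EJB 2.x and namespaced EJB 3.x descriptors."""
    return tag.rsplit("}", 1)[-1]


def find_unrestricted_methods(descriptor_xml):
    """Return (ejb-name, method-name, reason) for every method that the
    assembly descriptor exposes without a real role check.

    reason is "ANYONE" for the special role this page describes, or
    "unchecked" for the <unchecked/> element, which also turns off the
    container's authorization check for the listed methods.
    """
    root = ET.fromstring(descriptor_xml)
    findings = []
    for perm in root.iter():
        if _local(perm.tag) != "method-permission":
            continue
        roles = [c.text.strip() for c in perm if _local(c.tag) == "role-name" and c.text]
        unchecked = any(_local(c.tag) == "unchecked" for c in perm)
        if "ANYONE" in roles:
            reason = "ANYONE"
        elif unchecked:
            reason = "unchecked"
        else:
            continue  # a named role is required: nothing to report
        for method in perm:
            if _local(method.tag) != "method":
                continue
            ejb = method_name = None
            for field in method:
                if _local(field.tag) == "ejb-name":
                    ejb = (field.text or "").strip()
                elif _local(field.tag) == "method-name":
                    method_name = (field.text or "").strip()
            findings.append((ejb, method_name, reason))
    return findings


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_DESCRIPTOR), ("hardened", HARDENED_DESCRIPTOR)):
        for ejb, method, reason in find_unrestricted_methods(xml):
            print(f"{label}: {ejb}.{method}() granted via {reason}")
```

Run against the weak descriptor the scanner reports Employee.getSalary() as granted via ANYONE; the hardened descriptor produces no findings. A wildcard <method-name>*</method-name> is reported as-is, which is usually the most important hit since it exposes every method of the bean.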

REFERENCES

[1] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A10 Failure to Restrict URL Access

[2] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A2 Broken Access Control

[3] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A8 Failure to Restrict URL Access

[4] Standards Mapping - FIPS200 - (FISMA) AC

[5] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3480.2 CAT II

[6] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 9

[7] Standards Mapping - Web Application Security Consortium 24 + 2 - (WASC 24 + 2) Insufficient Authentication

[8] A. Taylor et al. J2EE & Java: Developing Secure Web Applications with Java Technology (Hacking Exposed). Osborne/McGraw-Hill.

[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.5.10, Requirement 7.2

[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.2, Requirement 7.2

[11] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.8, Requirement 7.2