geronimo-dev mailing list archives

From Dain Sundstrom <dsundst...@gluecode.com>
Subject Re: JNDI provider / remote jndi
Date Wed, 15 Sep 2004 22:07:19 GMT
On Sep 15, 2004, at 2:14 PM, Ken Horn wrote:

> On WLS, the datastore on the default drivers is serializable (it's 
> bound to the clustered jndi, via a ClusterRemoteRef), and so a
> servlet / ejb / client app can grab the ds from jndi (this may be
> using JNDI Reference / Factory stuff). The ds can then create a direct 
> db connection from the code to the db.

Ah, you're talking WLS.  Does this only work when you use weblogic's
drivers or does it work with any driver?  I suppose we could do the 
same thing.  Does WLS handle moving the driver classes to the client or 
does it assume you have all the classes you need on the client?

> Therefore, if I bind a datasource into jndi, and fail to protect it 
> via some contorted config (what we've thought of so far, is facades 
> calling runAs beans through local interfaces), any user that can 
> authenticate, and can write a java client (or find one), can access 
> the database direct.

Assuming it has the permissions.... or does WLS serialize the username 
and password?

> I was wondering if the same is possible in Geronimo...
>
> So key questions are:
> * are datasources by default serializable (does Geronimo use something 
> like the wls remote ref or is the raw driver datastore used?)

Not currently, but if you want it, start by adding a JIRA "New Feature"
issue.

> * can client apps access the server jndi tree?

Not yet.  Currently a client can only see EJBs with Remote interfaces
via JNDI.

> * if yes for the previous q, is there a way to bind an object that 
> isn't remotely accessible?

N/A, but we may change the above so what do you suggest we do?

-dain

