Hi - I've been trying to figure out a way to prevent remote clients (outside the jvm) from retrieving a datasource.
I have a datasource configured in Glassfish that should only be able to be accessed from my EJB's and never from anywhere else.
I've written a little client that uses a remote InitialContext and JDBC to lookup the datasource and run random queries on it - BAD, BAD, BAD!
This means that if a person can authenticate to my Glassfish server, they can run arbitrary SQL against any datasource (as long as they know its JNDI name and have an understanding of Java, JNDI and JDBC).
How can I prevent this?
I know this was an issue with other app servers as well (Weblogic), but some have the ability to lock them down (JBoss).
I read somewhere that setting "allow-non-component-callers" on the connection pool to false will disable this, but it doesn't seem to be happening. Bug maybe? I'm running version: GlassFish Enterprise Server v2.1 (9.1.1) (build b60e-fcs)
I'm looking for a feature similar to JBoss's datasource "use-java-context"...
Can anyone help?
[Message sent by forum member 'svnfightsvn' ]
http://forums.java.net/jive/thread.jspa?messageID=372741