Your application may have a security hole if Java component implementation classes are deployed under EAServer’s html directory. Because that directory is served over EAServer’s HTTP port, an unauthorized user can write a program that connects to the port and downloads the component’s implementation classes, then decompile them and gain access to potentially sensitive information such as database passwords. To close this security hole, Sybase recommends one of the following approaches:
Deploy Java component implementation classes under the EAServer java/classes subdirectory.
Code components that retrieve connection caches to use the getCacheByName API rather than the APIs that require a database password.
Implement your Java components to retrieve potentially sensitive information from a properties file that is not located beneath the EAServer html directory.
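The first and third recommendations above both come down to one rule: nothing that embeds credentials (component classes, JARs, properties files) may live beneath the html directory. The following audit script is an added example written for this page, not Sybase code; it walks an EAServer installation root and reports any such file found under html. The directory names html and java/classes come from the page; the EAServer root path, the sample file names and their contents are constructed for the demonstration. The script checks file location only, not contents, so it is a quick deployment check rather than a substitute for the getCacheByName approach.

```python
"""
Audit an EAServer installation for Java class files, JARs and properties
files that sit beneath the html directory, where the HTTP listener can
serve them to anyone who connects.

Added example for this page; not Sybase code. The html/ and java/classes/
layout follows the page; the sample tree below is constructed.
"""
import os
import tempfile

# File types that should never be reachable through the HTTP document root:
# compiled components can be decompiled, properties files may hold passwords.
SERVABLE_SECRETS = {".class", ".jar", ".properties"}


def find_exposed_files(easerver_root, html_dir="html"):
    """Return sorted paths (relative to easerver_root, '/'-separated) of
    risky files located anywhere beneath the html directory."""
    html_root = os.path.join(easerver_root, html_dir)
    exposed = []
    # os.walk yields nothing for a missing directory, so a clean install
    # with no html tree simply produces an empty report.
    for dirpath, _dirnames, filenames in os.walk(html_root):
        for name in filenames:
            _, ext = os.path.splitext(name)
            if ext.lower() in SERVABLE_SECRETS:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, easerver_root).replace(os.sep, "/")
                exposed.append(rel)
    return sorted(exposed)


def build_sample_install():
    """Create a throwaway EAServer-like tree (constructed data) that mixes
    correctly placed files with two misplaced ones under html/."""
    root = tempfile.mkdtemp(prefix="easerver_")
    layout = {
        # Fine: ordinary web content.
        "html/index.html": "<html></html>",
        # Bad: component implementation class reachable over HTTP.
        "html/classes/com/example/AcctImpl.class": "CAFEBABE placeholder",
        # Bad: properties file with a credential reachable over HTTP.
        "html/WEB-INF/db.properties": "password=constructed-sample",
        # Fine: class deployed under java/classes as the page recommends.
        "java/classes/com/example/SafeImpl.class": "CAFEBABE placeholder",
        # Fine: properties file outside the html tree (assumed location).
        "Repository/conn.properties": "password=constructed-sample",
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_install()
    hits = find_exposed_files(root)
    if not hits:
        print("OK: no component classes or properties files under html/")
    for hit in hits:
        print("EXPOSED:", hit)
```

Run it against a real installation by passing the EAServer root to find_exposed_files instead of the constructed tree; any line reported should be moved under java/classes (for classes) or to a location outside html (for properties files).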
Copyright © 2005. Sybase Inc. All rights reserved.