What security issues should be considered in the use of thick clients ?
By a "thick" client I mean anything that will bypass the servlet/JSP layer and talk directly to EJBs using RMI/IIOP protocols. The biggest problems arise when deploying thick clients on the Internet (e.g., Java applets accessible from your Web site). There are two main issues to consider.

First, iAS does not support the encryption of IIOP data; this means that information sent from the thick client application to iAS, and vice versa, will be in plaintext, and accessible to anyone with the appropriate snooping tools. This does not necessarily mean that user IDs and passwords will be accessible, as these are not usually handled at the application level. It does mean, however, that application-level data could be snooped (names, addresses, bank balances, etc.). I understand that support for SSL-encrypted IIOP is being considered for a future iAS release.

Second, getting IIOP traffic across a firewall requires a more relaxed firewall configuration than HTTP. As well as the IIOP bridge port (
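To make the first point concrete for anyone monitoring such a deployment, here is a small added example (my own code, not part of the original FAQ or of iAS) that classifies a captured TCP payload as either a plaintext GIOP message (the wire format IIOP carries) or a TLS record, and lists the printable strings a plain IIOP frame exposes. The GIOP header layout (the 12-byte `GIOP` magic, version, flags, message type and size header) follows the CORBA GIOP specification; the sample frames, the bean and method names in them, and the `classify_payload` / `visible_strings` helper names are constructed here for illustration and are not iAS identifiers.

```python
"""Flag unencrypted IIOP (GIOP) sessions in captured TCP payloads.

Added example, not from the original FAQ. Header parsing follows the CORBA
GIOP specification; all sample frames below are constructed for this demo.
"""
import struct

GIOP_MAGIC = b"GIOP"
GIOP_MESSAGE_TYPES = {
    0: "Request", 1: "Reply", 2: "CancelRequest", 3: "LocateRequest",
    4: "LocateReply", 5: "CloseConnection", 6: "MessageError", 7: "Fragment",
}
TLS_CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert",
                     22: "Handshake", 23: "ApplicationData"}


def parse_giop_header(data: bytes):
    """Return (major, minor, little_endian, message_type, body_size) or None."""
    if len(data) < 12 or data[:4] != GIOP_MAGIC:
        return None
    major, minor, flags, msg_type = data[4], data[5], data[6], data[7]
    # GIOP 1.0 uses this octet as a boolean byte_order; 1.1+ keeps it in bit 0 of flags.
    little_endian = bool(flags & 0x01)
    size = struct.unpack("<I" if little_endian else ">I", data[8:12])[0]
    return major, minor, little_endian, msg_type, size


def classify_payload(data: bytes) -> dict:
    """Label a TCP payload so a monitor can alert on plaintext IIOP traffic."""
    hdr = parse_giop_header(data)
    if hdr is not None:
        major, minor, _le, msg_type, size = hdr
        return {
            "protocol": "GIOP",
            "version": f"{major}.{minor}",
            "message_type": GIOP_MESSAGE_TYPES.get(msg_type, f"unknown({msg_type})"),
            "body_size": size,
            "encrypted": False,  # plain IIOP: everything after the header is readable
        }
    # A TLS record starts with a content type octet followed by a 3.x version.
    if len(data) >= 5 and data[0] in TLS_CONTENT_TYPES and data[1] == 0x03:
        return {"protocol": "TLS", "record_type": TLS_CONTENT_TYPES[data[0]],
                "encrypted": True}
    return {"protocol": "unknown", "encrypted": None}


def visible_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs in a payload; on plaintext IIOP these are application data."""
    out, run = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


def build_giop_request(body: bytes, minor: int = 2, little_endian: bool = False) -> bytes:
    """Construct a GIOP 1.x Request frame around a body (sample data only)."""
    flags = 0x01 if little_endian else 0x00
    size = struct.pack("<I" if little_endian else ">I", len(body))
    return GIOP_MAGIC + bytes([1, minor, flags, 0]) + size + body


# Constructed sample frames. A real body is CDR-encoded, but the bean and
# method names (and any argument strings) still travel as readable bytes.
SAMPLE_IIOP = build_giop_request(b"AccountBean\x00getBalance\x00")
SAMPLE_TLS = bytes([0x16, 0x03, 0x01, 0x00, 0x05]) + b"\x01\x00\x00\x01\x00"

if __name__ == "__main__":
    for name, frame in (("iiop", SAMPLE_IIOP), ("tls", SAMPLE_TLS)):
        print(name, classify_payload(frame), visible_strings(frame))
```

The `encrypted: False` label is the actionable output: a sensor that sees GIOP headers on the bridge port knows that application-level fields are crossing the network in the clear, which is exactly the exposure the answer describes and the reason to prefer an SSL-wrapped transport once one is available.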