Showing posts from January, 2014

The security hole left with JNDI for server resources

In the Java world, JNDI (Java Naming and Directory Interface) is a very common way for applications to access server resources such as data sources, EJBs, JMS queues and file stores. The security risk is that JNDI can be called not only by applications hosted in the same container, but also remotely. In many organizations, application server admins neglect this risk, either unknowingly or by assuming they are on a secure LAN. This exposes the resources to grave risk, since anyone on the LAN can access unauthorized data without being detected and abuse the system. The lookup code below is the same whether it runs inside the container or on a remote client:

    import java.sql.Connection;
    import java.sql.SQLException;
    import java.util.Properties;
    import javax.naming.Context;
    import javax.naming.InitialContext;
    import javax.naming.NamingException;
    import javax.sql.DataSource;

    InitialContext ctx = null;
    Properties env = new Properties();
    // The factory and provider URL pick the server whose JNDI tree is queried.
    env.put(Context.INITIAL_CONTEXT_FACTORY, "CONTEXT_FACTORY");
    env.put(Context.PROVIDER_URL, "CONTEXT_PROVIDER_URL");
    try {
        ctx = new InitialContext(env);
        // Resolve the data source by name; the server supplies the DB credentials.
        DataSource datasource = (DataSource) ctx.lookup("DATASOURCE_CONTEXT_NAME");
        Connection conn = datasource.getConnection();
        //
    } catch (NamingException | SQLException e) {
        e.printStackTrace();
    }