geronimo-dev mailing list archives

From David Jencks <david_jen...@yahoo.com>
Subject unimplemented bits of ejb-webservice security
Date Thu, 05 May 2005 21:43:09 GMT
It looks like we have a couple missing bits of ejb webservice 
security...

1. There's no way to force (or allow) a client to log on, although it's 
easy to deny them access since they didn't.

2. There's no way to let a client use a client certificate.

From one point of view we have these problems because we aren't 
deploying the ejb-ws as servlets in a web app, but rather using a 
web-app-context like object registered in the web server for each 
ejb-ws.  So, one possible solution for jetty would be to copy the logon 
code from the security before-after into the JettyEJBWebServiceContext, 
leaving out the JACC permission checks but providing custom 
configuration for what is expected (i.e. login +- various ssl options)

Anyone have any other ideas?

Should the ?wsdl queries also be subject to security?

Many thanks,
david jencks

