geronimo-dev mailing list archives

From "Davanum Srinivas" <dava...@gmail.com>
Subject Re: WebServicesPermission
Date Tue, 06 Mar 2007 23:45:04 GMT
And the targetname is "publishEndpoint" according to the
WebServicePermission javadoc.

thanks,
-- dims

On 3/6/07, David Jencks <david_jencks@yahoo.com> wrote:
>
> On Mar 6, 2007, at 6:19 PM, Jarek Gawor wrote:
>
> > For JAX-WS services we need to check/enforce the WebServicesPermission
> > while publishing JAX-WS endpoints. Here's what the JAX-WS 2.0 spec
> > says (section 5.2.3):
> >
> > "Conformance (Checking publishEndpoint Permission): When any of the
> > publish methods defined by the Endpoint class are invoked, an
> > implementation MUST check whether a SecurityManager is installed with
> > the application. If it is, implementations MUST verify that the
> > application has the WebServicePermission identified by the target name
> > publishEndpoint before proceeding. If the permission is not granted,
> > implementations MUST NOT publish the endpoint and they MUST throw a
> > java.lang.SecurityException."
> >
> > So I think it is pretty clear how the check should be done and
> > where. That is, using SecurityManager API and within the CXF or Axis2
> > Endpoint class when one of the publish methods is called.
> >
> > Now, the JSR109 spec (section 5.3.3) says:
> >
> > "JAX-WS provides functionality for creating and publishing Web Service
> > endpoints dynamically using javax.xml.ws.Endpoint API. The use of this
> > functionality is considered non-portable in a managed environment. It
> > is required that both the Servlet and the EJB container disallow the
> > publishing of the Endpoint dynamically, by not granting the
> > publishEndpoint security permission. Please refer to details on this
> > in Section 5.2 of the JAX-WS specification."
> >
> > So that permission needs to be enforced in G. How do I configure
> > things so that this permission is enforced or what do I need to do to
> > enforce it?
> >
> According to the SecurityManager javadoc the default implementation
> of securityManager.checkPermission is to call
> AccessController.checkPermission().  So I'd suggest that if the
> cxf/axis2 code was
>
> SecurityManager sm = System.getSecurityManager();
> if (sm != null) {
>      sm.checkPermission(new WebServicePermission(targetName));
> } else {
>      AccessController.checkPermission(new WebServicePermission(targetName));
> }
>
> then we will have fulfilled the jaxws spec (if there is a security
> manager installed we ask its permission)
> and the jsr109 spec (AccessController won't grant this permission, or
> we can make our jacc implementation deny it if necessary)
>
> and we won't have to install a security manager.
>
> thanks
> david jencks
>
>
>
>
>
> > Thanks,
> > Jarek
>
>


-- 
Davanum Srinivas :: http://wso2.org/ :: Oxygen for Web Services Developers
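
The check discussed in this thread, placed in front of a publish call so that a refusal prevents publication. This is an added example, not code from the thread or from CXF, Axis2 or Geronimo. The class name, the `publish` method, the endpoint address and the stand-in permission class (used instead of `javax.xml.ws.WebServicePermission` so the file compiles without the JAX-WS API jar) are assumptions, and it assumes a JDK where the Security Manager APIs, deprecated for removal since Java 17, are still functional.

```java
import java.security.AccessController;
import java.security.BasicPermission;
import java.security.Permission;

public class PublishEndpointCheck {

    // Stand-in for javax.xml.ws.WebServicePermission (assumption: avoids
    // needing the JAX-WS API jar). Like the real class, it is a named permission.
    static final class StandInWebServicePermission extends BasicPermission {
        private static final long serialVersionUID = 1L;
        StandInWebServicePermission(String name) { super(name); }
    }

    // Target name given in the thread and in JAX-WS 2.0 section 5.2.3.
    static final Permission PUBLISH =
            new StandInWebServicePermission("publishEndpoint");

    // Ask the installed SecurityManager if there is one; otherwise ask
    // AccessController directly, so the check still runs when no
    // SecurityManager is installed.
    static void checkPublishPermission() {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(PUBLISH);
        } else {
            AccessController.checkPermission(PUBLISH);
        }
    }

    // Hypothetical publish entry point: the check comes first, so a
    // SecurityException leaves the endpoint unpublished.
    static boolean publish(String address) {
        checkPublishPermission();
        System.out.println("published " + address);
        return true;
    }

    public static void main(String[] args) {
        String address = "http://localhost:8080/constructed-endpoint"; // constructed
        try {
            publish(address);
        } catch (SecurityException e) {
            // AccessControlException is a SecurityException, so both branches
            // report a refusal the way the JAX-WS text requires.
            System.out.println("publish refused: " + e.getMessage());
        }
    }
}
```

Run without `-Djava.security.manager`, the `else` branch is the one exercised; a policy entry granting the permission to the calling code is what would let `publish` proceed.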
