geronimo-dev mailing list archives

From "Jarek Gawor" <jga...@gmail.com>
Subject WebServicesPermission
Date Tue, 06 Mar 2007 23:19:15 GMT
For JAX-WS services we need to check/enforce the WebServicesPermission
while publishing JAX-WS endpoints. Here's what the JAX-WS 2.0 spec
says (section 5.2.3):

"Conformance (Checking publishEndpoint Permission): When any of the
publish methods defined by the Endpoint class are invoked, an
implementation MUST check whether a SecurityManager is installed with
the application. If it is, implementations MUST verify that the
application has the WebServicePermission identified by the target name
publishEndpoint before proceeding. If the permission is not granted,
implementations MUST NOT publish the endpoint and they MUST throw a
java.lang.SecurityException."

So I think it is pretty clear how the check should be done and
where. That is, using the SecurityManager API and within the CXF or Axis2
Endpoint class when one of the publish methods is called.

Now, the JSR109 spec (section 5.3.3) says:

"JAX-WS provides functionality for creating and publishing Web Service
endpoints dynamically using javax.xml.ws.Endpoint API. The use of this
functionality is considered non-portable in a managed environment. It
is required that both the Servlet and the EJB container disallow the
publishing of the Endpoint dynamically, by not granting the
publishEndpoint security permission. Please refer to details on this
in Section 5.2 of the JAX-WS specification."

So that permission needs to be enforced in G. How do I configure
things so that this permission is enforced or what do I need to do to
enforce it?

Thanks,
Jarek
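
The check quoted above from JAX-WS 2.0 section 5.2.3, as an added example that is not part of the original message and is not CXF, Axis2 or Geronimo code. It assumes a Java 8 runtime, where both javax.xml.ws and SecurityManager are available; `publish` and `ManagedContainerPolicy` are hypothetical names, and the policy is a constructed stand-in for a container that withholds the publishEndpoint permission.

```java
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import javax.xml.ws.WebServicePermission;

public class PublishEndpointCheckDemo {

    // Target name taken from the JAX-WS 2.0 text quoted in the message.
    static final Permission PUBLISH = new WebServicePermission("publishEndpoint");

    // Hypothetical stand-in for the publish path of an Endpoint implementation.
    static void publish(String address) {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            // Throws a SecurityException subclass when the permission is not
            // granted, so the endpoint is never published in that case.
            sm.checkPermission(PUBLISH);
        }
        System.out.println("published " + address);
    }

    // Constructed policy for this demo: grants everything except publishEndpoint,
    // mimicking a managed container that withholds that single permission.
    static final class ManagedContainerPolicy extends Policy {
        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            return !PUBLISH.implies(permission);
        }
    }

    public static void main(String[] args) {
        // No SecurityManager installed: the spec requires no check here.
        publish("http://localhost:8080/demo");

        // Install the restrictive policy, then the SecurityManager.
        Policy.setPolicy(new ManagedContainerPolicy());
        System.setSecurityManager(new SecurityManager());
        try {
            publish("http://localhost:8080/demo");
        } catch (SecurityException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```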
