geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Jencks <david_jen...@yahoo.com>
Subject Re: WebServicesPermission
Date Tue, 06 Mar 2007 23:49:54 GMT
some day I'll learn to read :-)  ... that's right in jarek's quote.
thanks
david jencks
On Mar 6, 2007, at 6:45 PM, Davanum Srinivas wrote:

> And the targetname is "publishEndpoint" according to the
> WebServicePermission javadoc.
>
> thanks,
> -- dims
>
> On 3/6/07, David Jencks <david_jencks@yahoo.com> wrote:
>>
>> On Mar 6, 2007, at 6:19 PM, Jarek Gawor wrote:
>>
>> > For JAX-WS services we need to check/enforce the  
>> WebServicesPermission
>> > while publishing JAX-WS endpoints. Here's what the JAX-WS 2.0 spec
>> > says (section 5.2.3):
>> >
>> > "Conformance (Checking publishEndpoint Permission): When any of the
>> > publish methods defined by the Endpoint class are invoked, an
>> > implementation MUST check whether a SecurityManager is installed  
>> with
>> > the application. If it is, implementations MUST verify that the
>> > application has the WebServicePermission identified by the  
>> target name
>> > publishEndpoint before proceeding. If the permission is not  
>> granted,
>> > implementations MUST NOT publish the endpoint and they MUST throw a
>> > java.lang.SecurityException."
>> >
>> > So I think this is pretty clear how the check should be done and
>> > where. That is, using SecurityManager API and within the CXF or  
>> Axis2
>> > Endpoint class when one of the publish method is called.
>> >
>> > Now, in JSR109 spec (section 5.3.3) says:
>> >
>> > "JAX-WS provides functionality for creating and publishing Web  
>> Service
>> > endpoints dynamically using javax.xml.ws.Endpoint API. The use  
>> of this
>> > functionality is considered non-portable in a managed  
>> environment. It
>> > is required that both the Servlet and the EJB container disallow  
>> the
>> > publishing of the Endpoint dynamically, by not granting the
>> > publishEndpoint security permission. Please refer to details on  
>> this
>> > in Section 5.2 of the JAX-WS specification."
>> >
>> > So that permission needs to be enforced in G. How do I configure
>> > things so that this permission is enforced or what do I need to  
>> do to
>> > enforce it?
>> >
>> According to the SecurityManager javadoc the default implementation
>> of securityManager.checkPermission is to call
>> AccessController.checkPermission().  So I'd suggest that if the cxf/
>> axis2 code was
>>
>> SecurityManager sm = System.getSecurityManager();
>> if (sm != null) {
>>      sm.checkPermission(new WebServicePermission(targetName));
>> } else {
>>      AccessController.checkPermission(new WebServicePermission
>> (targetName));
>> }
>>
>> then we will have fulfilled the jaxws spec (if there is a security
>> manager installed we ask it's permission)
>> and the jsr109 spec (AccessController won't grant this permission, or
>> we can make our jacc implementation deny it if necessary)
>>
>> and we won't have to install a security manager.
>>
>> thanks
>> david jencks
>>
>>
>>
>>
>>
>> > Thanks,
>> > Jarek
>>
>>
>
>
> -- 
> Davanum Srinivas :: http://wso2.org/ :: Oxygen for Web Services  
> Developers


Mime
View raw message