geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Jencks <>
Subject Re: WebServicesPermission
Date Tue, 06 Mar 2007 23:36:33 GMT

On Mar 6, 2007, at 6:19 PM, Jarek Gawor wrote:

> For JAX-WS services we need to check/enforce the WebServicesPermission
> while publishing JAX-WS endpoints. Here's what the JAX-WS 2.0 spec
> says (section 5.2.3):
> "Conformance (Checking publishEndpoint Permission): When any of the
> publish methods defined by the Endpoint class are invoked, an
> implementation MUST check whether a SecurityManager is installed with
> the application. If it is, implementations MUST verify that the
> application has the WebServicePermission identified by the target name
> publishEndpoint before proceeding. If the permission is not granted,
> implementations MUST NOT publish the endpoint and they MUST throw a
> java.lang.SecurityException."
> So I think this is pretty clear how the check should be done and
> where. That is, using SecurityManager API and within the CXF or Axis2
> Endpoint class when one of the publish method is called.
> Now, in JSR109 spec (section 5.3.3) says:
> "JAX-WS provides functionality for creating and publishing Web Service
> endpoints dynamically using API. The use of this
> functionality is considered non-portable in a managed environment. It
> is required that both the Servlet and the EJB container disallow the
> publishing of the Endpoint dynamically, by not granting the
> publishEndpoint security permission. Please refer to details on this
> in Section 5.2 of the JAX-WS specification."
> So that permission needs to be enforced in G. How do I configure
> things so that this permission is enforced or what do I need to do to
> enforce it?
According to the SecurityManager javadoc the default implementation  
of securityManager.checkPermission is to call  
AccessController.checkPermission().  So I'd suggest that if the cxf/ 
axis2 code was

SecurityManager sm = System.getSecurityManager();
if (sm != null) {
     sm.checkPermission(new WebServicePermission(targetName));
} else {
     AccessController.checkPermission(new WebServicePermission 

then we will have fulfilled the jaxws spec (if there is a security  
manager installed we ask it's permission)
and the jsr109 spec (AccessController won't grant this permission, or  
we can make our jacc implementation deny it if necessary)

and we won't have to install a security manager.

david jencks

> Thanks,
> Jarek

View raw message