geronimo-dev mailing list archives

From "Rafael Thomas Goz Coutinho (JIRA)" <j...@apache.org>
Subject [jira] Created: (GERONIMO-4015) Protecting EJB based Web services but excluding wsdl from the protection
Date Wed, 14 May 2008 01:19:55 GMT
Protecting EJB based Web services but excluding wsdl from the protection
------------------------------------------------------------------------

                 Key: GERONIMO-4015
                 URL: https://issues.apache.org/jira/browse/GERONIMO-4015
             Project: Geronimo
          Issue Type: New Feature
      Security Level: public (Regular issues)
          Components: OpenEJB
            Reporter: Rafael Thomas Goz Coutinho
            Priority: Minor


When we protect a Web service using HTTP Basic authentication, we protect all access to that
Web service endpoint URL, even to the generated WSDL.

When exposing a POJO-based Web service using a Web project, the usual workaround is to set
the http-method to only protect POST requests, so the GET to the WSDL will not be protected.

However, when exposing an EJB-based Web service we cannot configure that, so the WSDL is always
protected for POST or GET requests.

It would be nice if we could change that...

Here is an example of the EJB WS security deployment plan:
<ejb:enterprise-beans>
    <ejb:session>
        <ejb:ejb-name>Test</ejb:ejb-name>
        <ejb:web-service-security>
            <ejb:security-realm-name>WSTest</ejb:security-realm-name>
            <ejb:transport-guarantee>NONE</ejb:transport-guarantee>
            <ejb:auth-method>BASIC</ejb:auth-method>
        </ejb:web-service-security>
    </ejb:session>
</ejb:enterprise-beans>

No place for defining the HTTP method.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
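
The POST-only workaround the message describes for web-project (POJO) services, written out as a `web.xml` fragment. This is an added example, not taken from the message or from Geronimo; the URL pattern `/TestService` and the role `ws-user` are hypothetical, while `WSTest`, `BASIC` and `NONE` mirror the EJB plan above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>TestService</web-resource-name>
      <!-- Hypothetical endpoint path; the WSDL is fetched from the same URL with GET. -->
      <url-pattern>/TestService</url-pattern>
      <!-- Only the methods listed here are constrained. POST (the SOAP call)
           requires authentication; GET and every other unlisted method on
           this URL stay open, so confirm the endpoint rejects or ignores
           anything except POST and the WSDL GET. -->
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <!-- Hypothetical role; must match a security-role declared below. -->
      <role-name>ws-user</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- NONE mirrors the plan in the message. BASIC credentials are only
           base64-encoded, so CONFIDENTIAL is the safer value where TLS is
           available. -->
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <!-- Realm name shown in the Basic challenge; assumed to match the plan's realm. -->
    <realm-name>WSTest</realm-name>
  </login-config>

  <security-role>
    <role-name>ws-user</role-name>
  </security-role>

</web-app>
```

The `ejb:web-service-security` element in the plan above has no counterpart to `http-method`, which is the gap the issue reports.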
