geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jarek Gawor (JIRA)" <j...@apache.org>
Subject [jira] Updated: (GERONIMO-4015) Protecting EJB based Web services but excluding wsdl from the protection
Date Wed, 31 Dec 2008 19:55:44 GMT

     [ https://issues.apache.org/jira/browse/GERONIMO-4015?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Jarek Gawor updated GERONIMO-4015:
----------------------------------

    Component/s: webservices
       Assignee: Jarek Gawor

> Protecting EJB based Web services but excluding wsdl from the protection
> ------------------------------------------------------------------------
>
>                 Key: GERONIMO-4015
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4015
>             Project: Geronimo
>          Issue Type: New Feature
>      Security Level: public(Regular issues) 
>          Components: OpenEJB, webservices
>            Reporter: Rafael Thomas Goz Coutinho
>            Assignee: Jarek Gawor
>            Priority: Minor
>
> When we protect a Web service using HTTP Basic authentication we protect all access to
that Webservice endpoint URL even to the generated WSDL. 
> When exposing a POJO based webservices using a Web project the usual work around is to
set the http-method to only protect POST requests. So the GET to the wsdl will not be protected.
> However when exposing an EJB based Webservice we can not configure that, so the wsdl
is always protected for POST or GET requests.
> It would be nice if we could change that...
> here is a example of the EJB WS security deployment plan:
> <ejb:enterprise-beans>
> 		<ejb:session>
> 			<ejb:ejb-name>Test</ejb:ejb-name>
> 			<ejb:web-service-security>
> 				<ejb:security-realm-name>
> 					WSTest
> 				</ejb:security-realm-name>
> 				<ejb:transport-guarantee>NONE</ejb:transport-guarantee>
> 				<ejb:auth-method>BASIC</ejb:auth-method>
> 			</ejb:web-service-security>
> 		</ejb:session>
> 	</ejb:enterprise-beans>
> No place for defining the HTTP method.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message