geronimo-dev mailing list archives

From "Jarek Gawor (JIRA)" <j...@apache.org>
Subject [jira] Resolved: (GERONIMO-4015) Protecting EJB based Web services but excluding wsdl from the protection
Date Wed, 07 Jan 2009 04:58:44 GMT

     [ https://issues.apache.org/jira/browse/GERONIMO-4015?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jarek Gawor resolved GERONIMO-4015.
-----------------------------------

       Resolution: Fixed
    Fix Version/s: 2.2

I added support for specifying a list of HTTP methods that should be secured when invoking
an ejb-based web service (see revisions 732217 and 732219). With that you can omit the GET method
and therefore allow unsecure WSDL access. Here's an example:

{noformat}
<ejb:enterprise-beans>
    <ejb:session>
        <ejb:ejb-name>Test</ejb:ejb-name>
        <ejb:web-service-security>
            <ejb:security-realm-name>WSTest</ejb:security-realm-name>
            <ejb:transport-guarantee>NONE</ejb:transport-guarantee>
            <ejb:auth-method>BASIC</ejb:auth-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
        </ejb:web-service-security>
    </ejb:session>
</ejb:enterprise-beans>
{noformat}


> Protecting EJB based Web services but excluding wsdl from the protection
> ------------------------------------------------------------------------
>
>                 Key: GERONIMO-4015
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4015
>             Project: Geronimo
>          Issue Type: New Feature
>      Security Level: public(Regular issues) 
>          Components: OpenEJB, webservices
>            Reporter: Rafael Thomas Goz Coutinho
>            Assignee: Jarek Gawor
>            Priority: Minor
>             Fix For: 2.2
>
>
> When we protect a Web service using HTTP Basic authentication we protect all access to that Webservice endpoint URL, even to the generated WSDL.
> When exposing a POJO based webservice using a Web project the usual workaround is to set the http-method to only protect POST requests. So the GET to the wsdl will not be protected.
> However when exposing an EJB based Webservice we cannot configure that, so the wsdl is always protected for POST or GET requests.
> It would be nice if we could change that...
> Here is an example of the EJB WS security deployment plan:
> <ejb:enterprise-beans>
> 		<ejb:session>
> 			<ejb:ejb-name>Test</ejb:ejb-name>
> 			<ejb:web-service-security>
> 				<ejb:security-realm-name>
> 					WSTest
> 				</ejb:security-realm-name>
> 				<ejb:transport-guarantee>NONE</ejb:transport-guarantee>
> 				<ejb:auth-method>BASIC</ejb:auth-method>
> 			</ejb:web-service-security>
> 		</ejb:session>
> 	</ejb:enterprise-beans>
> No place for defining the HTTP method.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
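
Added example (not part of the original message or of the Geronimo code base): a small audit that reads a plan like the one in the resolution comment and reports which HTTP methods the http-method list leaves unauthenticated, and whether BASIC is paired with a transport-guarantee of NONE. The namespace URI, KNOWN_METHODS, the function names and the rule that an empty list secures every method are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the plan from the message, wrapped with a placeholder
# namespace URI (an assumption) so that the ejb: prefix parses.
PLAN = """<ejb:enterprise-beans xmlns:ejb="urn:example:placeholder-plan-ns">
    <ejb:session>
        <ejb:ejb-name>Test</ejb:ejb-name>
        <ejb:web-service-security>
            <ejb:security-realm-name>WSTest</ejb:security-realm-name>
            <ejb:transport-guarantee>NONE</ejb:transport-guarantee>
            <ejb:auth-method>BASIC</ejb:auth-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
        </ejb:web-service-security>
    </ejb:session>
</ejb:enterprise-beans>"""

KNOWN_METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE")

def local(tag):
    """Strip any '{namespace}' part so prefixed and bare elements both match."""
    return tag.rsplit("}", 1)[-1]

def children(elem, name):
    return [c for c in elem if local(c.tag) == name]

def text_of(elem, name):
    found = children(elem, name)
    return (found[0].text or "").strip() if found else ""

def audit_plan(xml_text):
    """Return one report dict per bean that carries web-service-security."""
    reports = []
    for bean in ET.fromstring(xml_text).iter():
        for sec in children(bean, "web-service-security"):
            methods = children(sec, "http-method")
            listed = {(m.text or "").strip().upper() for m in methods} - {""}
            # Assumption: with no http-method listed, every method is secured
            # (the behaviour the reporter describes before this change).
            open_methods = [m for m in KNOWN_METHODS if listed and m not in listed]
            reports.append({
                "bean": text_of(bean, "ejb-name"),
                "secured": sorted(listed) or ["ALL"],
                "unauthenticated": open_methods,
                # BASIC credentials are only base64-encoded; NONE does not require TLS.
                "basic_without_tls": text_of(sec, "auth-method").upper() == "BASIC"
                and text_of(sec, "transport-guarantee").upper() == "NONE",
            })
    return reports
```

For the sample plan the report lists GET, HEAD, DELETE, OPTIONS and TRACE as unauthenticated, which is wider than the WSDL GET the change was meant to open.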

