geronimo-dev mailing list archives

From "David Jencks (JIRA)" <>
Subject [jira] Commented: (GERONIMO-4645) jetty7 ejb web service authentication is turned off
Date Fri, 10 Jul 2009 07:47:14 GMT


David Jencks commented on GERONIMO-4645:

rev 792824 gets all the testsuite jaxws-ejb-sec tests to pass for me.  Basically this sets
stuff up to use jacc for security.

-- uses ejb abstract name for a policyContextID (ejb still gets the policyContextID from its
-- uses jacc to enforce UserData constraints and whether auth is required.  No role based
permission checks are performed by the web transport layer, this is done only by the ejb security.
-- configuration is now done with properties in the webservice-security element.  The http
methods listed are ignored.

getProtiected (default true) -- whether GET requests (presumably for wsdl) are subject to
transport guarantees
getSecured (default true unless authMethod NONE) -- whether GET requests must be authenticated.

I'm going to look into fixing up the tomcat and jetty6 ejb ws security to use the same technique.

Listing only the protected methods and letting the non-protected https methods be, well, unprotected
has the practical effect that you can work around the security constraints by using a non-standard
http method.  At least cxf distinguishes only between "GET" and "everything else" and pushes
all the "everything else" methods to the POST handler.  Since you can't list all the http extension
methods, it's better to just configure whether GET is secured directly.

> jetty7 ejb web service authentication is turned off
> ---------------------------------------------------
>                 Key: GERONIMO-4645
>                 URL:
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: Jetty
>    Affects Versions: 2.2
>            Reporter: David Jencks
>            Assignee: David Jencks
>             Fix For: 2.2
> See JettyContainerImpl.addWebService.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
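
The gap described in the comment above, as an added example that is not part of the original message and is not Geronimo code. The class and method names are hypothetical, the method lists are constructed, and the GET-flag check assumes an authMethod other than NONE is configured.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Added illustration, not Geronimo code: a model of the two configuration styles.
public class MethodConstraintDemo {

    // Listed-methods style: only the HTTP methods named in the configuration need auth.
    static boolean authRequiredByList(Set<String> listedMethods, String method) {
        return listedMethods.contains(method);
    }

    // GET-flag style: GET follows getSecured; every other method needs auth.
    // Assumption: an authMethod other than NONE is configured.
    static boolean authRequiredByGetFlag(boolean getSecured, String method) {
        return !"GET".equals(method) || getSecured;
    }

    // Dispatch as the comment describes for cxf: "GET" or everything else (POST handler).
    static String handlerFor(String method) {
        return "GET".equals(method) ? "GET handler" : "POST handler";
    }

    // Audit helper: non-GET methods that reach the POST handler without authentication.
    static List<String> unauthenticatedPostPaths(Set<String> listedMethods, List<String> methods) {
        List<String> gaps = new ArrayList<>();
        for (String m : methods) {
            if (handlerFor(m).equals("POST handler") && !authRequiredByList(listedMethods, m)) {
                gaps.add(m);
            }
        }
        return gaps;
    }

    public static void main(String[] args) {
        Set<String> listed = Set.of("GET", "POST");   // constructed configuration
        List<String> methods = List.of("GET", "POST", "PUT", "PROPFIND", "FOO"); // constructed
        for (String m : methods) {
            System.out.printf("%-9s %-13s list-auth=%-6b getflag-auth=%b%n", m, handlerFor(m),
                    authRequiredByList(listed, m), authRequiredByGetFlag(true, m));
        }
        System.out.println("Unauthenticated under listed-methods style: "
                + unauthenticatedPostPaths(listed, methods));
    }
}
```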
