geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Jencks <>
Subject Re: Trunk Builds
Date Wed, 01 Jul 2009 22:51:58 GMT

On Jul 1, 2009, at 11:04 AM, Jarek Gawor wrote:

> David,
> I'm trying to make things work and behave the same for ejb-based web
> services as for servlet-based web services. I have a similar security
> tests to jaxws-ejb-sec for servlet-based web services - see
> jaxws-war-sec. Take a look at /basicAllowGet example in web.xml. It
> has one http-method specified (POST) and auth-method is configured to
> BASIC. That allows me to perform GET on the service without any
> security but POST request will require BASIC auth. So if that's how
> are things working for web-based services I would like to have the
> same behavior for ejb-based services.

I'm not very happy with what we can configure now.  With a web app,  
you can have lots of security constraints but IIUC for ejb ws you can  
only have one.  So with a single web security constraint, say you  
restrict POST to require CONFIDENTIAL and auth.  That means that non- 
POST requests are completely unconstrained both for transport and for  
auth.  In a web app you can have more constraints so that e.g. there's  
still transport guarantee.

If we imitate this with ejb constraints  but only allow a single  
constraint, then adding a http method into the mix mostly unsecures  
everything else.  I don't think this is a good idea.  I think there  
are 2 reasonable options:

1. if we only allow a single constraint, only grant the permissions  
from that constraint.... everything else is prohibited.  This is  
nearly the opposite of what servlet constraints do.  This is pretty  
easy to implement.
2. allow full web-like multiple security-constraint elements although  
we'd ignore the role-constraint mapping since the ejb security ought  
to be more meaningful.  This is more complicated to implement, but  
might not be exactly difficult.


david jencks

> Jarek
> On Wed, Jul 1, 2009 at 3:23 AM, David Jencks<>  
> wrote:
>> I fixed IMO all the security problems here and think we should  
>> change the
>> tests for the 2 remaining failures.
>> The question is whether if the web service requires authentication,  
>> the wsdl
>> requests should too.  Previously wsdl requests never required
>> authentication, just the correct transport guarantee.  While this  
>> seemed
>> reasonable when we first wrote this, I no longer think it makes  
>> sense.
>>  Currently in the jetty ejb ws if authentication is required  
>> ( auth
>> method specified) then all requests, both to the ws and for the  
>> wsdl require
>> authentication.
>> Shall I go ahead and change the testsuite and tomcat ejb ws?
>> thanks
>> david jencks

View raw message