geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jarek Gawor <>
Subject Re: Trunk Builds
Date Wed, 01 Jul 2009 18:04:33 GMT

I'm trying to make things work and behave the same for ejb-based web
services as for servlet-based web services. I have a similar security
tests to jaxws-ejb-sec for servlet-based web services - see
jaxws-war-sec. Take a look at /basicAllowGet example in web.xml. It
has one http-method specified (POST) and auth-method is configured to
BASIC. That allows me to perform GET on the service without any
security but POST request will require BASIC auth. So if that's how
are things working for web-based services I would like to have the
same behavior for ejb-based services.


On Wed, Jul 1, 2009 at 3:23 AM, David Jencks<> wrote:
> I fixed IMO all the security problems here and think we should change the
> tests for the 2 remaining failures.
> The question is whether if the web service requires authentication, the wsdl
> requests should too.  Previously wsdl requests never required
> authentication, just the correct transport guarantee.  While this seemed
> reasonable when we first wrote this, I no longer think it makes sense.
>  Currently in the jetty ejb ws if authentication is required ( auth
> method specified) then all requests, both to the ws and for the wsdl require
> authentication.
> Shall I go ahead and change the testsuite and tomcat ejb ws?
> thanks
> david jencks

View raw message