geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jarek Gawor (JIRA)" <>
Subject [jira] Resolved: (GERONIMO-4015) Protecting EJB based Web services but excluding wsdl from the protection
Date Wed, 07 Jan 2009 04:58:44 GMT


Jarek Gawor resolved GERONIMO-4015.

       Resolution: Fixed
    Fix Version/s: 2.2

I added support for specifying a list of http methods that should be secured when invoking
ejb-based web service (see revision 732217 and 732219). With that you can omit the GET method
and therefore allow unsecure WSDL access. Here's an example:


> Protecting EJB based Web services but excluding wsdl from the protection
> ------------------------------------------------------------------------
>                 Key: GERONIMO-4015
>                 URL:
>             Project: Geronimo
>          Issue Type: New Feature
>      Security Level: public(Regular issues) 
>          Components: OpenEJB, webservices
>            Reporter: Rafael Thomas Goz Coutinho
>            Assignee: Jarek Gawor
>            Priority: Minor
>             Fix For: 2.2
> When we protect a Web service using HTTP Basic authentication we protect all access to
that Webservice endpoint URL even to the generated WSDL. 
> When exposing a POJO based webservices using a Web project the usual work around is to
set the http-method to only protect POST requests. So the GET to the wsdl will not be protected.
> However when exposing an EJB based Webservice we can not configure that, so the wsdl
is always protected for POST or GET requests.
> It would be nice if we could change that...
> here is a example of the EJB WS security deployment plan:
> <ejb:enterprise-beans>
> 		<ejb:session>
> 			<ejb:ejb-name>Test</ejb:ejb-name>
> 			<ejb:web-service-security>
> 				<ejb:security-realm-name>
> 					WSTest
> 				</ejb:security-realm-name>
> 				<ejb:transport-guarantee>NONE</ejb:transport-guarantee>
> 				<ejb:auth-method>BASIC</ejb:auth-method>
> 			</ejb:web-service-security>
> 		</ejb:session>
> 	</ejb:enterprise-beans>
> No place for defining the HTTP method.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message