Hi Afkham.

From: [email protected] [mailto:[email protected]] On behalf of Afkham Azeez
Sent: Tuesday, February 1, 2011 8:06
To: [email protected]
Subject: Re: [Carbon-dev] security issue with try it functionality.

On Sun, Jan 30, 2011 at 10:23 PM, Jorge Infante Osorio <[email protected]> wrote:

WSAS 3.2.1

With the try it functionality I don't have any problem. My problem is that I don't want non-authenticated persons to be able to see and use it.

You are trying to have security by obscurity. If you don't want unauthorized personnel to call your Web services, the correct solution is to secure them using WS-Security.

That's right. Now we are testing some service functionalities without security, but we don't want anybody testing the services too. So this is our approach for the moment. After finishing the testing, all the services pass to UT-level security, as you say, with another session of testing for NFR.

Yesterday we downloaded the AppServer 4.0, so we are planning to migrate to this version. By the way, do you have a tutorial to migrate services and configurations from one version to another of your products?

Jorge.

A solution is to put user/password security on all services, but if this is not a security requirement I can't do it.

Jorge.

From: [email protected] [mailto:[email protected]] On behalf of Dimuthu Leelarathne
Sent: Sunday, January 30, 2011 22:05
To: [email protected]
Subject: Re: [Carbon-dev] security issue with try it functionality.

Hi,

What version of App server are you using?

On Mon, Jan 31, 2011 at 6:09 AM, Jorge Infante Osorio <[email protected]> wrote:

We deploy an AppServ in a development environment, and some people have access to this environment whom we don't want to see the home page of AppServ, and we also don't want them to be able to use the try it functionality of any services. By default the AppServ lets anyone see the list of services and use the try it with any service. How can we disable this behavior?

Trunk versions of appserver do not display the service list, but it is still possible to use "tryit" if a person knows the URL.

A solution is mutual authentication using SSL and client certificates, but I want to know if it's possible for non-authenticated users to see the list of services but not use the try it until they are authenticated in AppServ.

This is not a provided feature yet. However, a workaround would be to enable UT on these services.

thanks,
dimuthul

Jorge.

_______________________________________________
Carbon-dev mailing list
[email protected]
http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev

--
Afkham Azeez
Senior Software Architect & Senior Manager; WSO2, Inc.; http://wso2.com,
Member; Apache Software Foundation; http://www.apache.org/
email: [email protected]
cell: +94 77 3320919
blog: http://blog.afkham.org
twitter: http://twitter.com/afkham_azeez
linked-in: http://lk.linkedin.com/in/afkhamazeez
Lean . Enterprise . Middleware
