[ https://issues.apache.org/jira/browse/TOMEE-1974?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15687398#comment-15687398 ]

Jonathan S Fisher commented on TOMEE-1974:
------------------------------------------

The Config in TomEE 7.0 takes a GET URL parameter and turns it into an HTTP 
Header which is a very very dangerous operation from a security standpoint. I 
would suggest the opposite: deprecate that config in TomEE 7.0 before it 
becomes a security problem, and instead use the IETF and RFC specified format 
to include a username/password in a URL, which this patch does. 

> Allow TomEE ejbd HTTP Servlet to be protected by basic auth
> -----------------------------------------------------------
>
>                 Key: TOMEE-1974
>                 URL: https://issues.apache.org/jira/browse/TOMEE-1974
>             Project: TomEE
>          Issue Type: New Feature
>          Components: TomEE Core Server
>    Affects Versions: 1.7.5
>            Reporter: Jonathan S Fisher
>            Priority: Minor
>
> TomEE offers ejbd over http. This is great for a number of reasons, but it 
> could go further by protecting the endpoint with http basic auth. This would 
> harden the server, and it would have prevented the bug involving 
> deserialization of unknown classes, because authentication would have to happen 
> before the underlying protocol was deserialized.
> Pull request here: https://github.com/apache/tomee/pull/52



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
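The two points raised above, shown as an added example that is not the TomEE patch in pull request 52 and not code from the TomEE project: a client derives the `Authorization: Basic` header from the RFC 3986 userinfo part of the URL (`http://user:pass@host/...`) rather than from a query parameter, and a servlet filter checks that header and rejects the request before a single byte of the ejbd body is read, so nothing is deserialized for an unauthenticated caller. The URL pattern `/ejb/*`, the class name, and the hard-coded credentials are assumptions for illustration; a real deployment would check against the container's realm.

```java
import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter, not part of TomEE: the "/ejb/*" pattern and the
// expected user/password below are assumptions made for this example.
@WebFilter(urlPatterns = "/ejb/*")
public class EjbdBasicAuthFilter implements Filter {

    private static final String EXPECTED_USER = "ejbd";
    private static final String EXPECTED_PASSWORD = "change-me";

    @Override
    public void init(FilterConfig filterConfig) {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Only the Authorization header is consulted. No query parameter is
        // read, so the password never appears in access logs or referrers and
        // is never copied from the URL into a header by the server.
        if (!isAuthorized(request.getHeader("Authorization"))) {
            // request.getInputStream() has not been touched: the ejbd
            // protocol, and any serialized objects in it, is never parsed
            // for an unauthenticated caller.
            response.setHeader("WWW-Authenticate", "Basic realm=\"ejbd\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {}

    // Validates "Basic <base64(user:password)>"; package-private for testing
    // outside a container.
    static boolean isAuthorized(String authorization) {
        if (authorization == null
                || !authorization.regionMatches(true, 0, "Basic ", 0, 6)) {
            return false;
        }
        final byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(authorization.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return false; // malformed base64 is rejected, not guessed at
        }
        String credentials = new String(decoded, StandardCharsets.UTF_8);
        int colon = credentials.indexOf(':');
        if (colon < 0) {
            return false;
        }
        byte[] user = credentials.substring(0, colon).getBytes(StandardCharsets.UTF_8);
        byte[] password = credentials.substring(colon + 1).getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison; single '&' so both checks always run.
        boolean userOk = MessageDigest.isEqual(
                user, EXPECTED_USER.getBytes(StandardCharsets.UTF_8));
        boolean passwordOk = MessageDigest.isEqual(
                password, EXPECTED_PASSWORD.getBytes(StandardCharsets.UTF_8));
        return userOk & passwordOk;
    }

    // Client side: build the header from the RFC 3986 userinfo component of
    // a URL such as http://ejbd:change-me@localhost:8080/tomee/ejb, the form
    // the comment above prefers over a query parameter. Returns null when
    // the URL carries no credentials.
    static String authorizationHeaderFor(URI url) {
        String userInfo = url.getUserInfo(); // already percent-decoded
        if (userInfo == null || userInfo.indexOf(':') < 0) {
            return null;
        }
        return "Basic " + Base64.getEncoder()
                .encodeToString(userInfo.getBytes(StandardCharsets.UTF_8));
    }
}
```

The ordering inside `doFilter` is the whole point: the body is only reached through `chain.doFilter`, which runs after the credential check, so a request that fails authentication is answered with 401 without the servlet ever constructing an `ObjectInputStream` over it. `authorizationHeaderFor` splits userinfo at the first colon, matching how `isAuthorized` splits the decoded header, so a password containing a colon round-trips unchanged.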
