[
https://issues.apache.org/jira/browse/TOMEE-1974?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15687451#comment-15687451
]
Jonathan S Fisher commented on TOMEE-1974:
------------------------------------------
OAuth will be an interesting challenge, but a very valuable addition. There are
about 3-4 layers of abstraction in the TomEE client between the Context
implementation class and the actual transport, and passing parameters down the
chain only happens at initialization time, not at request-time. I sort of
copped out in refactoring that part of the server with this implementation by
manipulating the URL parameters, but that was my initial approach. I ended up
breaking so many things I reverted all the changes and went with this route.
Hoping it can be improved upon in future releases.
> Allow TomEE ejbd HTTP Servlet to be protected by basic auth
> -----------------------------------------------------------
>
> Key: TOMEE-1974
> URL: https://issues.apache.org/jira/browse/TOMEE-1974
> Project: TomEE
> Issue Type: New Feature
> Components: TomEE Core Server
> Affects Versions: 1.7.5
> Reporter: Jonathan S Fisher
> Priority: Minor
>
> TomEE offers ejbd over http. This is great for a number of reasons, but it
> could go further by protecting the endpoint with http basic auth. This would
> harden the server, and it would have prevented the bug involving
> deserialization of unknown classes, because authentication would have to happen
> before the underlying protocol was deserialized.
> Pull request here: https://github.com/apache/tomee/pull/52
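An added illustration of the ordering the issue description argues for (not TomEE code and not taken from the pull request): a JDK-only stand-in endpoint where HTTP Basic auth is checked before the handler ever opens an `ObjectInputStream`. The `/ejb` path, the class name and the credentials are constructed for the example, and Java 8 or later is assumed.

```java
import com.sun.net.httpserver.BasicAuthenticator;
import com.sun.net.httpserver.HttpServer;
import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.concurrent.atomic.AtomicInteger;

public class AuthBeforeDeserialize {
    static final AtomicInteger deserialized = new AtomicInteger(); // completed readObject() calls
    static byte[] utf8(String s) { return s.getBytes(StandardCharsets.UTF_8); }

    static HttpServer start(String user, String pass) throws IOException {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/ejb", exchange -> {
            // Runs only after the authenticator below has accepted the request.
            try (ObjectInputStream in = new ObjectInputStream(exchange.getRequestBody())) {
                in.readObject();
                deserialized.incrementAndGet();
                exchange.sendResponseHeaders(200, -1);
            } catch (ClassNotFoundException e) {
                exchange.sendResponseHeaders(400, -1);
            } finally { exchange.close(); }
        }).setAuthenticator(new BasicAuthenticator("ejbd") {
            @Override public boolean checkCredentials(String u, String p) {
                // Non-short-circuit '&' so both fields are always compared.
                return MessageDigest.isEqual(utf8(u), utf8(user)) & MessageDigest.isEqual(utf8(p), utf8(pass));
            }
        });
        server.start();
        return server;
    }
    // Sends one serialized object; credentials is "user:password" or null for no header.
    static int post(int port, String credentials) throws IOException {
        HttpURLConnection c = (HttpURLConnection) new URL("http://127.0.0.1:" + port + "/ejb").openConnection();
        c.setDoOutput(true); // request with a body is sent as POST
        if (credentials != null)
            c.setRequestProperty("Authorization", "Basic " + Base64.getEncoder().encodeToString(utf8(credentials)));
        try (ObjectOutputStream out = new ObjectOutputStream(c.getOutputStream())) {
            out.writeObject("constructed sample payload");
        }
        return c.getResponseCode();
    }
    public static void main(String[] args) throws IOException {
        HttpServer server = start("ejbuser", "constructed-secret"); // constructed credentials
        int port = server.getAddress().getPort();
        for (String cred : new String[] {null, "ejbuser:wrong", "ejbuser:constructed-secret"})
            System.out.println(post(port, cred) + " deserialized=" + deserialized.get());
        server.stop(0);
    }
}
```

Authenticated callers still reach `readObject()`, so the check narrows who can reach the deserializer rather than making deserialization itself safe.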