[ https://issues.apache.org/jira/browse/TOMEE-1974?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16074566#comment-16074566 ]

ASF GitHub Bot commented on TOMEE-1974:
---------------------------------------

Github user rmannibucau commented on the issue:

    https://github.com/apache/tomee/pull/85
  
    @jgallimore don't recall where was the thread about it but think 2 inputs are important:
    
    1. we already have the ability to use basic
    2. user can always configure the desired security (even another one) creating physically tomee webapp and configuring the ejbdservlet with standard servlet security mechanisms
    2.bis. you can also do it on the host directly if the instance = 1 webapp = ejbd
    
    2 can need some more doc inputs indeed but I'd prefer to not introduce a new mechanism for 1 and to not do something specific for that need.


> Allow TomEE ejbd HTTP Servlet to be protected by basic auth
> -----------------------------------------------------------
>
>                 Key: TOMEE-1974
>                 URL: https://issues.apache.org/jira/browse/TOMEE-1974
>             Project: TomEE
>          Issue Type: New Feature
>          Components: TomEE Core Server
>    Affects Versions: 1.7.5
>            Reporter: Jonathan S Fisher
>            Priority: Minor
>
> TomEE offers ejbd over http. This is great for a number of reasons, but it 
> could go further by protecting the endpoint with http basic auth. This would 
> harden the server, and it would have prevented the bug involving 
> deserialization unknown classes, because authentication would have to happen 
> before the underlying protocol was deserialized.
> Pull request here: https://github.com/apache/tomee/pull/52



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
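
The "standard servlet security mechanisms" route from point 2 of the comment could look like the `web.xml` below. This is an added example, not taken from the thread, the pull request or TomEE's documentation; the servlet class name, the `/ejb/*` mapping, the role name `ejbd-client` and the realm name are assumptions to check against your own installation, and users and roles come from whatever realm the container is configured with.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/web.xml of the physically created tomee webapp (added example) -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <!-- Assumption: class name and /ejb/* mapping of the ejbd HTTP servlet;
       check them against the web.xml shipped with your TomEE version. -->
  <servlet>
    <servlet-name>ServerServlet</servlet-name>
    <servlet-class>org.apache.openejb.server.httpd.ServerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>ServerServlet</servlet-name>
    <url-pattern>/ejb/*</url-pattern>
  </servlet-mapping>

  <!-- No http-method elements: the constraint covers every method, so
       the container rejects unauthenticated requests before the servlet
       reads (and deserializes) the request body. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>ejbd over HTTP</web-resource-name>
      <url-pattern>/ejb/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>ejbd-client</role-name> <!-- assumed role name -->
    </auth-constraint>
    <user-data-constraint>
      <!-- Basic auth sends credentials base64-encoded, so require TLS. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>ejbd</realm-name> <!-- assumed realm name -->
  </login-config>

  <security-role>
    <role-name>ejbd-client</role-name>
  </security-role>
</web-app>
```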
