David, I'm trying to make things work and behave the same for ejb-based web services as for servlet-based web services. I have a similar security tests to jaxws-ejb-sec for servlet-based web services - see jaxws-war-sec. Take a look at /basicAllowGet example in web.xml. It has one http-method specified (POST) and auth-method is configured to BASIC. That allows me to perform GET on the service without any security but POST request will require BASIC auth. So if that's how are things working for web-based services I would like to have the same behavior for ejb-based services.
Jarek On Wed, Jul 1, 2009 at 3:23 AM, David Jencks<[email protected]> wrote: > > > I fixed IMO all the security problems here and think we should change the > tests for the 2 remaining failures. > > The question is whether if the web service requires authentication, the wsdl > requests should too. Previously wsdl requests never required > authentication, just the correct transport guarantee. While this seemed > reasonable when we first wrote this, I no longer think it makes sense. > Currently in the jetty ejb ws if authentication is required (i.e.an auth > method specified) then all requests, both to the ws and for the wsdl require > authentication. > > Shall I go ahead and change the testsuite and tomcat ejb ws? > > thanks > david jencks >
