On Mar 6, 2007, at 6:19 PM, Jarek Gawor wrote:
For JAX-WS services we need to check/enforce the WebServicesPermission
while publishing JAX-WS endpoints. Here's what the JAX-WS 2.0 spec
says (section 5.2.3):
"Conformance (Checking publishEndpoint Permission): When any of the
publish methods defined by the Endpoint class are invoked, an
implementation MUST check whether a SecurityManager is installed with
the application. If it is, implementations MUST verify that the
application has the WebServicePermission identified by the target name
publishEndpoint before proceeding. If the permission is not granted,
implementations MUST NOT publish the endpoint and they MUST throw a
java.lang.SecurityException."
So I think this is pretty clear how the check should be done and
where. That is, using SecurityManager API and within the CXF or Axis2
Endpoint class when one of the publish methods is called.
Now, the JSR109 spec (section 5.3.3) says:
"JAX-WS provides functionality for creating and publishing Web Service
endpoints dynamically using javax.xml.ws.Endpoint API. The use of this
functionality is considered non-portable in a managed environment. It
is required that both the Servlet and the EJB container disallow the
publishing of the Endpoint dynamically, by not granting the
publishEndpoint security permission. Please refer to details on this
in Section 5.2 of the JAX-WS specification."
So that permission needs to be enforced in G. How do I configure
things so that this permission is enforced or what do I need to do to
enforce it?
According to the SecurityManager javadoc the default implementation
of securityManager.checkPermission is to call
AccessController.checkPermission(). So I'd suggest that if the
cxf/axis2 code was

    SecurityManager sm = System.getSecurityManager();
    if (sm != null) {
        sm.checkPermission(new WebServicePermission(targetName));
    } else {
        AccessController.checkPermission(new WebServicePermission(targetName));
    }

then we will have fulfilled the jaxws spec (if there is a security
manager installed we ask its permission)
and the jsr109 spec (AccessController won't grant this permission, or
we can make our jacc implementation deny it if necessary)
and we won't have to install a security manager.
thanks
david jencks
Thanks,
Jarek
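
The guard proposed in the reply above, as an added example (not code from the thread, CXF, Axis2 or Geronimo): it shows that with no SecurityManager installed, the AccessController branch still denies publishEndpoint unless the active java.security.Policy grants it. Assumptions: Java 8 through 17, where these APIs are still functional; `WsPermission` is a hypothetical stand-in for javax.xml.ws.WebServicePermission, and the anonymous `Policy` stands in for the container's policy provider.

```java
import java.security.AccessController;
import java.security.BasicPermission;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;

public class PublishEndpointCheck {
    // Hypothetical stand-in for javax.xml.ws.WebServicePermission, which is
    // also a BasicPermission; used so no JAX-WS API jar is needed.
    static final class WsPermission extends BasicPermission {
        WsPermission(String name) { super(name); }
    }

    // The guard proposed in the message, placed where publish() would start.
    static void checkPublishPermission() {
        Permission p = new WsPermission("publishEndpoint");
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(p);
        } else {
            AccessController.checkPermission(p);
        }
    }

    // Install a policy that grants or withholds the permission (standing in
    // for the container's policy provider), then run the guard.
    static boolean publishAllowed(boolean policyGrants) {
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain domain, Permission perm) {
                return policyGrants && perm instanceof WsPermission;
            }
        });
        try {
            checkPublishPermission();
            return true;
        } catch (SecurityException denied) { // AccessControlException is a SecurityException
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("security manager installed: " + (System.getSecurityManager() != null));
        System.out.println("policy withholds publishEndpoint -> allowed = " + publishAllowed(false));
        System.out.println("policy grants publishEndpoint    -> allowed = " + publishAllowed(true));
    }
}
```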