HttpConsumerEndpoint, security issue
------------------------------------
Key: SM-895
URL: https://issues.apache.org/activemq/browse/SM-895
Project: ServiceMix
Issue Type: Bug
Components: servicemix-http
Affects Versions: 3.2
Environment: linux, servicemix-3.2-incubating-SNAPSHOT, desktop pc
Reporter: Eduardo Burgos
Priority: Minor
Fix For: 3.2
Attachments: HttpConsumerEndpoint.diff
Hi,
This is regarding HttpConsumerEndpoint class, which is
HttpSoapConsumerEndpoint's superclass. I tried to dynamically deploy a
HttpSoapConsumerEndpoint into a servicemix-http, it worked very well, but I
noticed some different behavior compared to the old HttpEndpoint. If I used
HttpEndpoint, every time I log in using http, the underlying NormalizedMessage
carries in the securitySubject a Principal that identifies the user, this is
not the case with HttpSoapConsumerEndpoint/HttpConsumerEndpoint. Since those
new HttpEndpointTypes now use a marshaler (which is by default the
DefaultHttpConsumerMarshaler) then Im not sure if this is actually intended. Is
it intended that the HttpConsumerEndpoint is left without this security feature
so that I have to actually implement it in a new Marshaler?
Attached is a diff file with my solution regarding changes to
HttpConsumerEndpoint class
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
