Protecting EJB based Web services but excluding wsdl from the protection
------------------------------------------------------------------------
Key: GERONIMO-4015
URL: https://issues.apache.org/jira/browse/GERONIMO-4015
Project: Geronimo
Issue Type: New Feature
Security Level: public (Regular issues)
Components: OpenEJB
Reporter: Rafael Thomas Goz Coutinho
Priority: Minor
When we protect a Web service using HTTP Basic authentication we protect all
access to that Webservice endpoint URL even to the generated WSDL.
When exposing a POJO based webservices using a Web project the usual work
around is to set the http-method to only protect POST requests. So the GET to
the wsdl will not be protected.
However when exposing an EJB based Webservice we can not configure that, so the
wsdl is always protected for POST or GET requests.
It would be nice if we could change that...
here is a example of the EJB WS security deployment plan:
<ejb:enterprise-beans>
<ejb:session>
<ejb:ejb-name>Test</ejb:ejb-name>
<ejb:web-service-security>
<ejb:security-realm-name>
WSTest
</ejb:security-realm-name>
<ejb:transport-guarantee>NONE</ejb:transport-guarantee>
<ejb:auth-method>BASIC</ejb:auth-method>
</ejb:web-service-security>
</ejb:session>
</ejb:enterprise-beans>
No place for defining the HTTP method.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
