[ https://issues.apache.org/jira/browse/GERONIMO-4015?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jarek Gawor resolved GERONIMO-4015.
-----------------------------------
Resolution: Fixed
Fix Version/s: 2.2
I added support for specifying a list of HTTP methods that should be secured
when invoking an EJB-based web service (see revisions 732217 and 732219). With that
you can omit the GET method and therefore allow unsecured WSDL access. Here's an
example:
{noformat}
<ejb:enterprise-beans>
  <ejb:session>
    <ejb:ejb-name>Test</ejb:ejb-name>
    <ejb:web-service-security>
      <ejb:security-realm-name>WSTest</ejb:security-realm-name>
      <ejb:transport-guarantee>NONE</ejb:transport-guarantee>
      <ejb:auth-method>BASIC</ejb:auth-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </ejb:web-service-security>
  </ejb:session>
</ejb:enterprise-beans>
{noformat}
> Protecting EJB based Web services but excluding wsdl from the protection
> ------------------------------------------------------------------------
>
> Key: GERONIMO-4015
> URL: https://issues.apache.org/jira/browse/GERONIMO-4015
> Project: Geronimo
> Issue Type: New Feature
> Security Level: public(Regular issues)
> Components: OpenEJB, webservices
> Reporter: Rafael Thomas Goz Coutinho
> Assignee: Jarek Gawor
> Priority: Minor
> Fix For: 2.2
>
>
> When we protect a Web service using HTTP Basic authentication we protect all
> access to that Web service endpoint URL, even to the generated WSDL.
> When exposing a POJO-based web service using a Web project the usual
> workaround is to set the http-method to only protect POST requests. So the GET to
> the WSDL will not be protected.
> However when exposing an EJB-based Web service we cannot configure that, so
> the WSDL is always protected for POST or GET requests.
> It would be nice if we could change that...
> Here is an example of the EJB WS security deployment plan:
> <ejb:enterprise-beans>
>   <ejb:session>
>     <ejb:ejb-name>Test</ejb:ejb-name>
>     <ejb:web-service-security>
>       <ejb:security-realm-name>
>         WSTest
>       </ejb:security-realm-name>
>
>       <ejb:transport-guarantee>NONE</ejb:transport-guarantee>
>       <ejb:auth-method>BASIC</ejb:auth-method>
>     </ejb:web-service-security>
>   </ejb:session>
> </ejb:enterprise-beans>
> No place for defining the HTTP method.
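Added example (not part of the original message or of Geronimo's code): a small audit of a deployment plan like the one above, listing which HTTP methods each bean leaves unauthenticated once http-method entries are present, and whether BASIC credentials can travel without TLS. It assumes the semantics described in the comment (only listed methods are secured; no entries means all are secured); the namespace URI and the method list are constructed for the example.

```python
import xml.etree.ElementTree as ET

ALL_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}

# Constructed sample plan; the namespace URI is a placeholder, not Geronimo's.
PLAN = """<ejb:enterprise-beans xmlns:ejb="urn:example:placeholder">
  <ejb:session>
    <ejb:ejb-name>Test</ejb:ejb-name>
    <ejb:web-service-security>
      <ejb:security-realm-name>WSTest</ejb:security-realm-name>
      <ejb:transport-guarantee>NONE</ejb:transport-guarantee>
      <ejb:auth-method>BASIC</ejb:auth-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </ejb:web-service-security>
  </ejb:session>
</ejb:enterprise-beans>"""

def local(tag):
    """Strip the '{namespace}' part so prefixed and unprefixed elements match."""
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    """Text of every direct child of elem whose local name is `name`."""
    return [(c.text or "").strip() for c in elem if local(c.tag) == name]

def audit(plan_xml):
    """Return one finding dict per bean that has a web-service-security block."""
    findings = []
    for bean in ET.fromstring(plan_xml).iter():
        sec = [c for c in bean if local(c.tag) == "web-service-security"]
        if not sec:
            continue
        listed = {m.upper() for m in child_text(sec[0], "http-method") if m}
        # Assumption from the page: no <http-method> means every method is secured.
        open_methods = sorted(ALL_METHODS - listed) if listed else []
        auth = (child_text(sec[0], "auth-method") or [""])[0].upper()
        guarantee = (child_text(sec[0], "transport-guarantee") or [""])[0].upper()
        findings.append({
            "bean": (child_text(bean, "ejb-name") or ["?"])[0],
            "unauthenticated": open_methods,
            # BASIC credentials are only base64-encoded, so they need TLS.
            "cleartext_basic": auth == "BASIC" and guarantee != "CONFIDENTIAL",
        })
    return findings

if __name__ == "__main__":
    for finding in audit(PLAN):
        print(finding)
```

Any method in the "unauthenticated" list that the endpoint actually serves is reachable without credentials, so the list is worth comparing against what the service is meant to expose.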