On Jul 1, 2009, at 11:04 AM, Jarek Gawor wrote:
David,
I'm trying to make things work and behave the same for ejb-based web
services as for servlet-based web services. I have a similar security
tests to jaxws-ejb-sec for servlet-based web services - see
jaxws-war-sec. Take a look at /basicAllowGet example in web.xml. It
has one http-method specified (POST) and auth-method is configured to
BASIC. That allows me to perform GET on the service without any
security but POST request will require BASIC auth. So if that's how
are things working for web-based services I would like to have the
same behavior for ejb-based services.
I'm not very happy with what we can configure now. With a web app,
you can have lots of security constraints but IIUC for ejb ws you can
only have one. So with a single web security constraint, say you
restrict POST to require CONFIDENTIAL and auth. That means that non-
POST requests are completely unconstrained both for transport and for
auth. In a web app you can have more constraints so that e.g. there's
still transport guarantee.
If we imitate this with ejb constraints but only allow a single
constraint, then adding a http method into the mix mostly unsecures
everything else. I don't think this is a good idea. I think there
are 2 reasonable options:
1. if we only allow a single constraint, only grant the permissions
from that constraint.... everything else is prohibited. This is
nearly the opposite of what servlet constraints do. This is pretty
easy to implement.
2. allow full web-like multiple security-constraint elements although
we'd ignore the role-constraint mapping since the ejb security ought
to be more meaningful. This is more complicated to implement, but
might not be exactly difficult.
thoughts?
thanks
david jencks
Jarek
On Wed, Jul 1, 2009 at 3:23 AM, David Jencks<[email protected]>
wrote:
I fixed IMO all the security problems here and think we should
change the
tests for the 2 remaining failures.
The question is whether if the web service requires authentication,
the wsdl
requests should too. Previously wsdl requests never required
authentication, just the correct transport guarantee. While this
seemed
reasonable when we first wrote this, I no longer think it makes
sense.
Currently in the jetty ejb ws if authentication is required
(i.e.an auth
method specified) then all requests, both to the ws and for the
wsdl require
authentication.
Shall I go ahead and change the testsuite and tomcat ejb ws?
thanks
david jencks
