[
https://issues.apache.org/jira/browse/GERONIMO-4645?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12729563#action_12729563
]
David Jencks commented on GERONIMO-4645:
----------------------------------------
rev 792824 gets all the testsuite jaxws-ejb-sec tests to pass for me.
Basically this sets stuff up to use jacc for security.
-- uses ejb abstract name for a policyContextID (ejb still gets the
policyContextID from its module)
-- uses jacc to enforce UserData constraints and whether auth is required. No
role-based permission checks are performed by the web transport layer; this is
done only by the ejb security.
-- configuration is now done with properties in the webservice-security
element. The http methods listed are ignored.
   getProtiected (default true) -- whether GET requests (presumably for wsdl) are
   subject to transport guarantees
   getSecured (default true unless authMethod NONE) -- whether GET requests must be
   authenticated.
I'm going to look into fixing up the tomcat and jetty6 ejb ws security to use
the same technique.
Listing only the protected methods and letting the non-protected https methods
be, well, unprotected has the practical effect that you can work around the
security constraints by using a non-standard http method. At least cxf
distinguishes only between "GET" and "everything else" and pushes all the
"everything else" methods to the POST handler. Since you can't list all the
http extension methods, it's better to just configure whether GET is secured
directly.
> jetty7 ejb web service authentication is turned off
> ---------------------------------------------------
>
> Key: GERONIMO-4645
> URL: https://issues.apache.org/jira/browse/GERONIMO-4645
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: Jetty
> Affects Versions: 2.2
> Reporter: David Jencks
> Assignee: David Jencks
> Fix For: 2.2
>
>
> See JettyContainerImpl.addWebService.
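
The argument in the comment above, as an added example that is not part of the original message and is not Geronimo or CXF code: a plain-Java model comparing a "listed methods" check with a single GET switch. The class and method names and the sample method lists are hypothetical and constructed for illustration; only the `getSecured` behaviour and the "GET versus everything else" dispatch are taken from the comment's description.

```java
import java.util.List;
import java.util.Set;

/** Model of the two configuration styles discussed in the comment (hypothetical names). */
public class WsMethodPolicy {

    /** Listed style: only the HTTP methods named in the configuration are checked. */
    static boolean authRequiredListed(Set<String> protectedMethods, String method) {
        return protectedMethods.contains(method);
    }

    /** GET-switch style: GET has its own flag; every other method is always checked. */
    static boolean authRequiredGetSwitch(boolean authConfigured, boolean getSecured, String method) {
        if (!authConfigured) {
            return false;                       // models authMethod NONE
        }
        return !"GET".equals(method) || getSecured;
    }

    /** Dispatch as the comment describes for cxf: "GET" versus everything else. */
    static String handlerFor(String method) {
        return "GET".equals(method) ? "GET" : "POST";
    }

    public static void main(String[] args) {
        Set<String> listed = Set.of("GET", "POST");   // constructed sample configuration
        // Constructed sample request methods, including HTTP extension methods.
        for (String m : List.of("GET", "POST", "PUT", "PROPFIND", "FOO")) {
            boolean listedCheck = authRequiredListed(listed, m);
            boolean switchCheck = authRequiredGetSwitch(true, true, m);
            // A gap exists when the request is served by the POST handler
            // but the listed-methods check never asked for authentication.
            boolean gap = "POST".equals(handlerFor(m)) && !listedCheck;
            System.out.printf("%-9s handler=%-4s listed=%-5b getSwitch=%-5b%s%n",
                    m, handlerFor(m), listedCheck, switchCheck,
                    gap ? "  <-- not covered by listed style" : "");
        }
        // With getSecured=false only GET (e.g. wsdl retrieval) is exempt.
        System.out.println("getSecured=false GET -> " + authRequiredGetSwitch(true, false, "GET"));
        System.out.println("getSecured=false FOO -> " + authRequiredGetSwitch(true, false, "FOO"));
    }
}
```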