[ https://issues.apache.org/jira/browse/GERONIMO-4738?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Delos Dai resolved GERONIMO-4738.
---------------------------------
Resolution: Fixed
As David said, if a security problem happens, it's better to return HTTP 403
instead of 500.
The fix is in revision #950429. It covers two cases.
1) If transport-guarantee is not NONE, accessing the web service over HTTP will cause
a 403. It's the same behavior as in G 2.1.5.
2) If any security problem happens while accessing the web service, the client will also
get an HTTP 403 status and a detailed error message.
> ejb ws report authorization failures as 500 internal server error
> -----------------------------------------------------------------
>
> Key: GERONIMO-4738
> URL: https://issues.apache.org/jira/browse/GERONIMO-4738
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: webservices
> Affects Versions: 2.2
> Reporter: David Jencks
> Assignee: Delos Dai
> Fix For: 2.2.1
>
>
> If you secure an ejb web service with ejb security constraints, cxf reports
> authorization failures as a 500 internal server error and doesn't log much that is
> useful. Axis2 logs the auth failure and IIRC reports 401 or 403.
> I think this can be reproduced by removing the ejb-jar.xml security
> constraints from
> testsuite/webservices-testsuite/jaxws-tests/jaxws-ejb-sec/src/main/resources/META-INF/ejb-jar.xml
--
This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
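The two cases in the resolution comment, shown as a hypothetical servlet filter in front of a web-service endpoint. This is an added illustration for this page, not Geronimo's or CXF's code: the class name, the `transport-guarantee` init-param, and the choice of which exception types are mapped to 403 are assumptions.

```java
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.ejb.EJBAccessException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not Geronimo/CXF code) that turns the two failure modes
 * discussed in GERONIMO-4738 into HTTP 403 plus a server-side log entry,
 * instead of letting them escape as an unlogged 500.
 */
public class WsSecurityStatusFilter implements Filter {

    private static final Logger LOG = Logger.getLogger(WsSecurityStatusFilter.class.getName());

    // Assumed to mirror the endpoint's transport-guarantee: NONE, INTEGRAL or CONFIDENTIAL.
    private String transportGuarantee = "NONE";

    public void init(FilterConfig config) {
        String tg = config.getInitParameter("transport-guarantee");
        if (tg != null) {
            transportGuarantee = tg.trim().toUpperCase();
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Case 1: endpoint demands INTEGRAL/CONFIDENTIAL but the call arrived over plain HTTP.
        if (!"NONE".equals(transportGuarantee) && !request.isSecure()) {
            deny(request, response,
                 "transport-guarantee " + transportGuarantee + " requires a secure transport", null);
            return;
        }

        // Case 2: a security failure raised while invoking the EJB must become 403, not 500.
        try {
            chain.doFilter(request, response);
        } catch (EJBAccessException e) {
            deny(request, response, "authorization failed", e);
        } catch (SecurityException e) {
            deny(request, response, "security failure", e);
        } catch (ServletException e) {
            // Containers often wrap the original exception; unwrap before deciding.
            Throwable root = e.getRootCause();
            if (root instanceof EJBAccessException || root instanceof SecurityException) {
                deny(request, response, "authorization failed", root);
            } else {
                throw e; // not a security problem: let the container report it as it sees fit
            }
        }
    }

    private void deny(HttpServletRequest request, HttpServletResponse response,
                      String reason, Throwable cause) throws IOException {
        // Keep the diagnostic detail (caller, URI, exception) in the server log.
        String user = request.getUserPrincipal() == null
                ? "anonymous" : request.getUserPrincipal().getName();
        LOG.log(Level.WARNING,
                "403 for " + request.getRequestURI() + " (user=" + user + "): " + reason, cause);
        if (!response.isCommitted()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, reason);
        }
    }

    public void destroy() {
    }
}
```

The filter sends only a short reason to the client and keeps the exception detail in the log; if an implementation echoes the full exception message to the caller, as "detailed error message" might suggest, check that it does not reveal role names, bean names or internal paths to an unauthenticated client.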