Re: Securing a webservice

Tue, 21 Apr 2009 12:09:54 -0700

Had to change up part of this code to fix OPENEJB-1021: "NPE in AppInfoBuilder.configureWebserviceSecurity()" which shows up in the Geronimo build.
I rearranged the configureWebserviceSecurity method just slightly. It's functionally equivalent, the only behavior change is the null check on sessionBean.getWebServiceSecurity(). 


Added some TODOs as it seems like there's some room to be more vocal  
about potential user mistakes and issues.  Not too familiar with the  
config setup, no not sure what to recommend.   Here's the code in  
question:


    List<PortInfo> infoList = ejbJarInfo.portInfos;
    for (PortInfo portInfo : infoList) {


        org.apache.openejb.jee.oejb2.EnterpriseBean bean =  
beans.get(portInfo.serviceLink);


        if (bean == null) continue; /* TODO: throw something? */

        if (!(bean instanceof SessionBeanType)) continue; /* TODO:  
throw something? */


        SessionBeanType sessionBean = (SessionBeanType) bean;

        WebServiceSecurityType webServiceSecurityType =  
sessionBean.getWebServiceSecurity();


        if (webServiceSecurityType == null) {
            //TODO: this ok?
            continue;
        }

        portInfo.realmName = webServiceSecurityType.getRealmName();

        portInfo.securityRealmName =  
webServiceSecurityType.getSecurityRealmName();

        if (webServiceSecurityType.getTransportGuarantee() != null) {

            portInfo.transportGuarantee =  
webServiceSecurityType.getTransportGuarantee().value();

        } else {
            portInfo.transportGuarantee = "NONE";
        }

        if (webServiceSecurityType.getAuthMethod() != null) {

            portInfo.authMethod =  
webServiceSecurityType.getAuthMethod().value();

        } else {
            portInfo.authMethod = "NONE";
        }
    }


Any thoughts on what we should do with the todos?


Seems like the first one indicates they don't have any metadata in the  
openejb-jar.xml for the bean.  Are there defaults that we want to fill  
in in that situation?



The second seems to indicate there is metadata for the bean, but it is  
not what we expect.  Seems there's definitely some action to be taken  
there.



The third (the one I just added), not sure what the right approach  
is.  Seems like a variation on the first one.  Might be fine to ignore  
it, wonder if we need some defaults in there.  Seems we supply "NONE"  
for transportGuarantee and authMethod as the defaults when there is  
some metadata give, wonder if we need to do that for when there is no  
metadata given.


-David






























					Reply via email to