Could you please raise a JIRA and attach your patch
as a diff file if possible? Thanks!

On 3/23/07, Eduardo Burgos <[EMAIL PROTECTED]> wrote:

Hi,


This is regarding HttpConsumerEndpoint class, which is
HttpSoapConsumerEndpoint's superclass. I tried to dynamically deploy a
HttpSoapConsumerEndpoint into a servicemix-http, it worked very well, but I
noticed some different behavior compared to the old HttpEndpoint. If I used
HttpEndpoint, every time I log in using http, the underlying
NormalizedMessage carries in the securitySubject a Principal that identifies
the user, this is not the case with
HttpSoapConsumerEndpoint/HttpConsumerEndpoint. Since those new
HttpEndpointTypes now use a marshaler (which is by default the
DefaultHttpConsumerMarshaler) then I'm not sure if this is actually intended.
Is it intended that the HttpConsumerEndpoint is left without this security
feature so that I have to actually implement it in a new Marshaler?

I found 2 solutions:
1) I can build a new HttpConsumerMarshaler and handle the createExchange
method so that it uses the request and inserts a SecuritySubject in the
MessageExchange that it's just about to create. That would work, however, I
still think that security should be a little more servicemix native.

2) I would modify HttpConsumerEndpoint.java in
org.apache.servicemix.http.endpoints.HttpConsumerEndpoint and insert the
following lines between lines 217 and 218 which are respectively:
217-  exchange = createExchange(request);
218-  locks.put(exchange.getExchangeId(), cont);


proposed lines:

217-  exchange = createExchange(request);
218-  if (request.getUserPrincipal() != null) {
219-      if (request.getUserPrincipal() instanceof JaasJettyPrincipal) {
220-          Subject subject = ((JaasJettyPrincipal) request.getUserPrincipal()).getSubject();
221-          context.getInMessage().setSubject(subject);
222-      } else {
223-          context.getInMessage().addPrincipal(request.getUserPrincipal());
224-      }
225-  }
226-  locks.put(exchange.getExchangeId(), cont);


I chose option 2 by modifying HttpConsumerEndpoint's code until there is a
final solution.

Any comments? Guillaume?


Regards,

Eduardo Burgos




--
Cheers,
Guillaume Nodet
------------------------
Architect, LogicBlaze (http://www.logicblaze.com/)
Blog: http://gnodet.blogspot.com/
