I just added a comment to the Github commit on this, but wanted to reference it here in case anyone finds this email thread.
https://github.com/apache/tomee/commit/7edb1be6a17efb05a5ca37ff2919abd2a0aabe25

This approach causes problems with clustered connections. If using a clustered URL like "failover:sticky+random:https://1.2.3.4:8443/ejb/invoke?authorization=Basic%20ABCD,https://1.2.3.5:8443/ejb/invoke?authorization=Basic%20ABCD", the call to URI::getSchemeSpecificPart() in org.apache.openejb.client.FailoverConnectionFactory::getConnection() results in the "%20" encoding being stripped & replaced with a raw space character. The subsequent call to URI.create(remainder) fails with an IllegalArgumentException on the index of the space character.

It may be appropriate to change FailoverConnectionFactory to use URI::getRawSchemeSpecificPart() or else assume the "Basic " part of the header in HttpConnectionFactory. I'm not sure how that class could do anything other than basic auth in this situation since there's no facility for it to retrieve the nonce or other digest related attributes from the HTTP/401 challenge.

I've locally modified this class to append the Basic part itself (i.e. httpURLConnection.setRequestProperty("Authorization", "Basic " + params.get("authorization"));) leaving only the base64 encoded credentials in the URL. It works fine that way with single or clustered URLs.

Best regards,
Zac Bedell

On Jul 28, 2016, at 05:56, Romain Manni-Bucau <[email protected]> wrote:

Well this is not "trivial" since normally you don't do it so no worries

org.apache.openejb.client.ConnectionManager.registerFactory("http", new MyConnectionFactory());
org.apache.openejb.client.ConnectionManager.registerFactory("https", new MyConnectionFactory());

Once at startup (= before any remote call).
Side note: you can copy master HttpConnectionFactory to get basic support adding ?authorization=Basic%20xxxxxxxx==:
https://github.com/apache/tomee/blob/master/server/openejb-client/src/main/java/org/apache/openejb/client/HttpConnectionFactory.java

Romain Manni-Bucau
@rmannibucau

2016-07-28 11:09 GMT+02:00 ict <[email protected]>:

Forgive my inexperience, how do you extend and record the client-side class?

--
View this message in context: http://tomee-openejb.979440.n4.nabble.com/secure-the-tomee-ejb-path-tp4679509p4679528.html
Sent from the TomEE Users mailing list archive at Nabble.com.
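
The failure described in the first message of this thread, and the two remedies it proposes, as an added example that is not part of the original emails and not TomEE's own code. The members() helper is a hypothetical, simplified stand-in for the member parsing in FailoverConnectionFactory, and "ABCD" is a placeholder credential in constructed URLs.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.List;

public class FailoverUriDemo {
    // Hypothetical stand-in for the member parsing: drop the strategy
    // prefix ("sticky+random:"), split on commas, parse each member URL.
    static List<URI> members(String schemeSpecificPart) {
        String remainder = schemeSpecificPart.substring(schemeSpecificPart.indexOf(':') + 1);
        List<URI> out = new ArrayList<>();
        for (String member : remainder.split(",")) {
            out.add(URI.create(member)); // rejects a raw space in the query
        }
        return out;
    }

    // Value of the "authorization" query parameter, percent-decoded by URI.getQuery().
    static String authorizationParam(URI member) {
        for (String pair : member.getQuery().split("&")) {
            if (pair.startsWith("authorization=")) {
                return pair.substring("authorization=".length());
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed URLs modelled on the message; "ABCD" is a placeholder credential.
        URI withScheme = URI.create("failover:sticky+random:"
            + "https://1.2.3.4:8443/ejb/invoke?authorization=Basic%20ABCD,"
            + "https://1.2.3.5:8443/ejb/invoke?authorization=Basic%20ABCD");
        URI credentialsOnly = URI.create("failover:sticky+random:"
            + "https://1.2.3.4:8443/ejb/invoke?authorization=ABCD,"
            + "https://1.2.3.5:8443/ejb/invoke?authorization=ABCD");

        try {
            members(withScheme.getSchemeSpecificPart()); // "%20" already decoded to ' '
        } catch (IllegalArgumentException e) {
            System.out.println("decoded part fails: " + e.getMessage());
        }

        // Option 1: the raw part keeps "%20", so each member URL parses.
        for (URI m : members(withScheme.getRawSchemeSpecificPart())) {
            System.out.println(m.getHost() + " -> Authorization: " + authorizationParam(m));
        }
        // Option 2: no escape in the URL; the header prefix is added in code.
        for (URI m : members(credentialsOnly.getSchemeSpecificPart())) {
            System.out.println(m.getHost() + " -> Authorization: Basic " + authorizationParam(m));
        }
    }
}
```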
