Posted to dev@geronimo.apache.org by "Rafael Thomas Goz Coutinho (JIRA)" <ji...@apache.org> on 2008/05/14 03:19:55 UTC
[jira] Created: (GERONIMO-4015) Protecting EJB based Web services but excluding wsdl from the protection
Protecting EJB based Web services but excluding wsdl from the protection
------------------------------------------------------------------------
Key: GERONIMO-4015
URL: https://issues.apache.org/jira/browse/GERONIMO-4015
Project: Geronimo
Issue Type: New Feature
Security Level: public (Regular issues)
Components: OpenEJB
Reporter: Rafael Thomas Goz Coutinho
Priority: Minor
When we protect a Web service using HTTP Basic authentication, we protect all access to that Web service endpoint URL, even to the generated WSDL.
When exposing POJO-based Web services using a Web project, the usual workaround is to set the http-method to only protect POST requests, so the GET to the WSDL will not be protected.
However, when exposing an EJB-based Web service we cannot configure that, so the WSDL is always protected for POST or GET requests.
It would be nice if we could change that...
Here is an example of the EJB WS security deployment plan:
<ejb:enterprise-beans>
    <ejb:session>
        <ejb:ejb-name>Test</ejb:ejb-name>
        <ejb:web-service-security>
            <ejb:security-realm-name>
                WSTest
            </ejb:security-realm-name>
            <ejb:transport-guarantee>NONE</ejb:transport-guarantee>
            <ejb:auth-method>BASIC</ejb:auth-method>
        </ejb:web-service-security>
    </ejb:session>
</ejb:enterprise-beans>
No place for defining the HTTP method.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (GERONIMO-4015) Protecting EJB based Web services but excluding wsdl from the protection
Posted by "Jarek Gawor (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/GERONIMO-4015?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jarek Gawor updated GERONIMO-4015:
----------------------------------
Component/s: webservices
Assignee: Jarek Gawor
[jira] Resolved: (GERONIMO-4015) Protecting EJB based Web services but excluding wsdl from the protection
Posted by "Jarek Gawor (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/GERONIMO-4015?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jarek Gawor resolved GERONIMO-4015.
-----------------------------------
Resolution: Fixed
Fix Version/s: 2.2
I added support for specifying a list of HTTP methods that should be secured when invoking an EJB-based web service (see revisions 732217 and 732219). With that you can omit the GET method and therefore allow unsecured WSDL access. Here's an example:
{noformat}
<ejb:enterprise-beans>
    <ejb:session>
        <ejb:ejb-name>Test</ejb:ejb-name>
        <ejb:web-service-security>
            <ejb:security-realm-name>WSTest</ejb:security-realm-name>
            <ejb:transport-guarantee>NONE</ejb:transport-guarantee>
            <ejb:auth-method>BASIC</ejb:auth-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
        </ejb:web-service-security>
    </ejb:session>
</ejb:enterprise-beans>
{noformat}
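
Added example, not part of the original thread or of Geronimo: a small Python audit of a deployment plan that reports which HTTP methods a web-service-security block leaves unauthenticated and whether BASIC is used without a transport guarantee. It assumes the semantics described in the thread (no http-method entries means every method is secured; otherwise only the listed ones are); the sample plan, its placeholder namespace URI, the METHODS list and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the plan in the resolution comment; the
# namespace URI is a placeholder, not Geronimo's schema namespace.
SAMPLE_PLAN = """\
<ejb:enterprise-beans xmlns:ejb="urn:example:placeholder">
 <ejb:session>
  <ejb:ejb-name>Test</ejb:ejb-name>
  <ejb:web-service-security>
   <ejb:security-realm-name>WSTest</ejb:security-realm-name>
   <ejb:transport-guarantee>NONE</ejb:transport-guarantee>
   <ejb:auth-method>BASIC</ejb:auth-method>
   <ejb:http-method>POST</ejb:http-method>
   <ejb:http-method>PUT</ejb:http-method>
  </ejb:web-service-security>
 </ejb:session>
</ejb:enterprise-beans>
"""
METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE")

def find(elem, name):
    """Descendants with this local name, whatever their namespace prefix."""
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]

def text(elem, name):
    """Trimmed text of the first matching descendant, or '' if absent."""
    hits = find(elem, name)
    return (hits[0].text or "").strip() if hits else ""

def audit_plan(xml_text):
    """One report per session bean carrying a web-service-security block."""
    reports = []
    for bean in find(ET.fromstring(xml_text), "session"):
        for wss in find(bean, "web-service-security"):
            listed = [(m.text or "").strip().upper() for m in find(wss, "http-method")]
            # Assumption taken from the thread: with no http-method entries
            # every method is secured, otherwise only the listed ones are.
            unsecured = [m for m in METHODS if listed and m not in listed]
            others = [m for m in unsecured if m != "GET"]
            findings = []
            if "GET" in unsecured:
                findings.append("GET is unauthenticated (WSDL readable by anyone)")
            if others:
                findings.append("also not covered by authentication: " + ", ".join(others))
            if (text(wss, "auth-method").upper() == "BASIC"
                    and text(wss, "transport-guarantee").upper() in ("", "NONE")):
                findings.append("BASIC credentials travel without transport protection")
            reports.append({"bean": text(bean, "ejb-name"),
                            "unsecured": unsecured, "findings": findings})
    return reports
```

Calling audit_plan(SAMPLE_PLAN) returns one report for the bean "Test" listing GET, HEAD, DELETE, OPTIONS and TRACE as unsecured.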