Posted to commits@tomee.apache.org by "Romain Manni-Bucau (JIRA)" <ji...@apache.org> on 2016/11/22 17:43:58 UTC

[jira] [Commented] (TOMEE-1974) Allow TomEE ejbd HTTP Servlet to be protected by basic auth

    [ https://issues.apache.org/jira/browse/TOMEE-1974?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15687379#comment-15687379 ] 

Romain Manni-Bucau commented on TOMEE-1974:
-------------------------------------------

The client config kind of competes with the existing one of TomEE 7 (authorization header, to not limit to the basic-specific case), so it would likely be better to align on TomEE 7 instead of introducing a new mechanism for a version no longer selected for current developments.

> Allow TomEE ejbd HTTP Servlet to be protected by basic auth
> -----------------------------------------------------------
>
>                 Key: TOMEE-1974
>                 URL: https://issues.apache.org/jira/browse/TOMEE-1974
>             Project: TomEE
>          Issue Type: New Feature
>          Components: TomEE Core Server
>    Affects Versions: 1.7.5
>            Reporter: Jonathan S Fisher
>            Priority: Minor
>
> TomEE offers ejbd over http. This is great for a number of reasons, but it could go further by protecting the endpoint with http basic auth. This would harden the server, and it would have prevented the bug involving deserialization of unknown classes, because authentication would have to happen before the underlying protocol was deserialized.
> Pull request here: https://github.com/apache/tomee/pull/52


