Posted to dev@geronimo.apache.org by "David Jencks (JIRA)" <ji...@apache.org> on 2009/05/24 00:11:45 UTC

[jira] Created: (GERONIMO-4645) jetty7 ejb web service authentication is turned off

jetty7 ejb web service authentication is turned off
---------------------------------------------------

                 Key: GERONIMO-4645
                 URL: https://issues.apache.org/jira/browse/GERONIMO-4645
             Project: Geronimo
          Issue Type: Bug
      Security Level: public (Regular issues)
          Components: Jetty
    Affects Versions: 2.2
            Reporter: David Jencks
            Assignee: David Jencks
             Fix For: 2.2


See JettyContainerImpl.addWebService.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Commented: (GERONIMO-4645) jetty7 ejb web service authentication is turned off

Posted by "David Jencks (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-4645?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12725957#action_12725957 ] 

David Jencks commented on GERONIMO-4645:
----------------------------------------

rev 790050 fixed a lot of the testsuite problems.  For the remaining 2 failures I think the tests should be changed.  The question is whether, if authentication is specified, the authentication should apply to requests for the wsdl or just attempts to use the web service.  I think the attempts to access the wsdl should also require authentication.



[jira] Commented: (GERONIMO-4645) jetty7 ejb web service authentication is turned off

Posted by "David Jencks (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-4645?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12729563#action_12729563 ] 

David Jencks commented on GERONIMO-4645:
----------------------------------------

rev 792824 gets all the testsuite jaxws-ejb-sec tests to pass for me.  Basically this sets stuff up to use jacc for security.

-- uses ejb abstract name for a policyContextID (ejb still gets the policyContextID from its module)
-- uses jacc to enforce UserData constraints and whether auth is required.  No role based permission checks are performed by the web transport layer, this is done only by the ejb security.
-- configuration is now done with properties in the webservice-security element.  The http methods listed are ignored.

getProtiected (default true) -- whether GET requests (presumably for wsdl) are subject to transport guarantees
getSecured (default true unless authMethod NONE) whether GET requests must be authenticated.

I'm going to look into fixing up the tomcat and jetty6 ejb ws security to use the same technique.

Listing only the protected methods and letting the non-protected https methods be, well, unprotected has the practical effect that you can work around the security constraints by using a non-standard http method.  At least cxf distinguishes only between "GET" and "everything else" and pushes all the "everything else" methods to the POST handler.  Since you can't list all the http extension methods it's better to just configure whether GET is secured directly.

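
The method-list gap described in the comment above, modelled as an added example (not Geronimo or CXF code; the class and method names, the sample constraint and the sample request methods are constructed for illustration). It compares a constraint that lists protected HTTP methods with a single "is GET secured" flag, given a dispatcher that sends every non-GET method to the POST handler:

```java
import java.util.List;
import java.util.Set;

// Added illustration; all names here are hypothetical, not Geronimo or CXF code.
public class MethodConstraintDemo {

    // Dispatch as described in the comment: "GET" versus everything else,
    // with everything else handed to the POST handler.
    static String dispatch(String method) {
        return "GET".equals(method) ? "GET handler (wsdl)" : "POST handler (service call)";
    }

    // Listed-method model: only the HTTP methods named in the constraint
    // require authentication; any method not named passes unchecked.
    static boolean authRequiredListed(Set<String> protectedMethods, String method) {
        return protectedMethods.contains(method);
    }

    // GET-flag model: every non-GET request requires authentication,
    // and GET follows the getSecured setting.
    static boolean authRequiredGetFlag(boolean getSecured, String method) {
        return "GET".equals(method) ? getSecured : true;
    }

    // True when a request reaches the service-call handler without authentication.
    static boolean reachesServiceUnauthenticated(boolean authRequired, String method) {
        return !authRequired && !"GET".equals(method);
    }

    public static void main(String[] args) {
        Set<String> listed = Set.of("POST");                               // constructed constraint
        List<String> requests = List.of("GET", "POST", "PROPFIND", "FOO"); // constructed methods
        boolean getSecured = true;                                         // default named in the comment

        for (String m : requests) {
            boolean listedAuth = authRequiredListed(listed, m);
            boolean flagAuth = authRequiredGetFlag(getSecured, m);
            System.out.printf("%-8s -> %-27s listed: auth=%-5b gap=%-5b | get-flag: auth=%-5b gap=%b%n",
                    m, dispatch(m),
                    listedAuth, reachesServiceUnauthenticated(listedAuth, m),
                    flagAuth, reachesServiceUnauthenticated(flagAuth, m));
        }
    }
}
```

The `gap` column is true only under the listed-method model, for the methods that are not in the list but still land in the POST handler.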


[jira] Closed: (GERONIMO-4645) jetty7 ejb web service authentication is turned off

Posted by "David Jencks (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-4645?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Jencks closed GERONIMO-4645.
----------------------------------

    Resolution: Fixed

Seems to be working OK.  Might want to simplify the SOAPHandler interface a bit and remove security from jetty6 or try to figure out how to use jacc there too.



[jira] Closed: (GERONIMO-4645) jetty7 ejb web service authentication is turned off

Posted by "David Jencks (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-4645?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Jencks closed GERONIMO-4645.
----------------------------------

    Resolution: Fixed

Reimplemented the web services security stuff in rev 789622.

Generally this uses more of built-in jetty functionality.  The security stuff is handled in a SecurityHandler subclass, and the web service is called from a ServletHandler subclass.  Also the security checks are done with a WebUserDataPermission object.

My guess is that it would be fairly easy to extend this to allow use of jaspi for ejb web services.



[jira] Commented: (GERONIMO-4645) jetty7 ejb web service authentication is turned off

Posted by "David Jencks (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-4645?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12742750#action_12742750 ] 

David Jencks commented on GERONIMO-4645:
----------------------------------------

rev 803799 used the same idea of using jacc auth in jetty6, allowing us to remove transportGuarantee and protectedMethods from the SOAPHandler interface addWebService method.



[jira] Reopened: (GERONIMO-4645) jetty7 ejb web service authentication is turned off

Posted by "Jarek Gawor (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-4645?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jarek Gawor reopened GERONIMO-4645:
-----------------------------------


David,

This is still not working right. Please run testsuite/webservices-testsuite/jaxws-tests/jaxws-ejb-sec tests (have the server running and just run "mvn install" from within the jaxws-ejb-sec directory). I had to commit some additional fixes (see revision 789931) just for these tests to deploy ok.

