Posted to commits@tomee.apache.org by "Alex the Rocker (JIRA)" <ji...@apache.org> on 2012/09/21 07:46:08 UTC

[jira] [Created] (TOMEE-423) Move TomEE's transport out of the tomee's management UI web app

Alex the Rocker created TOMEE-423:
-------------------------------------

             Summary: Move TomEE's transport out of the tomee's management UI web app
                 Key: TOMEE-423
                 URL: https://issues.apache.org/jira/browse/TOMEE-423
             Project: TomEE
          Issue Type: Improvement
    Affects Versions: 1.0.0, 1.5.0
            Reporter: Alex the Rocker


As a measure of security hardening, people want to delete the application server's management UI to prevent remote access to it, especially for app servers exposed to Internet access.

The problem with removing tomee from the webapps directory is that it contains EE features such as an EJB transport.

This JIRA is to request a separation of TomEE transport features from the TomEE management web app, so that this latter web app can be safely deleted without risking any regression for web applications' run-time features.

Apache Tomcat supports this process, so it can be a showstopper for organizations considering a move from Tomcat to TomEE.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Commented] (TOMEE-423) Move TomEE's transport out of the tomee's management UI web app

Posted by "Romain Manni-Bucau (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TOMEE-423?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13460417#comment-13460417 ] 

Romain Manni-Bucau commented on TOMEE-423:
------------------------------------------

I'll add a doc page on the servlet but I think we can't remove it by default. Since TomEE webapp is exploded it should be a drawback. I'll have a look to add an init param activated true/false too (activated by default) which could ease it too.

Does it sound fine to you?
                

[jira] [Commented] (TOMEE-423) Move TomEE's transport out of the tomee's management UI web app

Posted by "Alex the Rocker (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TOMEE-423?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13460407#comment-13460407 ] 

Alex the Rocker commented on TOMEE-423:
---------------------------------------

I feel comfortable with the 1st option: the EJB transport servlet should be documented, so that it could be activated on a per-case basis (and the security aspect of it could be homogeneous with the one of the web app using this servlet).

Is it possible?


                

[jira] [Commented] (TOMEE-423) Move TomEE's transport out of the tomee's management UI web app

Posted by "Romain Manni-Bucau (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TOMEE-423?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13460376#comment-13460376 ] 

Romain Manni-Bucau commented on TOMEE-423:
------------------------------------------

I got the idea.

First, transport of remote EJBs is currently vendor dependent (typically the provider URL is here for it).

Then the point is what do you expect as config? You'll need to provide a context name + a path + (if mandatory) security.

The question is now what is expected as action for this issue:
1) just document the servlet
2) create a context for transport -> please try to show us the conf you expect
3) other

Thanks!
                

[jira] [Commented] (TOMEE-423) Move TomEE's transport out of the tomee's management UI web app

Posted by "Romain Manni-Bucau (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TOMEE-423?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13460421#comment-13460421 ] 

Romain Manni-Bucau commented on TOMEE-423:
------------------------------------------

Here is the doc: http://openejb.apache.org/ejbd-transport.html
                

[jira] [Commented] (TOMEE-423) Move TomEE's transport out of the tomee's management UI web app

Posted by "Alex the Rocker (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TOMEE-423?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13460362#comment-13460362 ] 

Alex the Rocker commented on TOMEE-423:
---------------------------------------

Hi,

The expected behaviour when the tomee web app is removed is that everything that is part of Java EE 6 (except for admin features) works.
If EJB transport over HTTP is part of Java EE 6, then removing tomee web app (which mainly contains the admin UI) shouldn't break this feature.

Is it clearer?

                

[jira] [Commented] (TOMEE-423) Move TomEE's transport out of the tomee's management UI web app

Posted by "Romain Manni-Bucau (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TOMEE-423?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13460349#comment-13460349 ] 

Romain Manni-Bucau commented on TOMEE-423:
------------------------------------------

Hi,

Currently the transport is done through a servlet, so all that is needed is:

    <servlet>
        <servlet-name>ServerServlet</servlet-name>
        <servlet-class>org.apache.openejb.server.httpd.ServerServlet</servlet-class>
    </servlet>

    <servlet-mapping>
        <servlet-name>ServerServlet</servlet-name>
        <url-pattern>/ejb/*</url-pattern>
    </servlet-mapping>

Then use the URL to /ejb as provider URL.

By default I think we can't remove it (it is too common and easy) so I think we should about what you would expect removing tomee webapp, should it still work?

If yes we can add this servlet to a custom webcontext but you'll need configuration:
1) context name
2) servlet path

And if you think about security:
3) security on the servlet

So it sounds to me it seems easier to remove the tomee webapp then add a fake webapp with only this servlet defined in web.xml and the security you want, or to add this servlet in web.xml of your own webapp.

What do you think? In fact not sure what is expected once the webapp is removed, can you detail please?
                
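
Added example, not part of the original thread or of TomEE's own code: a small check for the "fake webapp with only this servlet and the security you want" option discussed above. It reports any url-pattern that reaches the transport servlet without an auth-constraint. The sample web.xml is constructed, and the role name "ejb-client" and the function name are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Servlet class quoted in the thread above.
TRANSPORT_CLASS = "org.apache.openejb.server.httpd.ServerServlet"

# Constructed sample web.xml: the thread's servlet plus standard Servlet-spec
# security elements. The role name "ejb-client" is hypothetical.
HARDENED = """<web-app>
  <servlet>
    <servlet-name>ServerServlet</servlet-name>
    <servlet-class>org.apache.openejb.server.httpd.ServerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>ServerServlet</servlet-name>
    <url-pattern>/ejb/*</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>ejb-transport</web-resource-name>
      <url-pattern>/ejb/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>ejb-client</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>ejb-client</role-name></security-role>
</web-app>"""

def unprotected_transport_patterns(web_xml):
    """Return url-patterns that reach the transport servlet with no auth-constraint.
    Patterns are compared literally, not with full Servlet-spec path matching."""
    root = ET.fromstring(web_xml)
    for el in root.iter():  # drop any XML namespace so plain tag names match
        el.tag = el.tag.split("}", 1)[-1]
    names = {s.findtext("servlet-name") for s in root.iter("servlet")
             if (s.findtext("servlet-class") or "").strip() == TRANSPORT_CLASS}
    exposed = {p.text.strip() for m in root.iter("servlet-mapping")
               if m.findtext("servlet-name") in names
               for p in m.findall("url-pattern")}
    protected = {p.text.strip() for c in root.iter("security-constraint")
                 if c.find("auth-constraint") is not None
                 for p in c.findall("web-resource-collection/url-pattern")}
    return sorted(exposed - protected)

if __name__ == "__main__":
    # The thread's fragment alone (constraint removed) versus the hardened form.
    bare = HARDENED.split("<security-constraint>")[0] + "</web-app>"
    print("bare:", unprotected_transport_patterns(bare))
    print("hardened:", unprotected_transport_patterns(HARDENED))
```

A constraint whose web-resource-collection lists `<http-method>` elements only covers those methods; this check does not inspect them.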