Issue Details (XML | Word | Printable)

Key: OPENEJB-981
Type: Improvement Improvement
Status: Resolved Resolved
Resolution: Fixed
Priority: Major Major
Assignee: Jarek Gawor
Reporter: Jarek Gawor
Votes: 0
Watchers: 0
Operations

If you were logged in you would be able to see more operations.
OpenEJB

Specify a list of protected HTTP methods for secure web services

Created: 31/Dec/08 08:10 PM   Updated: 06/Jan/09 10:38 PM
Return to search
Component/s: configuration, deployment, integration, webservices
Affects Version/s: 3.1.1
Fix Version/s: 3.1.1

Time Tracking:
Not Specified

File Attachments:
  File Name Date Attached Attached By Size
Text File Licensed for inclusion in ASF works OPENEJB-981.patch 2008-12-31 08:19 PM Jarek Gawor 4 kB

Resolution Date: 06/Jan/09 10:38 PM


 Description  « Hide
For secure web services we would like to specify a list of HTTP methods that should be secured. For example, we would like to secure POST requests but leave GET requests unsecured (for WSDL access). See GERONIMO-4015 for a bit more info.

 All   Comments   Work Log   Change History   Subversion Commits      Sort Order: Ascending order - Click to sort in descending order
[ Permlink | « Hide ]
Jarek Gawor added a comment - 31/Dec/08 08:19 PM
A patch for openejb-jee module that updates the DD types to add an optional http-method element which can be used to specify a list of HTTP methods that must be secured.
The assumption is that if there are no http-method elements in the DD all HTTP methods are automatically secured.


Jarek Gawor made changes - 31/Dec/08 08:19 PM
Field Original Value New Value
Attachment OPENEJB-981.patch [ 12396982 ]
Jacek Laskowski made changes - 06/Jan/09 03:53 PM
Assignee Jacek Laskowski [ jlaskowski ]
[ Permlink | « Hide ]
Jacek Laskowski added a comment - 06/Jan/09 03:53 PM
Why is there httpMethod not httpMethods (plural)?

[ Permlink | « Hide ]
Jarek Gawor added a comment - 06/Jan/09 04:02 PM
Because 1) you specify it as multiple elements (not a single one), for example:

<http-method>POST</http-method>
<http-method>GET</http-method>

instead of:

<http-methods>POST GET PUT</http-method>

and 2) it matches the name of the element in the web.xml schema (see http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd) which provides the same type of functionality for servlets, jsps, etc.



Repository Revision Date User Message
ASF #732158 Tue Jan 06 22:37:23 UTC 2009 jlaskowski OPENEJB-981 Specify a list of protected HTTP methods for secure web services
Files Changed
MODIFY /openejb/trunk/openejb3/container/openejb-jee/src/main/java/org/apache/openejb/jee/oejb2/WebServiceSecurityType.java
MODIFY /openejb/trunk/openejb3/container/openejb-jee/src/main/java/org/apache/openejb/jee/oejb2/WebServiceBindingType.java

[ Permlink | « Hide ]
Jacek Laskowski added a comment - 06/Jan/09 10:38 PM
Patch applied in 732158. Thanks Jarek!

Jacek Laskowski made changes - 06/Jan/09 10:38 PM
Resolution Fixed [ 1 ]
Fix Version/s 3.1.1 [ 12313484 ]
Assignee Jacek Laskowski [ jlaskowski ] Jarek Gawor [ gawor@mcs.anl.gov ]
Status Open [ 1 ] Resolved [ 5 ]

Powered by a free Atlassian JIRA open source license for Apache Software Foundation. Try JIRA - bug tracking software for your team.
Atlassian JIRA the Professional Issue Tracker. (Enterprise Edition, Version: 3.13.2-#335) - Bug/feature request - Atlassian news - Contact Administrators