[#OPENEJB-981] Specify a list of protected HTTP methods for secure web services

OpenEJB

Specify a list of protected HTTP methods for secure web services

Created: 31/Dec/08 08:10 PM Updated: 06/Jan/09 10:38 PM

Return to search

Component/s:

configuration, deployment, integration, webservices

Affects Version/s:

3.1.1

Fix Version/s:

3.1.1

Time Tracking:

Not Specified

File Attachments:

	File Name	Date Attached	Attached By	Size
	OPENEJB-981.patch	2008-12-31 08:19 PM	Jarek Gawor	4 kB

Resolution Date:

06/Jan/09 10:38 PM

Description

« Hide

For secure web services we would like to specify a list of HTTP methods that should be secured. For example, we would like to secure POST requests but leave GET requests unsecured (for WSDL access). See ~~GERONIMO-4015~~ for a bit more info.

All

Comments

Work Log

Change History

Subversion Commits

Sort Order:

[ Permlink | « Hide ]

Jarek Gawor added a comment - 31/Dec/08 08:19 PM

A patch for openejb-jee module that updates the DD types to add an optional http-method element which can be used to specify a list of HTTP methods that must be secured.
The assumption is that if there are no http-method elements in the DD all HTTP methods are automatically secured.

[ Permlink | « Hide ]

Jacek Laskowski added a comment - 06/Jan/09 03:53 PM

Why is there httpMethod not httpMethods (plural)?

[ Permlink | « Hide ]

Jarek Gawor added a comment - 06/Jan/09 04:02 PM

Because 1) you specify it as multiple elements (not a single one), for example:

<http-method>POST</http-method>
<http-method>GET</http-method>

instead of:

<http-methods>POST GET PUT</http-method>

and 2) it matches the name of the element in the web.xml schema (see http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd) which provides the same type of functionality for servlets, jsps, etc.

[ Permlink | « Hide ]

Jacek Laskowski added a comment - 06/Jan/09 10:38 PM

Patch applied in 732158. Thanks Jarek!