unimplemented bits of ejb-webservice security

David Jencks
It looks like we have a couple missing bits of ejb webservice
security...

1. There's no way to force (or allow) a client to log on, although it's
easy to deny them access since they didn't.

2. There's no way to let a client use a client certificate.

From one point of view we have these problems because we aren't
deploying the ejb-ws as servlets in a web app, but rather using a
web-app-context like object registered in the web server for each
ejb-ws. So, one possible solution for jetty would be to copy the logon
code from the security before-after into the JettyEJBWebServiceContext,
leaving out the JACC permission checks but providing custom
configuration for what is expected (i.e. login +- various ssl options).

Anyone have any other ideas?

Should the ?wsdl queries also be subject to security?

Many thanks,
david jencks