It looks like we have a couple missing bits of ejb webservice:
1. There's no way to force (or allow) a client to log on, although it's
easy to deny them access since they didn't.
2. There's no way to let a client use a client certificate.
From one point of view we have these problems because we aren't
deploying the ejb-ws as servlets in a web app, but rather using a
web-app-context like object registered in the web server for each
ejb-ws. So, one possible solution for jetty would be to copy the logon
code from the security before-after into the JettyEJBWebServiceContext,
leaving out the JACC permission checks but providing custom
configuration for what is expected (i.e. login +- various ssl options).
Anyone have any other ideas?
Should the ?wsdl queries also be subject to security?