some day I'll learn to read :-)  ... that's right in jarek's quote.
thanks
david jencks
On Mar 6, 2007, at 6:45 PM, Davanum Srinivas wrote:

And the targetname is "publishEndpoint" according to the
WebServicePermission javadoc.

thanks,
-- dims

On 3/6/07, David Jencks <[EMAIL PROTECTED]> wrote:

On Mar 6, 2007, at 6:19 PM, Jarek Gawor wrote:

> For JAX-WS services we need to check/enforce the WebServicePermission
> while publishing JAX-WS endpoints. Here's what the JAX-WS 2.0 spec
> says (section 5.2.3):
>
> "Conformance (Checking publishEndpoint Permission): When any of the
> publish methods defined by the Endpoint class are invoked, an
> implementation MUST check whether a SecurityManager is installed with
> the application. If it is, implementations MUST verify that the
> application has the WebServicePermission identified by the target name > publishEndpoint before proceeding. If the permission is not granted,
> implementations MUST NOT publish the endpoint and they MUST throw a
> java.lang.SecurityException."
>
> So I think this is pretty clear how the check should be done and
> where. That is, using SecurityManager API and within the CXF or Axis2
> Endpoint class when one of the publish methods is called.
>
> Now, the JSR109 spec (section 5.3.3) says:
>
> "JAX-WS provides functionality for creating and publishing Web Service
> endpoints dynamically using javax.xml.ws.Endpoint API. The use of this
> functionality is considered non-portable in a managed environment. It
> is required that both the Servlet and the EJB container disallow the
> publishing of the Endpoint dynamically, by not granting the
> publishEndpoint security permission. Please refer to details on this
> in Section 5.2 of the JAX-WS specification."
>
> So that permission needs to be enforced in G. How do I configure
> things so that this permission is enforced or what do I need to do to
> enforce it?
>
According to the SecurityManager javadoc the default implementation
of securityManager.checkPermission is to call
AccessController.checkPermission().  So I'd suggest that if the
cxf/axis2 code was

SecurityManager sm = System.getSecurityManager();
if (sm != null) {
     sm.checkPermission(new WebServicePermission(targetName));
} else {
     AccessController.checkPermission(new WebServicePermission(targetName));
}

then we will have fulfilled the jaxws spec (if there is a security
manager installed we ask its permission)
and the jsr109 spec (AccessController won't grant this permission, or
we can make our jacc implementation deny it if necessary)

and we won't have to install a security manager.

thanks
david jencks





> Thanks,
> Jarek




--
Davanum Srinivas :: http://wso2.org/ :: Oxygen for Web Services Developers
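
An added example, not part of the original thread and not CXF, Axis2 or Geronimo code: the check proposed above, plus a demonstration that a context lacking publishEndpoint is refused while one holding it passes. WebServicePermission here is a local stand-in for javax.xml.ws.WebServicePermission, contextWith and mayPublish are hypothetical helpers, and a Java 8 to 17 runtime (where SecurityManager and AccessController still function) is assumed.

```java
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.BasicPermission;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

// Local stand-in for javax.xml.ws.WebServicePermission (assumption: JAX-WS API jar not on the classpath).
final class WebServicePermission extends BasicPermission {
    WebServicePermission(String name) { super(name); }
}

public class PublishCheckDemo {
    static final Permission PUBLISH = new WebServicePermission("publishEndpoint");

    // The check proposed in the thread: SecurityManager if installed, else AccessController.
    static void checkPublishPermission() {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(PUBLISH);
        } else {
            AccessController.checkPermission(PUBLISH);
        }
    }

    // Hypothetical helper: a context whose only protection domain holds exactly these permissions.
    static AccessControlContext contextWith(Permission... granted) {
        Permissions perms = new Permissions();
        for (Permission p : granted) perms.add(p);
        CodeSource cs = new CodeSource(null, (Certificate[]) null);
        return new AccessControlContext(new ProtectionDomain[] { new ProtectionDomain(cs, perms) });
    }

    // Hypothetical helper: true if code running in this context would be allowed to publish.
    static boolean mayPublish(AccessControlContext acc) {
        try { acc.checkPermission(PUBLISH); return true; }
        catch (AccessControlException e) { return false; }
    }

    public static void main(String[] args) {
        System.out.println("context without the grant: " + mayPublish(contextWith()));
        System.out.println("context with the grant:    " + mayPublish(contextWith(PUBLISH)));
        try { checkPublishPermission(); System.out.println("calling code: allowed"); }
        catch (SecurityException e) { System.out.println("calling code: " + e.getMessage()); }
        // The last result depends on the Policy in effect for this class's protection domain.
    }
}
```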
