Hi guys,

Just a quick summary of the last fixes we worked on with Jonathan regarding the
security for the ejbd/http client:

- we have already had the authorization parameter in the provider url for months
(years now?). It was not removed from the url, so the user needed to
exclude some urls from the access log if it was a security concern; this is
now done/safe
- we added basic.username and basic.password as a shortcut for basic auth,
which just feed the authorization header
- we can now customize the authorization header (authorizationHeader param)

All these url query parameters are stripped before doing the actual http
request, for the reason mentioned in the first point.

Another nice feature is the ability to cipher the properties passed to the
initial context, either in a custom manner, by giving the context a
JNDIContext.Decipher implementation, or by relying on tomee ciphering (like for
resources) if your client is in tomee.

David pointed out that if you mix it with multicast you will pass the url
value in clear between instances. I think it is good enough because multicast is
not that used and is only safe in a secured (firewalled) DMZ anyway. Worst
case, we could cipher the urls as well in the multicasting.

wdyt?

Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<https://blog-rmannibucau.rhcloud.com> | Old Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory
<https://javaeefactory-rmannibucau.rhcloud.com>
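As an added example, not code from TomEE or from this thread: a small Java helper showing the client-side stripping described above, removing the four security parameters from the provider url before it is used and turning basic.username/basic.password into the header value (the class and method names and the sample url are assumptions; it needs Java 10+ for URLDecoder.decode(String, Charset)).

```java
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.util.*;

/** Added example: strips credential-bearing query parameters from an ejbd/http provider URL. */
public final class ProviderUrlSanitizer {
    /** The URL that may be logged or sent, plus the header that carries the credentials instead. */
    public static final class Sanitized {
        public final String url;
        public final Map<String, String> headers;
        Sanitized(String url, Map<String, String> headers) { this.url = url; this.headers = headers; }
    }

    public static Sanitized sanitize(String providerUrl) throws URISyntaxException {
        URI uri = new URI(providerUrl);
        Map<String, String> params = new LinkedHashMap<>();
        if (uri.getRawQuery() != null) {
            for (String pair : uri.getRawQuery().split("&")) {
                int eq = pair.indexOf('=');
                String k = eq < 0 ? pair : pair.substring(0, eq);
                String v = eq < 0 ? "" : pair.substring(eq + 1);
                params.put(URLDecoder.decode(k, StandardCharsets.UTF_8), URLDecoder.decode(v, StandardCharsets.UTF_8));
            }
        }
        // Remove the four security parameters so they never reach the request line or the access log.
        String authorization = params.remove("authorization");
        String user = params.remove("basic.username");
        String pass = params.remove("basic.password");
        String headerName = params.remove("authorizationHeader");
        if (user != null && pass != null) { // basic.* is a shortcut that fills the authorization value
            authorization = "Basic " + Base64.getEncoder()
                .encodeToString((user + ":" + pass).getBytes(StandardCharsets.UTF_8));
        }
        Map<String, String> headers = new LinkedHashMap<>();
        if (authorization != null) headers.put(headerName == null ? "Authorization" : headerName, authorization);
        // Rebuild the URL from the remaining, non-sensitive parameters only.
        StringJoiner query = new StringJoiner("&");
        params.forEach((k, v) -> query.add(URLEncoder.encode(k, StandardCharsets.UTF_8)
            + "=" + URLEncoder.encode(v, StandardCharsets.UTF_8)));
        String url = uri.getScheme() + "://" + uri.getRawAuthority() + uri.getRawPath()
            + (params.isEmpty() ? "" : "?" + query);
        return new Sanitized(url, headers);
    }

    public static void main(String[] args) throws URISyntaxException {
        Sanitized s = sanitize("http://localhost:8080/tomee/ejb?basic.username=alice"  // constructed sample url
            + "&basic.password=s3cret&authorizationHeader=X-Auth&connectTimeout=5000");
        System.out.println(s.url + " " + s.headers);
    }
}
```

The printed url keeps only connectTimeout, while the credentials end up solely in the X-Auth header map, which is what keeps them out of the server's access log.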
