User: cgjung Date: 02/03/15 02:04:24 Modified: jboss.net/docs README.html TODO Log: security for jboss.net has finally arrived (although the corresponding testcases still need to be checked-in). Revision Changes Path 1.8 +25 -2 contrib/jboss.net/docs/README.html Index: README.html =================================================================== RCS file: /cvsroot/jboss/contrib/jboss.net/docs/README.html,v retrieving revision 1.7 retrieving revision 1.8 diff -u -r1.7 -r1.8 --- README.html 12 Mar 2002 11:04:45 -0000 1.7 +++ README.html 15 Mar 2002 10:04:24 -0000 1.8 
@@ -119,6 +119,27 @@ Support for session-based entity bean access and suitable security models is envisaged. </li> +<li class="text"> +For the called web-service to correctly behave in the JBoss container, it is required that +the calling thread (usually taken from the WebServerīs threadpool) is associated with the correct classloader , i.e., +the deployment classloader of the targetted service. For this purpose, we have fixedly installed two handlers +<code>org.jboss.net.axis.SetClassLoaderHandler</code> and +<code>org.jboss.net.axis.ResetClassLoaderHandler</code> in the serverīs http transport chain. The first handler is installed +in the requestFlow and +remembers the old classloader in the messagecontext and associated the thread with the target serviceīs deployment classloader. +The latter is installed in the responseFlow and resets the association to the old loader after a successful call. Upon failure in each flow, +both handlers are able to reset the association. +</li> + +<li class="text"> +Axis and JBoss Security models are connected via the two handlers <code>org.jboss.net.axis.server.JBossAuthenticationHandler</code> and +<code>org.jboss.net.axis.server.JBossAuthorizationHandler</code>. The first one is installed per-default in the http-transport +chain and maps the basic authentication data that has been extracted by a preceeding <code>org.apache.axis.transports.http.HTTPAuthHandler</code> +to a given JBoss security domain (as specified as a JNDI name in the handlers "securityDomain" parameter). The latter handler can +be inserted in the requestFlow of your particular Web-service to mimique a unix-style allow/denied roles authorization scheme (parameter +"securityDomain" as before, parameters "allowedRoles" and "deniedRoles" for controlling access to the +specified web service. See the servers axis-config.xml for that purpose. +</li> </ul> JBoss.net is strongly connected to features of Jboss 3.0 (Rabbit Hole) and hence, 
@@ -208,7 +229,8 @@ (or an equivalent address depending on the configuration of your WebContainer and the RootContext) should return the default "hello" response page of the AxisServlet. -<p class="text">When you start JBoss with the -Daxis.enableListQuery=true option, a <a href="http://localhost:8080/axis/services?list">http://localhost:8080/axis/services?list</a> +<p class="text">When you start JBoss with the -Daxis.enableListQuery=true option (which you usually do not in a security-aware +productive environment), a <a href="http://localhost:8080/axis/services?list">http://localhost:8080/axis/services?list</a> request should return an xml document describing the current configuration of the AxisEngine including the deployed services. The services section should look like: @@ -232,6 +254,7 @@ <handler type="java:org.apache.axis.handlers.http.URLMapper" /> <handler type="java:org.apache.axis.handlers.http.HTTPAuthHandler" /> <handler type="java:org.jboss.net.axis.SetClassLoaderHandler" /> + <handler type="java:org.jboss.net.axis.server.JBossAuthenticationHandler" /> </requestFlow> <responseFlow> <handler type="java:org.jboss.net.axis.ResetClassLoaderHandler" /> @@ -249,7 +272,7 @@ <p class="text">In the <a href="http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/jboss/contrib/jboss.net/testsuite/">JBoss.net testsuite</a>, we have assembled some samples and tests that can serve as an inspiration and source of insight. -You can build and run the testsuite against a runnign jboss server as follows +You can build and run the testsuite against a running jboss server as follows <code> <pre> 1.6 +33 -26 contrib/jboss.net/docs/TODO Index: TODO =================================================================== RCS file: /cvsroot/jboss/contrib/jboss.net/docs/TODO,v retrieving revision 1.5 retrieving revision 1.6 diff -u -r1.5 -r1.6 --- TODO 12 Mar 2002 11:04:45 -0000 1.5 +++ TODO 15 Mar 2002 10:04:24 -0000 1.6 
@@ -1,29 +1,36 @@ -DONE -- AxisService installation, WebContainer invocation. -- Axis logging configuration disabled. -- Axis extension to remember service classloader correctly. -- WSR-file structure and deployment. -- MBeanProvider for Axis. -- JMXConnector basic layout. -- javax.management.ObjectName support. -- Inclusion of .wsr as java-client into .ear, AxisService as java-client deployer in J2eeDeployer. -- Naming Environment correctly set. -- Stateless EJBProvider functionality -- Authentication propagation and security constraints for AxisServlet. -- Integration of Axis-Beta-rc1 and the new WSDD format. +<h3>DONE</h3> +<ul> +<li> AxisService installation, WebContainer invocation.</li> +<li> Axis logging configuration disabled.<li> +<li> Axis extension to remember service classloader correctly.<li> +<li> WSR-file structure and deployment.<li> +<li> MBeanProvider for Axis.<li> +<li> JMXConnector basic layout.<li> +<li> javax.management.ObjectName support.<li> +<li> Inclusion of .wsr as java-client into .ear, AxisService as java-client deployer in J2eeDeployer.<li> +<li> Naming Environment correctly set.<li> +<li> Stateless EJBProvider functionality<li> +<li> Authentication propagation and security constraints for AxisServlet.<li> +<li> Integration of Axis-Beta-rc1 and the new WSDD format.<li> +<li> JBossAuthenticationHandler and JBossAuthorizationHandlers that connect to configurable +JBoss Security Domain Manager. </li> +</ul> -TODO: -- Home methods should be also callable (stateless case). -- SecurityHandler that connects to JBoss Realm. -- MBeanProvider wsdl generation. -- JMX mappings for other complex types, e.g., javax.management.Attribute -- StatefulEJBProvider -- EntityEJBProvider (do we need that anyway?) -- Remote References via Axis/SOAP -- AxisClient deployment -- exception (de-)serialisation -- JMSTransportProvider? +<H3>TODO</h3> +<ul> +<li> Home methods should be also callable (stateless case). </li> +<li> MBeanProvider wsdl generation. 
</li> +<li> JMX mappings for other complex types, e.g., javax.management.Attribute </li> +<li> StatefulEJBProvider </li> +<li> EntityEJBProvider (do we need that anyway?) </li> +<li> Remote References via Axis/SOAP </li> +<li> AxisClient deployment </li> +<li> exception (de-)serialisation </li> +<li> JMSTransportProvider? </li> +</ul> -Bugs: - none currently known. +<h3>Open Bugs</h3> +<ul> +<li>none currently known.</li> +</ul>
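Review bot: In the README.html hunk at -119,6 +119,27, the JBossAuthorizationHandler item names the "allowedRoles" and "deniedRoles" parameters but does not say which one wins when a caller holds a role that appears in both, nor what the handler does when neither parameter is set. For an access-control setting the README should state both, along with the expected format of the role lists. The parenthesis opened at `(parameter "securityDomain" as before` is never closed, and "associated the thread" in the classloader item should read "associates the thread".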
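Review bot: In the README.html hunk at -208,7 +229,8, the new parenthetical on -Daxis.enableListQuery=true advises against the option in a security-aware environment but gives no reason and no default. Suggest saying that the ?list response exposes the AxisEngine configuration including the deployed services, as the next sentence describes, and stating whether the list query is off when the flag is omitted. "productive environment" should read "production environment".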
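Review bot: In the README.html hunk at -232,6 +254,7, the added `<handler type="java:org.jboss.net.axis.server.JBossAuthenticationHandler" />` line is self-closed and carries no parameter, while the text added in the first hunk says the security domain is given as a JNDI name in the handler's "securityDomain" parameter. Either show that parameter in this sample or document which domain applies when it is absent. It is also worth noting next to the sample that the handler must stay after HTTPAuthHandler in the requestFlow, since it maps the data that handler extracts.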
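Review bot: In the TODO hunk (-1,29 +1,36), the DONE entries from "Axis logging configuration disabled." through "Integration of Axis-Beta-rc1 and the new WSDD format." end with `<li>` instead of `</li>`, so each one opens a second, empty list item; the TODO heading is also opened as `<H3>` and closed as `</h3>`. The commit log says the security testcases still need to be checked in, but the new TODO list has no entry for them. Suggest adding one so the authentication and authorization handlers are not recorded as DONE without a tracked follow-up.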
_______________________________________________ Jboss-development mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/jboss-development