Been thinking about this and one solution might be to:
1. In the ActionPipelineProcessor we check the actions attribute 'webservice'. If
it is true we disable security in the action pipeline and don't perform any security
processing. In this case we delegate security to the container.
2. We add a 'securityDomain' attribute to the service element which would apply
only when the 'webservice' attribute is true.
During deployment we use this 'securityDomain' value to set the securityDomain for
the war. There is one issue here as mentioned above:
* If there is an http_provider configured it might already have specified a security
domain which we will be overriding upon deployment, it might also be
the other way around but the effect is the same. This would throw an exception saying
that the authentication domain has already been set.
We would need to document this fact and make sure users understand that there is a
single web application for every jboss-esb.xml.
Downsides:
1. It might not be obvious by reading the configuration that the same security domain is
used by both the http provider and the service
2. Even though you can specify a 'securityDomain' attribute for every service in
your jboss-esb.xml they all have to be the same
3. Security can be bypassed by using a ServiceInvoker to call the service directly.
Another option might be to have a global configuration for the security domain that
applies to the whole jboss-esb.xml. This would then be used for all http providers and all
services. This would be a change from what is currently there where you can have different
security domains (moduleNames) for different services in your jboss-esb.xml file.
Any thoughts on this?
Regards,
/Daniel
View the original post :
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4257533#...
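
A pre-deployment check for the conflict described in the post, as an added example (not code from the post or from JBoss ESB): because one jboss-esb.xml yields a single web application, it flags a file that asks for more than one security domain. The 'securityDomain' attribute on the service element is the post's proposal; the `<auth domain="...">` child of the http provider, the function names and the sample XML are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real deployment. 'securityDomain' on <service> is the
# attribute proposed in the post; <auth domain="..."> under <http-provider> is an
# assumed location for the provider's security domain.
SAMPLE = """\
<jbossesb>
  <http-provider name="http"><auth method="BASIC" domain="java:/jaas/esb-http"/></http-provider>
  <service name="Orders" securityDomain="java:/jaas/esb-ws"><actions webservice="true"/></service>
  <service name="Billing" securityDomain="java:/jaas/esb-http"><actions webservice="true"/></service>
  <service name="Internal" securityDomain="java:/jaas/other"><actions webservice="false"/></service>
</jbossesb>
"""

def local(tag):
    """Strip an XML namespace so the check works with or without one."""
    return tag.rsplit("}", 1)[-1]

def collect_domains(xml_text):
    """Map each security domain to the config elements that request it for the war."""
    domains = {}
    for el in ET.fromstring(xml_text).iter():
        name = local(el.tag)
        if name == "http-provider":
            for child in el:
                if local(child.tag) == "auth" and child.get("domain"):
                    domains.setdefault(child.get("domain"), []).append(
                        "http-provider:" + el.get("name", "?"))
        elif name == "service" and el.get("securityDomain"):
            # The proposed attribute applies only when 'webservice' is true.
            actions = [c for c in el if local(c.tag) == "actions"]
            if any(a.get("webservice", "").lower() == "true" for a in actions):
                domains.setdefault(el.get("securityDomain"), []).append(
                    "service:" + el.get("name", "?"))
    return domains

def check_single_domain(xml_text):
    """Return (ok, domains); ok is False when the one war would get several domains."""
    domains = collect_domains(xml_text)
    return len(domains) <= 1, domains

if __name__ == "__main__":
    ok, found = check_single_domain(SAMPLE)
    for domain, users in sorted(found.items()):
        print(domain, "<-", ", ".join(users))
    print("OK" if ok else "CONFLICT: one web application, several security domains")
```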