[jboss-cvs] JBossAS SVN: r88993 - in projects/docs/enterprise/4.3.5: readme/en-US and 1 other directory.

jboss-cvs-commits at lists.jboss.org jboss-cvs-commits at lists.jboss.org
Mon May 18 01:10:02 EDT 2009


Author: irooskov at redhat.com
Date: 2009-05-18 01:10:00 -0400 (Mon, 18 May 2009)
New Revision: 88993

Modified:
   projects/docs/enterprise/4.3.5/Server_Configuration_Guide/en-US/Web_Services.xml
   projects/docs/enterprise/4.3.5/readme/en-US/Release_Notes_CP05.xml
Log:
updated release notes with new JIRA and Server Config Guide with JBPAPP-2011 fix


Modified: projects/docs/enterprise/4.3.5/Server_Configuration_Guide/en-US/Web_Services.xml
===================================================================
--- projects/docs/enterprise/4.3.5/Server_Configuration_Guide/en-US/Web_Services.xml	2009-05-18 04:30:32 UTC (rev 88992)
+++ projects/docs/enterprise/4.3.5/Server_Configuration_Guide/en-US/Web_Services.xml	2009-05-18 05:10:00 UTC (rev 88993)
@@ -346,7 +346,76 @@
 			Note, Service.Mode.PAYLOAD is the default and does not have to be declared explicitly. You can also use Service.Mode.MESSAGE to access the entire SOAP message (i.e. with MESSAGE the Provider can also see SOAP Headers)
 		</para>
 	</section>
-	
+	<section id="Server_Configuration_Guide-Web_Services-POJO_Endpoint_Authentication_and_Authorization">
+		<title>POJO Endpoint Authentication and Authorization</title>
+		<para>
+			In general the credentials obtained by WS-Security are only used for EJB endpoints or for POJO endpoints when they make a call to another secured resource, it is now possible to enable authentication and authorization checking for POJO endpoints. (This should not be enabled for EJB based endpoints as the EJB container will still take care of the security requirements of the deployed bean). 
+		</para>
+		<important>
+			<para>
+				These instructions assume WS-Security has already been enabled, these instructions describe the additional configuration required to enable authentication and authorization for POJO endpoints.
+			</para>
+		</important>
+		<para>
+			The <filename>.war</filename> containing the POJO endpoint needs to have a security domain defined, this is achieved by defining a <property>security-domain</property> in the <filename>jboss-web</filename> deployment descriptor within the <filename>WEB-INF</filename> folder. 
+		</para>
+<programlisting>
+&lt;jboss-web&gt;
+	&lt;security-domain&gt;java:/jaas/JBossWS&lt;/security-domain&gt;
+&lt;/jboss-web&gt;
+</programlisting>
+		<para>
+			The remainder of the configuration to enable authentication and authorization is undertaken within the <filename>jboss-wsse-server.xml</filename> deployment descriptor. 
+		</para>
+		<para>
+			To enable the POJO authentication and authorization a new <property>authorization</property> element needs to be added to the appropriate <property>config</property> element within the descriptor.
+		</para>
+<programlisting>
+&lt;jboss-ws-security>	
+	&lt;config&gt;
+		&lt;authorize&gt;
+			&lt;!-- Must contain either &lt;unchecked/&gt; or one or more &lt;role&gt;RoleName&lt;/role&gt; definitions. --&gt;
+		&lt;/authorize&gt;
+	&lt;/config&gt;
+&lt;/jboss-ws-security&gt;
+</programlisting>
+		<para>
+			The <property>config</property> element can be defined globally and be port specific or even operation specific. 
+		</para>
+		<para>
+			The authorize element must contain either the <property>unchecked</property> element or one or more <property>RoleName</property> role elements. 
+		</para>
+<programlisting>
+&lt;jboss-ws-security&gt;
+	&lt;config&gt;
+		&lt;authorize&gt;
+			&lt;unchecked/&gt;
+		&lt;/authorize&gt;
+	&lt;/config&gt;
+&lt;/jboss-ws-security&gt;
+</programlisting>
+		<para>
+			The above example has the <property>unchecked</property> element defined, this means that the authentication step will be performed to validate the users username and credential but no further role checking will take place. If the users username and credential are invalid then the request will be rejected otherwise the request will be allowed to proceed. 
+		</para>
+<programlisting>
+&lt;jboss-ws-security&gt;
+	&lt;config&gt;
+		&lt;authorize&gt;
+			&lt;role&gt;friend&lt;/role&gt;
+			&lt;role&gt;family&lt;/role&gt;
+		&lt;/authorize&gt;
+	&lt;/config&gt;
+&lt;/jboss-ws-security&gt;
+</programlisting>
+		<para>
+			This second example has two roles defined, as before the user will be authenticated using their username and credential and they will then be checked to ensure that they have been assigned at least one of the roles of <property>friend</property> or <property>family</property>.
+		</para>
+		<note>
+			<para>
+				Authentication and authorization will still proceed even if no username and password or certificate was provided in the request message. In this scenario authentication may proceed if the login module of the security domain has been configured with an anonymous identity.
+			</para>
+		</note>
+	</section>
 	<section id="Server_Configuration_Guide-Web_Services-WebServiceContext">
 		<title>WebServiceContext</title>
 		<para>
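Review bot: the paragraph before the second listing calls the new element "authorization", but every listing and the later paragraph use "authorize"; the prose should use the name a reader has to type. In that same listing the opening tag is written "&lt;jboss-ws-security>" with an unescaped ">" while every other tag uses "&gt;". The phrase "one or more RoleName role elements" reads as if the element were called RoleName; "one or more role elements" matches the listing. The closing note is the most security-relevant statement in the section: read together with the "unchecked" example, a request carrying no username, password or certificate can be accepted with no role check when the login module has an anonymous identity. Consider stating that consequence next to the "unchecked" listing and raising the note to the same "important" level as the one above.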

Modified: projects/docs/enterprise/4.3.5/readme/en-US/Release_Notes_CP05.xml
===================================================================
--- projects/docs/enterprise/4.3.5/readme/en-US/Release_Notes_CP05.xml	2009-05-18 04:30:32 UTC (rev 88992)
+++ projects/docs/enterprise/4.3.5/readme/en-US/Release_Notes_CP05.xml	2009-05-18 05:10:00 UTC (rev 88993)
@@ -363,7 +363,7 @@
 		<para>
 			Following is a list of issues fixed in this release:
 		</para>
-		<formalpara>
+	<!--	<formalpara>
 			<title>JBoss Messaging</title>
 			<para>
 			<itemizedlist>
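Review bot: the "<!--" opened on the formalpara line here is closed only in the next hunk, and the same pattern disables the JBoss Remoting, JBoss Seam and Security Issues sections, yet the log message mentions only the new JIRA and the JBPAPP-2011 documentation. Please say in the log why these sections are being hidden, or delete them if they do not apply to this release. XML comments cannot nest or contain "--", and the Hibernate section already has a "<!--	<listitem>" comment, so check that the lines between each new open and close contain no existing comment. The added "<!--" lines also start with one tab where the removed lines had two.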
@@ -374,7 +374,7 @@
 				</listitem>
 			</itemizedlist>
 			</para>
-		</formalpara>
+		</formalpara> -->
 		<formalpara>
 			<title>JBoss Cache</title>
 			<para>
@@ -392,7 +392,7 @@
 				</itemizedlist>
 			</para>
 		</formalpara>
-		<formalpara>
+	<!--	<formalpara>
 			<title>JBoss Remoting</title>
 			<para>
 				<itemizedlist>
@@ -403,7 +403,7 @@
 					</listitem>
 				</itemizedlist> 
 			</para>
-		</formalpara>
+		</formalpara> -->
 		<formalpara>
 			<title>JBoss Web</title>
 				<para>
@@ -422,13 +422,75 @@
 				<itemizedlist>
 					<listitem>
 						<para>
-							<ulink url="http://jira.jboss.com/jira/browse/JBPAPP-829">JBPAPP-829</ulink>:
+							<ulink url="http://jira.jboss.com/jira/browse/JBPAPP-829">JBPAPP-829</ulink>: Authentication and authorization needed to be added for POJO endpoints where credentials are supplied using Web Services Security. In order to rectify this issue the following list of files were updated or added as specified:
 						</para>
+						<itemizedlist>
+							<listitem>
+								<para>
+									<filename>ReceiveUsernameOperation.java</filename> was updated with the removal of the operations for the <classname>Logger</classname> to aquire information about the <varname>username</varname> and <varname>password</varname> of the current <varname>user</varname> variable value.
+								</para>
+							</listitem>
+							<listitem>
+								<para>
+									<filename>WSSecurityOMFactory.java</filename> was updated with new methods for parsing characters and elements as well as the public method <methodname>setValue</methodname> which passes a <varname>value</varname> to the <methodname>role.setName</methodname> method and a test if authorization is necessary for the current <varname>localName</varname>.
+								</para>
+							</listitem>
+							<listitem>
+								<para>
+									<filename>Config.java</filename> has been updated to include a private <varname>Authorize</varname> class as well as the public methods <methodname>getAuthorize()</methodname> and <methodname>setAuthorize()</methodname>.
+								</para>
+							</listitem>
+							<listitem>
+								<para>
+									<filename>AuthorizeOperation.java</filename> has been added to authenticate and check the authorisation of the current user.
+								</para>
+							</listitem>
+							<listitem>
+								<para>
+									<filename>SecurityDecoder.java</filename> has been updated to also use the new classes <classname>Authorize</classname> and <classname>AuthorizeOperation</classname>.
+								</para>
+							</listitem>
+							<listitem>
+								<para>
+									<filename>ClientImpl.java</filename> has been updated to include a value of <property>false</property> as the last property of the new <classname>HandlerChainExecutor</classname> being created.
+								</para>
+							</listitem>
+							<listitem>
+								<para>
+									<filename>HandlerChainExecutor.java</filename> has been updated in order to determine specific client side conformance requirements.
+								</para>
+							</listitem>
+							<listitem>
+								<para>
+									<filename>Role.java</filename> has been added in order to provide a role in the program which is authorized to call an endpoint.
+								</para>
+							</listitem>
+							<listitem>
+								<para>
+									<filename>Authorize.java</filename> has been added in order to ensure that a user is authorized to call the endpoint.
+								</para>
+							</listitem>
+							<listitem>
+								<para>
+									<filename>WSSecurityDispatcher.java</filename> has been updated to remove the <classname>SecurityStore</classname> creater and now include private methods to decode the header and test authorization.
+								</para>
+							</listitem>
+							<listitem>
+								<para>
+									<filename>DispatchImpl.java</filename> has been updated to include a value of <property>false</property> as the last property of the new <classname>HandlerChainExecutor</classname> being created.
+								</para>
+							</listitem>
+							<listitem>
+								<para>
+									<filename>HandlerDelegateJAXWS.java</filename> has been updated to include a value of <property>false</property> as the last property of the new <classname>HandlerChainExecutor</classname> being created.
+								</para>
+							</listitem>
+						</itemizedlist>
 					</listitem>
 				</itemizedlist> 
 			</para>
 		</formalpara> 
-		<formalpara>
+	<!--	<formalpara>
 			<title>JBoss Seam</title>
 			<para>
 				<itemizedlist>
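Review bot: the ReceiveUsernameOperation.java entry ("removal of the operations for the Logger to aquire information about the username and password") does not say plainly whether usernames and passwords were written to the log before this change; if they were, state that directly, because administrators will want to review existing log files. Spelling: "aquire", "creater", and "authorisation" beside "authorization" elsewhere in the same list. Authorize is described as a private class in Config.java and also as the new file Authorize.java, tagged once as varname and once as classname; one description should be corrected. The three identical entries for ClientImpl.java, DispatchImpl.java and HandlerDelegateJAXWS.java could be merged into one, and none of them says what the "false" value controls.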
@@ -439,7 +501,7 @@
 					</listitem>
 				</itemizedlist>
 			</para>
-		</formalpara>
+		</formalpara> -->
 		<formalpara>
 			<title>JBoss Hibernate</title>
 			<para>
@@ -490,9 +552,8 @@
 					</listitem>
 					<listitem>
 						<para>
-							<para>
-								<ulink url="http://jira.jboss.com/jira/browse/JBPAPP-1081">JBPAPP-1081</ulink>: In the Entity Manager documentation it is stated that table aliases are supported in <code>update</code> clauses, however using table alias' in an update query causes a program failure. In order to correct this the  <filename>QueryTest.java</filename> file has been updated with the removal for the allowance of table alias'.
-							</para>
+							<ulink url="http://jira.jboss.com/jira/browse/JBPAPP-1081">JBPAPP-1081</ulink>: In the Entity Manager documentation it is stated that table aliases are supported in <code>update</code> clauses, however using table alias' in an update query causes a program failure. In order to correct this the  <filename>QueryTest.java</filename> file has been updated with the removal for the allowance of table alias'.
+						</para>
 					</listitem>
 				<!--	<listitem>
 						<para>
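Review bot: the re-added JBPAPP-1081 line still has "table alias'" twice and a double space before the filename element; since the line is being rewritten to fix the nested para, use "table aliases" and "removal of the allowance for table aliases". The entry names only QueryTest.java as the change made to correct a runtime failure; it would help to say whether the behaviour changed or only the test and the documented claim.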
@@ -534,7 +595,7 @@
 				</itemizedlist>
 			</para>
 		</formalpara>
-		<formalpara>
+	<!--	<formalpara>
 			<title>Security Issues</title>
 			<para>
 				<itemizedlist>
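Review bot: commenting out the Security Issues formalpara here removes the list of security fixes from the published release notes, and the log message gives no reason. If this CP has no security fixes, delete the section or replace it with a sentence saying so; if it has, the section should stay visible, since this is the list readers use to decide how urgently to apply the patch.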
@@ -545,13 +606,18 @@
 					</listitem>
 				</itemizedlist>
 			</para>
-		</formalpara>
+		</formalpara> -->
 		<formalpara>
 			<title>Documentation</title>
 			<para>
 				<itemizedlist>
 					<listitem>
 						<para>
+							<ulink url="http://jira.jboss.com/jira/browse/JBPAPP-2011">JBPAPP-2011</ulink>: Documentation which explains how to achieve POJO Endpoint authentication in this latest CP release, has been incorporated into the <filename>Server Configuaration Guide</filename>. This information can be found in section <emphasis>10.13. POJO Endpoint Authentication and Authorization</emphasis>.
+						</para>
+					</listitem>
+					<listitem>
+						<para>
 							<ulink url="http://jira.jboss.com/jira/browse/JBPAPP-1782">JBPAPP-1782</ulink>: Chapter 7.2 named <emphasis>Adjusting memory settings</emphasis> within the <filename>Installation Guide</filename>, stated that a user should modify the <filename>run.conf</filename> file in order to increase the avaliable memory to the program. This however is incorrect when running the JBoss Enterprise Application Platform on a Windows operating system. In this case the <filename>run.bat</filename> file should be modified and the documentation now reflects this difference.
 						</para> 
 					</listitem>
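Review bot: the new JBPAPP-2011 entry misspells the guide title as "Server Configuaration Guide" and hard-codes "10.13" as the section number, which will go stale as soon as a section is added or moved in the guide. Refer to the section by its title, "POJO Endpoint Authentication and Authorization", and drop the number, or generate it from the section id added in Web_Services.xml. The comma after "CP release" is also stray.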



