[jboss-dev-forums] [JBoss ESB Development] - Re: EBWS Security Support

beve do-not-reply at jboss.com
Tue Sep 29 03:27:20 EDT 2009


Been thinking about this and one solution might be to:
1. In the ActionPipelineProcessor we check the actions attribute 'webservice'. If it is true we disable security in the action pipeline and don't perform any security processing. In this case we delegate security to the container.

2. We add a 'securityDomain' attribute to the service element which would apply only when the 'webservice' attribute is true.
During deployment we use this 'securityDomain' value to set the securityDomain for the war. There is one issue here as mentioned above:
   * If there is an http_provider configured it might already have specified a security domain which we will be overriding upon deployment. It might also be
     the other way around but the effect is the same. This would throw an exception saying that the authentication domain has already been set.
     We would need to document this fact and make sure users understand that there is a single web application for every jboss-esb.xml.

Downsides:
1. It might not be obvious by reading the configuration that the same security domain is used by both the http provider and the service.
2. Even though you can specify a 'securityDomain' attribute for every service in your jboss-esb.xml they all have to be the same.
3. Security can be bypassed by using a ServiceInvoker to call the service directly.

Another option might be to have a global configuration for the security domain that applies to the whole jboss-esb.xml. This would then be used for all http providers and all services. This would be a change from what is currently there, where you can have different security domains (moduleNames) for different services in your jboss-esb.xml file.

Any thoughts on this?

Regards,

/Daniel


View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4257533#4257533
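
The single-domain constraint discussed in the post, sketched as a pre-deployment check. This is an added example, not code from the original post or from JBoss ESB. It assumes a simplified XML layout and an `<auth domain="...">` child on the http provider; `resolve_war_domain`, `declared_domains` and `SecurityDomainConflict` are hypothetical names, while 'webservice' and 'securityDomain' are the attributes named in the post.

```python
import xml.etree.ElementTree as ET

# Constructed sample; element layout and <auth domain=...> are assumptions (see lead-in).
SAMPLE = """
<jbossesb>
  <providers>
    <http-provider name="http"><auth domain="java:/jaas/JBossWS"/></http-provider>
  </providers>
  <services>
    <service name="Orders" securityDomain="java:/jaas/JBossWS">
      <actions webservice="true"/>
    </service>
    <service name="Billing" securityDomain="java:/jaas/other">
      <actions webservice="true"/>
    </service>
    <service name="Internal" securityDomain="java:/jaas/ignored">
      <actions webservice="false"/>
    </service>
  </services>
</jbossesb>
"""

class SecurityDomainConflict(Exception):
    pass

def declared_domains(xml_text):
    """Return [(source, domain)] for everything that would set the WAR's domain."""
    root = ET.fromstring(xml_text)
    found = []
    for provider in root.iter("http-provider"):
        auth = provider.find("auth")
        if auth is not None and auth.get("domain"):
            found.append(("http-provider " + provider.get("name", "?"), auth.get("domain")))
    for service in root.iter("service"):
        actions = service.find("actions")
        # securityDomain applies only when the actions are exposed as a web service
        is_ws = actions is not None and actions.get("webservice", "false").lower() == "true"
        if is_ws and service.get("securityDomain"):
            found.append(("service " + service.get("name", "?"), service.get("securityDomain")))
    return found

def resolve_war_domain(xml_text):
    """One WAR per jboss-esb.xml: return its single domain, or None if unset."""
    found = declared_domains(xml_text)
    distinct = {domain for _, domain in found}
    if len(distinct) > 1:
        detail = ", ".join(f"{src}={dom}" for src, dom in found)
        raise SecurityDomainConflict("security domain already set: " + detail)
    return distinct.pop() if distinct else None
```

Running the check on the constructed sample reports the provider and both web-service-enabled services, which makes the shared domain visible even when the configuration does not.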
