[jbossws-issues] [JBoss JIRA] Created: (JBWS-3212) Incomplete CONFIDENTIAL transport-guarantee detection for POJO endpoint.

Darran Lofthouse (JIRA) jira-events at lists.jboss.org
Wed Feb 9 10:46:47 EST 2011


Incomplete CONFIDENTIAL transport-guarantee detection for POJO endpoint.
------------------------------------------------------------------------

                 Key: JBWS-3212
                 URL: https://issues.jboss.org/browse/JBWS-3212
             Project: JBoss Web Services
          Issue Type: Bug
      Security Level: Public (Everyone can see)
          Components: jbossws-native
    Affects Versions: jbossws-native-3.4.1
            Reporter: Darran Lofthouse
            Assignee: Darran Lofthouse
             Fix For: jbossws-native-4.0


Take an endpoint with a servlet-mapping similar to: -

<servlet-mapping>
    <servlet-name>PhoneBook</servlet-name>
    <url-pattern>/PB</url-pattern>
</servlet-mapping>

If the transport-guarantee is defined as: -

<security-constraint>
    <web-resource-collection>
        <web-resource-name>CONFIDENTIAL</web-resource-name>
        <url-pattern>/PB</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>

    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

JBossWS will detect this correctly and place an https address in the WSDL.

However if the url-pattern is changed to: -

<url-pattern>/PB/*</url-pattern>

JBoss Web will still enforce the transport-guarantee for the call, but JBossWS will not detect this and will present a WSDL with an http address.


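Added example (not part of the original report or the JBossWS code base): a deployment-descriptor check that compares an exact string match of the servlet-mapping URL against the CONFIDENTIAL constraint patterns with Servlet-specification pattern matching, showing why `/PB/*` still covers `/PB`. The `WEB_XML` sample and the names `pattern_covers` and `audit` are constructed for illustration; the exact-match result reproduces the reported symptom and is an assumption about the cause, not taken from the JBossWS source.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment modelled on the report (XML namespace omitted).
WEB_XML = """<web-app>
  <servlet-mapping>
    <servlet-name>PhoneBook</servlet-name>
    <url-pattern>/PB</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>CONFIDENTIAL</web-resource-name>
      <url-pattern>/PB/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

def pattern_covers(pattern, path):
    """Servlet-spec url-pattern match: exact, path prefix (/x/*) or extension (*.x).
    Simplified: the default pattern "/", best-match precedence between
    constraints and http-method lists are not modelled."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]          # "/PB/*" -> "/PB"; "/*" -> ""
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return False

def audit(web_xml):
    """Return {servlet-name: (exact_compare, spec_match)} for CONFIDENTIAL coverage."""
    root = ET.fromstring(web_xml)
    confidential = [
        p.text.strip()
        for sc in root.iter("security-constraint")
        if (sc.findtext("user-data-constraint/transport-guarantee") or "").strip() == "CONFIDENTIAL"
        for p in sc.iter("url-pattern")
    ]
    result = {}
    for sm in root.iter("servlet-mapping"):
        path = sm.findtext("url-pattern").strip()
        result[sm.findtext("servlet-name").strip()] = (
            path in confidential,                                # naive exact comparison
            any(pattern_covers(p, path) for p in confidential),  # spec-style matching
        )
    return result

if __name__ == "__main__":
    print(audit(WEB_XML))
```

A mapping where the two values differ is one whose published address could say http while the container requires https.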