Bug 1043920
Summary: | Basic security on http binding failing
---|---
Product: | [JBoss] JBoss Fuse Service Works 6
Component: | SwitchYard
Version: | 6.0.0
Status: | CLOSED WONTFIX
Severity: | urgent
Priority: | unspecified
Reporter: | Pavel Drozd <pdrozd>
Assignee: | kconner
QA Contact: | Jiri Sedlacek <jsedlace>
CC: | atangrin, dlesage, oskutka, rcernich, soa-p-jira, tcunning
Target Milestone: | ---
Target Release: | ---
Hardware: | Unspecified
OS: | Unspecified
Doc Type: | Bug Fix
Doc Text: | Secured service with http binding does not require authentication header. This causes basic security failure as the service can be requested without security.
Story Points: | ---
Last Closed: | 2015-04-02 00:28:05 UTC
Type: | Bug
Description
Pavel Drozd
2013-12-17 12:55:07 UTC
Created attachment 837660: switchyard original
Created attachment 837661: switchyard ER6
Created attachment 837662: switchyard ER7
A few comments on this project:

1) If you already have your bean service defined in switchyard.xml, there's no point in using BeanScanner in your pom.xml to generate config.

2) If you really want to use BeanScanner for some reason, it's important to make sure that the config that will be generated from annotations in the bean class matches any predefined config in switchyard.xml. In this case, that means adding the componentName element to your annotation:

    @Service(value = CustomService.class, componentName = "Performance")

What's happening at runtime here is that two instances of 'CustomService' are registered, one for each component definition in the generated switchyard.xml. The promoted service is also named 'CustomService' so it is going to match based on name and that will provide two possibilities. Deployment happens in document order, so that's likely why the first, unsecured service is being invoked with your app.

Hey Kevin, I think this should be nack'd and marked as won't fix.

nacking on behalf of dev given Keith's and Rob's comments
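
The duplicate registration described in the first comment can be caught by inspecting the merged switchyard.xml before deployment. The following is an added example, not part of the original bug report or of SwitchYard itself: it flags a promoted service whose name is provided by more than one component with differing `requires` policy. The sample XML is constructed; the scanner-generated component name, the `clientAuthentication` intent and the bare `promote` value are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

SCA = "{http://docs.oasis-open.org/ns/opencsa/sca/200912}"  # SCA 1.1 namespace

# Constructed sample of a merged switchyard.xml: a scanner-generated component
# (name assumed) listed before the hand-written, secured "Performance" component.
SAMPLE = """<switchyard xmlns="urn:switchyard-config:switchyard:1.0"
    xmlns:sca="http://docs.oasis-open.org/ns/opencsa/sca/200912">
  <sca:composite name="example">
    <sca:service name="CustomService" promote="CustomService"/>
    <sca:component name="CustomService">
      <sca:service name="CustomService"/>
    </sca:component>
    <sca:component name="Performance">
      <sca:service name="CustomService" requires="clientAuthentication"/>
    </sca:component>
  </sca:composite>
</switchyard>"""

def ambiguous_promotions(xml_text):
    """Return [(promoted name, [(component, intents), ...])] for every promoted
    service that matches several component services with differing policy."""
    root = ET.fromstring(xml_text)
    # Service name -> providers, kept in document order (the deployment order).
    providers = defaultdict(list)
    for comp in root.iter(SCA + "component"):
        for svc in comp.findall(SCA + "service"):
            intents = frozenset(svc.get("requires", "").split())
            providers[svc.get("name")].append((comp.get("name"), intents))
    findings = []
    for composite in root.iter(SCA + "composite"):
        # Direct children only: these are the promoted (externally bound) services.
        for promoted in composite.findall(SCA + "service"):
            # Accept both "Service" and "Component/Service" promote values.
            target = promoted.get("promote", promoted.get("name")).split("/")[-1]
            matches = providers.get(target, [])
            if len(matches) > 1 and len({i for _, i in matches}) > 1:
                findings.append((target, matches))
    return findings

if __name__ == "__main__":
    for name, matches in ambiguous_promotions(SAMPLE):
        print(f"promoted service {name!r} matches {len(matches)} components:")
        for comp, intents in matches:
            print(f"  {comp}: requires={sorted(intents) or 'none'}")
```

The providers are listed in document order, so the first entry in a finding is the component the comment expects to be invoked.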