tomee-users mailing list archives

From Zachary Bedell <zbed...@nycourts.gov>
Subject Re: secure the tomee/ejb path
Date Wed, 05 Oct 2016 21:03:05 GMT
I just added a comment to the Github commit on this, but wanted to reference it here in case
anyone finds this email thread.

https://github.com/apache/tomee/commit/7edb1be6a17efb05a5ca37ff2919abd2a0aabe25


This approach causes problems with clustered connections.

If using a clustered URL like "failover:sticky+random:https://1.2.3.4:8443/ejb/invoke?authorization=Basic%20ABCD,https://1.2.3.5:8443/ejb/invoke?authorization=Basic%20ABCD",
the call to URI::getSchemeSpecificPart() in org.apache.openejb.client.FailoverConnectionFactory::getConnection()
results in the "%20" encoding being stripped & replaced with a raw space character. The
subsequent call to URI.create(remainder) fails with an IllegalArgumentException on the index
of the space character.

It may be appropriate to change FailoverConnectionFactory to use URI::getRawSchemeSpecificPart()
or else assume the "Basic " part of the header in HttpConnectionFactory. I'm not sure how
that class could do anything other than basic auth in this situation since there's no facility
for it to retrieve the nonce or other digest related attributes from the HTTP/401 challenge.

I've locally modified this class to append the Basic part itself (i.e. httpURLConnection.setRequestProperty("Authorization",
"Basic " + params.get("authorization"));), leaving only the base64 encoded credentials in the
URL. It works fine that way with single or clustered URLs.

Best regards,
Zac Bedell
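The failure described above, reproduced as an added example (this is not TomEE's code and not Zac's patch). It uses the clustered URL from the mail with "ABCD" standing in for real base64 credentials, and a simplified sketch of the failover parsing step: take the scheme-specific part of "failover:<strategy>:<uri>,<uri>", drop the strategy, and re-parse each member with URI.create(). Taking the part decoded reproduces the IllegalArgumentException; taking it raw keeps "%20" intact. The last step shows the workaround of carrying only the base64 value in the URL and prepending "Basic " in the factory. The class and method names are mine, not the OpenEJB client's.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;

/*
 * Added example, not TomEE's code. A simplified sketch of the failover URL
 * parsing step described in the mail: the factory takes the scheme-specific
 * part of "failover:<strategy>:<uri>,<uri>,..." and re-parses each member URI.
 * Whether that part is taken decoded or raw decides if "%20" survives.
 */
public class FailoverUriDemo {

    // Constructed sample: the clustered URL from the thread, with a placeholder
    // "ABCD" in place of real base64 credentials.
    static final String CLUSTERED =
        "failover:sticky+random:"
        + "https://1.2.3.4:8443/ejb/invoke?authorization=Basic%20ABCD,"
        + "https://1.2.3.5:8443/ejb/invoke?authorization=Basic%20ABCD";

    /** Splits the member URIs; useDecoded=true reproduces the reported failure. */
    static List<URI> members(URI failover, boolean useDecoded) {
        String ssp = useDecoded
            ? failover.getSchemeSpecificPart()      // "%20" becomes a raw space here
            : failover.getRawSchemeSpecificPart();  // "%20" kept verbatim
        String list = ssp.substring(ssp.indexOf(':') + 1);  // drop "sticky+random:"
        List<URI> out = new ArrayList<>();
        for (String member : list.split(",")) {
            out.add(URI.create(member));  // IllegalArgumentException on a raw space
        }
        return out;
    }

    /** Reads the "authorization" query parameter of one member URI (decoded by getQuery). */
    static String authorizationParam(URI member) {
        for (String pair : member.getQuery().split("&")) {
            int eq = pair.indexOf('=');
            if (eq > 0 && pair.substring(0, eq).equals("authorization")) {
                return pair.substring(eq + 1);
            }
        }
        return null;
    }

    /** The workaround from the mail: the URL carries only base64, the factory adds "Basic ". */
    static String basicHeader(String base64Credentials) {
        return "Basic " + base64Credentials;
    }

    /** How the base64 part is produced for a real user:password pair. */
    static String encodeCredentials(String user, String password) {
        return Base64.getEncoder()
            .encodeToString((user + ":" + password).getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        URI uri = URI.create(CLUSTERED);

        try {
            members(uri, true);
            System.out.println("decoded: parsed (unexpected)");
        } catch (IllegalArgumentException e) {
            // "Illegal character in query at index 51: https://1.2.3.4:8443/ejb/invoke?authorization=Basic ABCD"
            System.out.println("decoded ssp fails: " + e.getMessage());
        }

        for (URI member : members(uri, false)) {
            System.out.println("raw ssp ok: " + member
                + " -> Authorization: " + authorizationParam(member));
        }

        // Workaround: the URL carries base64 only; the header is assembled in the factory.
        String creds = encodeCredentials("user", "s3cret");
        URI single = URI.create("https://1.2.3.4:8443/ejb/invoke?authorization=" + creds);
        System.out.println("Authorization: " + basicHeader(authorizationParam(single)));
    }
}
```

Note that after the raw split, URI.getQuery() still decodes "%20", so the factory reading the parameter sees "Basic ABCD" either way; the two fixes Zac proposes differ only in where the "Basic " token lives. Base64 is an encoding, not encryption: whichever form is chosen, the credentials are in the connection URL string and are exposed wherever that string is logged or printed.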

On Jul 28, 2016, at 05:56, Romain Manni-Bucau <rmannibucau@gmail.com> wrote:

Well, this is not "trivial" since normally you don't do it, so no worries.

org.apache.openejb.client.ConnectionManager.registerFactory("http", new MyConnectionFactory());
org.apache.openejb.client.ConnectionManager.registerFactory("https", new MyConnectionFactory());

Once at startup (= before any remote call).

Side note: you can copy master HttpConnectionFactory to get basic support
adding ?authorization=Basic%20xxxxxxxx==:
https://github.com/apache/tomee/blob/master/server/openejb-client/src/main/java/org/apache/openejb/client/HttpConnectionFactory.java

Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<https://blog-rmannibucau.rhcloud.com> | Old Wordpress Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
<http://www.tomitribe.com> | JavaEE Factory
<https://javaeefactory-rmannibucau.rhcloud.com>

2016-07-28 11:09 GMT+02:00 ict <ict.management.trexon@gmail.com>:

Forgive my inexperience, how do you extend and record the client-side class?



--
View this message in context:
http://tomee-openejb.979440.n4.nabble.com/secure-the-tomee-ejb-path-tp4679509p4679528.html
Sent from the TomEE Users mailing list archive at Nabble.com.