tomee-users mailing list archives

From Romain Manni-Bucau <rmannibu...@gmail.com>
Subject Re: secure the tomee/ejb path
Date Wed, 05 Oct 2016 21:27:41 GMT
2016-10-05 23:03 GMT+02:00 Zachary Bedell <zbedell@nycourts.gov>:

> I just added a comment to the Github commit on this, but wanted to
> reference it here in case anyone finds this email thread.
>
> https://github.com/apache/tomee/commit/7edb1be6a17efb05a5ca37ff2919abd2a0aabe25
>
>
> This approach causes problems with clustered connections.
>
> If using a clustered URL like
> "failover:sticky+random:https://1.2.3.4:8443/ejb/invoke?authorization=Basic%20ABCD,https://1.2.3.5:8443/ejb/invoke?authorization=Basic%20ABCD",
> the call to URI::getSchemeSpecificPart() in
> org.apache.openejb.client.FailoverConnectionFactory::getConnection() results in the
> "%20" encoding being stripped & replaced with a raw space character. The subsequent
> call to URI.create(remainder) fails with an IllegalArgumentException on the index of
> the space character.
>
> It may be appropriate to change FailoverConnectionFactory to use
> URI::getRawSchemeSpecificPart() or else assume the "Basic " part of the
> header in HttpConnectionFactory. I'm not sure how that class could do
> anything other than basic auth in this situation since there's no facility
> for it to retrieve the nonce or other digest related attributes from the
> HTTP/401 challenge.
>
>
Used getRawSchemeSpecificPart.

You can use OAuth2 with the current implementation, for instance, so I'm not really
motivated to hardcode Basic.


> I've locally modified this class to append the Basic part itself (i.e.
> httpURLConnection.setRequestProperty("Authorization", "Basic " +
> params.get("authorization"));), leaving only the base64-encoded credentials
> in the URL. It works fine that way with single or clustered URLs.
>
>
That only works because base64 encoding will not add spaces or other URL-forbidden
characters, but another token policy can, so I think the fix was really in the
failover factory.


> Best regards,
> Zac Bedell
>
> On Jul 28, 2016, at 05:56, Romain Manni-Bucau <rmannibucau@gmail.com> wrote:
>
> Well, this is not "trivial" since normally you don't do it, so no worries.
>
> org.apache.openejb.client.ConnectionManager.registerFactory("http", new
> MyConnectionFactory());
> org.apache.openejb.client.ConnectionManager.registerFactory("https", new
> MyConnectionFactory());
>
> Once at startup (= before any remote call).
>
> Side note: you can copy master HttpConnectionFactory to get basic support,
> adding ?authorization=Basic%20xxxxxxxx==:
> https://github.com/apache/tomee/blob/master/server/openejb-client/src/main/java/org/apache/openejb/client/HttpConnectionFactory.java
>
> Romain Manni-Bucau
> @rmannibucau <https://twitter.com/rmannibucau> | Blog <https://blog-rmannibucau.rhcloud.com> |
> Old Wordpress Blog <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber <http://www.tomitribe.com> |
> JavaEE Factory <https://javaeefactory-rmannibucau.rhcloud.com>
>
> 2016-07-28 11:09 GMT+02:00 ict <ict.management.trexon@gmail.com>:
>
> Forgive my inexperience, how do you extend and record the client-side
> class?
>
>
>
> --
> View this message in context:
> http://tomee-openejb.979440.n4.nabble.com/secure-the-tomee-ejb-path-tp4679509p4679528.html
> Sent from the TomEE Users mailing list archive at Nabble.com.
>
>
>

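The %20 round trip Zac describes, as an added example (this is illustration code written for this archive page, not OpenEJB's own FailoverConnectionFactory or HttpConnectionFactory, and not code from either poster): it models the failover-URL parsing step with java.net.URI so the difference between getSchemeSpecificPart() and getRawSchemeSpecificPart() is visible, and then reads the authorization parameter back out of one member URL the way an HTTP factory would need it for the header. The treatment of the "sticky+random:" prefix (everything up to the first ':' of the scheme-specific part), the sample hosts and the placeholder credential are assumptions.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.List;

/*
 * Added illustration, not OpenEJB code. A "failover:" URL is opened with
 * java.net.URI, the member list is taken from its scheme-specific part, and
 * each member is re-parsed with URI.create(). Whether that second parse
 * succeeds depends on whether the decoded or the raw part was used.
 */
public class FailoverUriDemo {

    // Constructed sample in the shape discussed in the thread; the hosts and
    // the base64 credential ("ABCD" encoded as QUJDRA==) are placeholders.
    static final String CLUSTERED =
        "failover:sticky+random:"
        + "https://1.2.3.4:8443/ejb/invoke?authorization=Basic%20QUJDRA==,"
        + "https://1.2.3.5:8443/ejb/invoke?authorization=Basic%20QUJDRA==";

    /**
     * Drops the strategy prefix and splits the comma-separated member list.
     * Assumption: the first ':' of the scheme-specific part ends the
     * strategy name ("sticky+random").
     */
    static List<URI> members(String schemeSpecificPart) {
        String list = schemeSpecificPart.substring(schemeSpecificPart.indexOf(':') + 1);
        List<URI> out = new ArrayList<>();
        for (String member : list.split(",")) {
            // A raw space in the query is an illegal character for URI.create().
            out.add(URI.create(member));
        }
        return out;
    }

    /** The failing path: getSchemeSpecificPart() has already turned %20 into ' '. */
    static List<URI> membersFromDecodedPart(String clustered) {
        return members(URI.create(clustered).getSchemeSpecificPart());
    }

    /** The working path: getRawSchemeSpecificPart() leaves %20 untouched. */
    static List<URI> membersFromRawPart(String clustered) {
        return members(URI.create(clustered).getRawSchemeSpecificPart());
    }

    /**
     * Reads the authorization parameter of one member URL. getQuery() is the
     * percent-decoded form (and, unlike URLDecoder, does not turn '+' into a
     * space, which matters for base64), so "Basic%20QUJDRA==" comes back as
     * "Basic QUJDRA==", exactly what the Authorization header needs. Only the
     * first '=' separates key and value, because base64 padding is also '='.
     * A token containing a literal '&' would need raw splitting before
     * decoding; not handled here.
     */
    static String authorizationHeader(URI member) {
        String query = member.getQuery();
        if (query == null) {
            return null;
        }
        for (String kv : query.split("&")) {
            int eq = kv.indexOf('=');
            if (eq > 0 && kv.substring(0, eq).equals("authorization")) {
                return kv.substring(eq + 1);
            }
        }
        return null;
    }

    public static void main(String[] args) {
        try {
            membersFromDecodedPart(CLUSTERED);
            System.out.println("decoded part: parsed (unexpected)");
        } catch (IllegalArgumentException e) {
            // Reproduces the failure from the thread.
            System.out.println("decoded part: " + e.getMessage());
        }

        List<URI> ok = membersFromRawPart(CLUSTERED);
        System.out.println("raw part: " + ok.size() + " members");
        for (URI m : ok) {
            System.out.println("  " + m.getHost() + ":" + m.getPort()
                + " -> Authorization: " + authorizationHeader(m));
        }
    }
}
```

Run with `javac FailoverUriDemo.java && java FailoverUriDemo`. The first branch prints an "Illegal character in query" message for the decoded part; the second lists both members with the header value "Basic QUJDRA==". The point for anyone wiring credentials into a connection URL: the value has to be decoded exactly once, at the point where it leaves the URL and enters the header, so the split on the raw part must happen before any decoding. Also remember that whatever goes into the URL goes wherever that URL is logged or toString()'d, so treat the connection string itself as a secret.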