Details
Feature Request
Resolution: Obsolete
Major
None
JBossAS-4.2.2.GA
None
0
0%
Description
If I were to secure the http invoker in my JBoss (in accordance with documentation, by using the "/invoker/restricted/JNDIFactory/" url), then I would consequently need to supply a username & password to whatever client code is going to do the JNDI lookups. However, the class org.jboss.naming.HttpNamingContextFactory doesn't do any authentication handling whatsoever. It should be examining the principal & credentials and adding the authentication header for basic auth. It does delegate to the JDK's URL handling under the hood, but that code doesn't support automatic authentication from the url. So for example if I were to do: http://username:password@myserver:8080/invoker/restricted/JNDIFactory then strangely enough, only the username is passed on in a header, no password.
I'm contemplating writing my own implementation of HttpNamingContextFactory which uses the efficient Apache Jakarta Commons HttpClient library instead.
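The behaviour requested above, as an added example that is not JBoss code and not the reporter's implementation: it reads the principal and credentials from the JNDI environment (falling back to URL user-info), strips the user-info from the request URL, and sets the Basic `Authorization` header itself. The class, method and `allowCleartext` names are hypothetical, and `java.util.Base64` assumes Java 8 or later.

```java
import java.net.HttpURLConnection;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Hashtable;
import javax.naming.Context;

// Added illustration: hypothetical class and method names, not JBoss code.
public class BasicAuthLookupSketch {
    // Authorization header value for HTTP Basic auth: base64("user:password").
    static String basicHeader(String user, String password) {
        return "Basic " + Base64.getEncoder().encodeToString((user + ":" + password).getBytes(StandardCharsets.UTF_8));
    }

    // Credentials from the JNDI environment win; URL user-info is the fallback.
    static String[] credentials(URI uri, Hashtable<String, Object> env) {
        Object p = env.get(Context.SECURITY_PRINCIPAL);
        Object c = env.get(Context.SECURITY_CREDENTIALS);
        if (p != null && c != null) {
            String pw = (c instanceof char[]) ? new String((char[]) c) : c.toString();
            return new String[] { p.toString(), pw };
        }
        String info = uri.getUserInfo();            // already percent-decoded
        int colon = (info == null) ? -1 : info.indexOf(':');
        if (colon < 0) return null;                 // no password available
        return new String[] { info.substring(0, colon), info.substring(colon + 1) };
    }

    // Opens (without connecting) a connection that carries the Basic header.
    static HttpURLConnection open(String url, Hashtable<String, Object> env, boolean allowCleartext) throws Exception {
        URI uri = new URI(url);
        String[] cred = credentials(uri, env);
        // Keep user-info out of the request URL so it never reaches logs.
        URI clean = new URI(uri.getScheme(), null, uri.getHost(), uri.getPort(), uri.getPath(), uri.getQuery(), null);
        HttpURLConnection conn = (HttpURLConnection) clean.toURL().openConnection();
        if (cred != null) {
            // Basic auth is only encoded, not encrypted: require https by default.
            if (!"https".equalsIgnoreCase(clean.getScheme()) && !allowCleartext)
                throw new IllegalStateException("refusing Basic auth over " + clean.getScheme());
            conn.setRequestProperty("Authorization", basicHeader(cred[0], cred[1]));
        }
        return conn;
    }

    public static void main(String[] args) throws Exception {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.SECURITY_PRINCIPAL, "username");     // constructed sample values
        env.put(Context.SECURITY_CREDENTIALS, "password");
        HttpURLConnection c = open("http://myserver:8080/invoker/restricted/JNDIFactory", env, true);
        System.out.println(c.getURL() + " prepared with Basic credentials");
    }
}
```

The sample call passes `allowCleartext = true` only because the URL in the description is plain `http`; with the default of `false` the sketch refuses to attach credentials to a non-TLS endpoint.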