WS: Incomplete fix for CVE-2013-2133
It was found that the fix for CVE-2013-2133 was incomplete: the JAX-WS handlers were being executed for outbound messages even when authorization had failed. A remote attacker who is authorized to access the EJB class, could invoke a JAX-WS handler which they were not authorized to invoke...