I just spent about 5 painful hours working through various combinations or tags, looking at the JBoss wiki, and eventually the source code for JBossAuthenticationHandler and the contents of jboss-net_ejb_xml.xdt in the xdoclet-module-jboss-net.jar that I have.

Turns out that my xdoclet-module-jboss-net.jar does NOT understand the "validate-unauthenticated-calls" tag. The default in the JBossAuthenticationHandler is "false". According to notes in the source code, one would set "validateUnauthenticatedCalls" to "true" to handle clients that cannot (or won't) pre-authenticate.

Note: there is a page at:
http://www.jboss.org/developers/guides/jboss.net/security that says just the opposite and states to set "validateUnauthenticatedCalls" to "false". This doesn't agree with the comments in the source code ..... this cost me must frustration and hair loss.


So, to get to the point, you'll need to manually edit the "requestFlow" section of your "web-service.xml". You might start with the version that xdoclet generates and then fix up the "requestFlow" section similar to the following:

 <requestFlow name="MyRequest">
 <!-- authentication runs against the jaas:/other domain -->
 <handler type="java:org.jboss.net.axis.server.JBossAuthenticationHandler">
 <parameter name="securityDomain" value="java:/jaas/other"/>
 <parameter name="validateUnauthenticatedCalls" value="true"/>
 </handler>
 <!-- authorization runs against the jaas:/other domain -->
 <handler type="java:org.jboss.net.axis.server.JBossAuthorizationHandler">
 <parameter name="securityDomain" value="java:/jaas/other"/>
 <parameter name="allowedRoles" value="myrole"/>
 </handler>
 </requestFlow>

I've run several tests with .Net and Perl SOAP::Lite clients and this works for me. Forget about using "this.PreAuthenticate = true;" in your .Net proxy class. It might pre-authenticate subsequent webservice calls (haven't tested that), but it will NOT pre-authenticate the first call. I've even seen posts on .Net sites about forcibly adding an authenticate header - but from my tests, .Net will silently remove any attempt to do that.

Hope this helps,
Lance

Hi there

I get the following error message when I try to run this test program in JBoss 4.0.0DR4 ->
"The request failed with HTTP status 401: Unauthorized."

The example works well in JBoss 3.2.3

Is there something that can be done about this ?? Has something changed in 4.0 or is this just an error that will be fixed in the final release ??

cheers
matt


Extract from the WebService Session Bean

/**
 * @ejb.bean name = "HelloWorld"
 * description = "simple HelloWorld Bean"
 * display-name = "HelloWorld EJB"
 * view-type = "remote"
 * jndi-name = "ejb/jbossnet/HelloWorld"
 *
 * @jboss-net.authentication domain="other"
 * validate-unauthenticated-calls="true"
 *
 * @jboss-net.authorization domain="other"
 * roles-allowed="normal,extended"
 *
 *
 * @jboss-net.web-service urn="HelloWorldEJB"
 */

public class HelloWorldBean implements SessionBean {

 /**
 *
 */
 public HelloWorldBean() {
 super();
 }

 /**
 * Default create Exception
 * @throws CreateException
 * @ejb.create-method
 */
 public void ejbCreate() throws CreateException{
 }

 /**
 * HelloBean method
 * @param name
 * @return
 *
 * @jboss-net.web-method
 * @jboss-net.wsdd-operation
 * @ejb.permission role-name = "normal"
 * @ejb.interface-method view-type = "remote"
 */
 public String HelloBean(String name){
 return "Hello " + name;
 }

users.properties

admin=adminpwd

roles.properties

admin=normal,extended

web-service.xml

<requestFlow name="HelloWorldEJBRequest">
 <handler type="java:org.jboss.net.axis.server.JBossAuthenticationHandler">
 <parameter name="securityDomain" value="java:/jaas/other"/>
 <parameter name="validateUnauthenticatedCalls" value="true"/>
 </handler>
 <handler type="java:org.jboss.net.axis.server.JBossAuthorizationHandler">
 <parameter name="securityDomain" value="java:/jaas/other"/>
 <parameter name="allowedRoles" value="normal,extended"/>
 </handler>
 </requestFlow>
 <responseFlow name="HelloWorldEJBResponse">
 </responseFlow>

c# client

private void button_Click(object sender, EventArgs e)
 {
 localhost.HelloWorldService hws = new localhost.HelloWorldService();
 hws.PreAuthenticate = true;
 NetworkCredential login = new NetworkCredential("admin", "adminpwd");
 CredentialCache cache = new CredentialCache();
 cache.Add(new Uri(hws.Url), "Basic", login);
 hws.Credentials = cache;

 textBox.Text = hws.HelloBean("Test");
 }

IMHO the problem with .NET is, that the PreAuthenicate Method doesn't work as expected. The first call
is done without Authorization - Header, only subsequent calls get the right header.

But you can workaround this easily with a little subclassing:

using System;

public class MyWebService : your.original.WebService {
 protected override System.Net.WebRequest GetWebRequest(Uri uri) {
 System.Net.HttpWebRequest request = (System.Net.HttpWebRequest)base.GetWebRequest(uri);
 if (this.PreAuthenticate) {
 System.Net.NetworkCredential nc = this.Credentials.GetCredential(uri,"Basic");
 if (nc != null) {
 byte[] credBuf = new System.Text.UTF8Encoding().GetBytes(nc.UserName + ":" + nc.Password);
 request.Headers["Authorization"] = "Basic " + Convert.ToBase64String(credBuf);
 }
 }
 return request;
 }
}

class TestClient {
 public static void Main(string[] args) {
 MyWebService stub = new MyWebService();
 stub.Credentials = new System.Net.NetworkCredential("admin","secret");
 stub.PreAuthenticate = true;
 Console.WriteLine("Call hello: " + stub.hello("MyName"));
 }
}

I hope this little C# example helps you and others too.

BTW: This was explained nicely on http://www.nsdev.org/jboss/stories/jboss-net.html, but this
site seems down. Sad :-(