-
1. Re: WS4EE and AS5
15:29:39,695 WARN [MainDeployer] undeploy 'file:/home/anil/jboss-5.0/jboss-head/testsuite/output/lib/ws4ee-jbws309.jar' : package not deployed 15:29:39,695 INFO [MainDeployer] deploy, url=file:/home/anil/jboss-5.0/jboss-head/testsuite/output/lib/ws4ee-jbws309.jar 15:29:40,269 WARN [CollectionPropertyHandler] ClassInfo.getDeclaredConstructor(null) didn't work for org.jboss.metadata.ejb.spec.InterceptorClassesMetaData, found the default ctor in ClassInfo.getDeclaredConstructors() 15:29:41,231 INFO [EjbDeployer] installing bean: ejb/#BasicSecuredSLSB,uid1353625448 15:29:41,231 INFO [EjbDeployer] with dependencies: 15:29:41,231 INFO [EjbDeployer] and supplies: 15:29:41,231 INFO [EjbDeployer] jndi:ejb/BasicSecuredSLSB 15:29:41,231 INFO [EjbDeployer] installing bean: ejb/#RoleSecuredSLSB,uid644541754 15:29:41,232 INFO [EjbDeployer] with dependencies: 15:29:41,232 INFO [EjbDeployer] and supplies: 15:29:41,232 INFO [EjbDeployer] jndi:ejb/RoleSecuredSLSB 15:29:41,374 INFO [DefaultEndpointRegistry] register: jboss.ws:context=ws4ee-jbws309,endpoint=RoleSecuredSLSB 15:29:41,377 INFO [DefaultEndpointRegistry] register: jboss.ws:context=ws4ee-jbws309,endpoint=BasicSecuredSLSB 15:29:41,954 INFO [WSDLFilePublisher] WSDL published to: file:/home/anil/jboss-5.0/jboss-head/build/output/jboss-5.0.0.CR1/server/jacc/data/wsdl/ws4ee-jbws309.jar/OrganizationService.wsdl 15:29:42,134 INFO [EjbModule] Deploying BasicSecuredSLSB 15:29:42,283 INFO [EjbModule] Deploying RoleSecuredSLSB 15:29:42,443 INFO [ProxyFactory] Bound EJB Home 'BasicSecuredSLSB' to jndi 'ejb/BasicSecuredSLSB' 15:29:42,454 INFO [ProxyFactory] Bound EJB Home 'RoleSecuredSLSB' to jndi 'ejb/RoleSecuredSLSB' 15:29:42,460 INFO [TomcatDeployment] deploy, ctxPath=/ws4ee-jbws309, vfsUrl= 15:29:42,478 WARN [config] Unable to process deployment descriptor for context '/ws4ee-jbws309' 15:29:43,351 WARN [MainDeployer] undeploy 'file:/home/anil/jboss-5.0/jboss-head/testsuite/output/lib/ws4ee-jbws309-client.jar' : package not deployed 15:29:43,352 INFO [MainDeployer] deploy, url=file:/home/anil/jboss-5.0/jboss-head/testsuite/output/lib/ws4ee-jbws309-client.jar 15:29:43,564 INFO [NativeServiceRefBinderJAXRPC] setupServiceRef [jndi=ws4ee-client/env/service/BasicSecured] 15:29:43,578 INFO [NativeServiceRefBinderJAXRPC] setupServiceRef [jndi=ws4ee-client/env/service/RoleSecured] 15:29:43,581 INFO [JBossASKernel] Created KernelDeployment for: ws4ee-jbws309-client.jar 15:29:43,587 INFO [JBossASKernel] installing bean: jboss.j2ee:jar=ws4ee-jbws309-client.jar,name=ws4ee-client,service=EJB3 15:29:43,587 INFO [JBossASKernel] with dependencies: 15:29:43,587 INFO [JBossASKernel] and demands: 15:29:43,588 INFO [JBossASKernel] and supplies: 15:29:43,588 INFO [JBossASKernel] Added bean(jboss.j2ee:jar=ws4ee-jbws309-client.jar,name=ws4ee-client,service=EJB3) to KernelDeployment of: ws4ee-jbws309-client.jar 15:29:43,635 INFO [ClientENCInjectionContainer] STARTED CLIENT ENC CONTAINER: ws4ee-client 15:29:45,646 INFO [ClientENCInjectionContainer] STOPPED CLIENT ENC CONTAINER: ws4ee-client 15:29:45,703 INFO [TomcatDeployment] undeploy, ctxPath=/ws4ee-jbws309, vfsUrl= 15:29:45,731 INFO [ProxyFactory] Unbind EJB Home 'RoleSecuredSLSB' from jndi 'ejb/RoleSecuredSLSB' 15:29:45,733 INFO [EjbModule] Undeployed RoleSecuredSLSB 15:29:45,736 INFO [ProxyFactory] Unbind EJB Home 'BasicSecuredSLSB' from jndi 'ejb/BasicSecuredSLSB' 15:29:45,740 INFO [EjbModule] Undeployed BasicSecuredSLSB 15:29:45,751 INFO [DefaultEndpointRegistry] remove: jboss.ws:context=ws4ee-jbws309,endpoint=RoleSecuredSLSB 15:29:45,766 INFO [DefaultEndpointRegistry] remove: jboss.ws:context=ws4ee-jbws309,endpoint=BasicSecuredSLSB
As you can see, I am not sure if Tomcat is really deploying the ws4ee-jbws309.war properly -
2. Re: WS4EE and AS5
"anil.saldhana@jboss.com" wrote:
I see that JBossWS is trying to deploy a web application for ejb based WS. This web application would be the entry point for the WS apps.
Do you still dynamically generate the web.xml/jboss-web.xml?
Yes, we still dynamically generate web.xml/jboss-web.xml for EJB endpoints. -
3. Re: WS4EE and AS5
Is that statement really true? You generate web.xml/jboss-web.xml or you generate the JBossWebMetaData directly?
-
4. Re: WS4EE and AS5
The issue in jbossas5 is that unless the descriptor is generated before the parsing deployers execute, its not going to be used, at least properly. I think we still have duplicate descriptor parsing going on from legacy tomcat behavior, but I'm not sure since the JBAS-5144 changes.
-
5. Re: WS4EE and AS5
We generate web.xml/jboss-web.xml for JBoss AS 5 Beta 4 and we generate JBossWebMetaData for JBoss AS 5 trunk.
-
6. Re: WS4EE and AS5
I've taken a look at the failing tests (with JACC server conf). I confirm that on AS5 trunk jbossws currently generates JBossWebMetaData and attaches it to the deployment unit.
2008-08-20 12:07:01,625 DEBUG [org.jboss.web.tomcat.service.deployers.TomcatDeployer] (RMI TCP Connection(5)-127.0.0.1) Begin deploy, org.jboss.metadata.web.jboss.JBossWebMetaData@1f 2008-08-20 12:07:01,625 DEBUG [org.jboss.web.tomcat.service.deployers.TomcatDeployer] (RMI TCP Connection(5)-127.0.0.1) Unpacking war to: /home/alessio/dati/jboss-5.0-src/build/output/jboss-5.0.0.CR2/server/jacc/tmp/deploy/ws4ee-jbws309.jar23188-exp.war ... 2008-08-20 12:07:01,674 DEBUG [org.jboss.web.tomcat.service.deployers.TomcatDeployment] (RMI TCP Connection(5)-127.0.0.1) Linked java:comp/UserTransaction to JNDI name: UserTransaction 2008-08-20 12:07:01,674 DEBUG [org.jboss.web.tomcat.service.deployers.TomcatDeployment] (RMI TCP Connection(5)-127.0.0.1) linkSecurityDomain 2008-08-20 12:07:01,674 DEBUG [org.jboss.web.tomcat.service.deployers.TomcatDeployment] (RMI TCP Connection(5)-127.0.0.1) Linking security/securityMgr to JNDI name: java:/jaas/JBossWS 2008-08-20 12:07:01,675 DEBUG [org.jboss.web.tomcat.service.deployers.TomcatDeployment] (RMI TCP Connection(5)-127.0.0.1) injectionContainer enabled and processing beginning ... 2008-08-20 12:07:02,755 DEBUG [org.jboss.web.tomcat.service.deployers.TomcatDeployment] (RMI TCP Connection(5)-127.0.0.1) Initialized: {WebApplication: /home/alessio/dati/jboss-5.0-src/build/output/jboss-5.0.0.CR2/server/jacc/tmp/deploy/ws4ee-jbws309.jar23188-exp.war/, URL: file:/home/alessio/dati/jboss-5.0-src/build/output/jboss-5.0.0.CR2/server/jacc/tmp/deploy/ws4ee-jbws309.jar23188-exp.war/, classLoader: BaseClassLoader@2abdb{vfszip:/home/alessio/dati/jboss-5.0-src/testsuite/output/lib/ws4ee-jbws309.jar}:175067} jboss.web:j2eeType=WebModule,name=//localhost/ws4ee-jbws309,J2EEApplication=none,J2EEServer=none
In the 3 failing tests the call is not authorized by the JBossAuthorizationContext, but looking at the messages that go on the wire, I see an HTTP/1.1 200 OK coming back as a reply to the POST request with the SOAP message. I think that's why an exception is not raised on client side and the tests fail with the "Security exception expected" message and the "Premature end of file" complaint. The jbossws endpoint servlet is not called.
Please note that it seems to me the ws calls are rejected in the same way even when using the right principal/credential. -
7. Re: WS4EE and AS5
Alessio is right when he says the endpoint servlet is not called. Running the tests with TRACE enabled for org.jboss.security shows us the following:
2008-08-26 14:30:19,078 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-127.0.0.1-8080-1) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.JACCAuthorizationModule:{}required}is:[required] 2008-08-26 14:30:19,079 TRACE [org.jboss.security.authorization.modules.web.WebJACCPolicyModuleDelegate] (http-127.0.0.1-8080-1) resourceCheck=false : userDataCheck=true : roleRefCheck=false 2008-08-26 14:30:19,080 TRACE [org.jboss.security.authorization.modules.web.WebJACCPolicyModuleDelegate] (http-127.0.0.1-8080-1) hasUserDataPermission, p=(javax.security.jacc.WebUserDataPermission / POST) 2008-08-26 14:30:19,080 TRACE [org.jboss.security.jacc.ContextPolicy] (http-127.0.0.1-8080-1) No principals found in domain: ProtectionDomain null null <no principals> java.security.Permissions@1ed6d94 ( (javax.security.jacc.EJBMethodPermission RoleSecuredSLSB)[*:*()] (javax.security.jacc.EJBMethodPermission BasicSecuredSLSB)[*:*()] [RoleSecuredSLSB,role-ref=friend] ) 2008-08-26 14:30:19,080 TRACE [org.jboss.security.jacc.DelegatingPolicy] (http-127.0.0.1-8080-1) implied=false 2008-08-26 14:30:19,080 TRACE [org.jboss.security.authorization.modules.web.WebJACCPolicyModuleDelegate] (http-127.0.0.1-8080-1) Denied: (javax.security.jacc.WebUserDataPermission / POST) 2008-08-26 14:30:19,080 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-127.0.0.1-8080-1) Error in authorize: org.jboss.security.authorization.AuthorizationException: Authorization Failed:Denied. at org.jboss.security.plugins.authorization.JBossAuthorizationContext.invokeAuthorize(JBossAuthorizationContext.java:268) at org.jboss.security.plugins.authorization.JBossAuthorizationContext.access$000(JBossAuthorizationContext.java:67) at org.jboss.security.plugins.authorization.JBossAuthorizationContext$1.run(JBossAuthorizationContext.java:153) at java.security.AccessController.doPrivileged(Native Method) at org.jboss.security.plugins.authorization.JBossAuthorizationContext.authorize(JBossAuthorizationContext.java:149) at org.jboss.security.plugins.JBossAuthorizationManager.internalAuthorization(JBossAuthorizationManager.java:455) at org.jboss.security.plugins.JBossAuthorizationManager.authorize(JBossAuthorizationManager.java:121) at org.jboss.security.plugins.javaee.WebAuthorizationHelper.hasUserDataPermission(WebAuthorizationHelper.java:179) at org.jboss.web.tomcat.security.JBossWebRealm.hasUserDataPermission(JBossWebRealm.java:614) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:461) at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:90) at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:96) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:325) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:828) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:601) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447) at java.lang.Thread.run(Thread.java:595) 2008-08-26 14:30:19,080 TRACE [org.jboss.security.plugins.javaee.WebAuthorizationHelper] (http-127.0.0.1-8080-1) hasRole check failed:Authorization Failed:Denied.
As we can see, JBossAuthorizationContext doesn't grant access to the endpoint servlet. So, either we have an incomplete policy or we are inappropriately performing authorization checks on this servlet.
Please note that it seems to me the ws calls are rejected in the same way even when using the right principal/credential
You are probably right here. The tests would fail even when using the right authentication info because access to the endpoint servlet would be rejected anyway. -
8. Re: WS4EE and AS5
"richard.opalka@jboss.com" wrote:
We generate web.xml/jboss-web.xml for JBoss AS 5 Beta 4 and we generate JBossWebMetaData for JBoss AS 5 trunk.
JACC permissions are created based on the JBossWebMetaData. So I am suspecting that it seems to be some type of a timing issue that the WS processing (dynamic generation/metadata population) is happening after the Security Deployer that works on the metadata. -
9. Re: WS4EE and AS5
On the client side (testsuite), I see in the logs:
2008-09-08 10:49:39,078 ERROR [org.jboss.ws.core.jaxrpc.client.ServiceObjectFactoryJAXRPC] Cannot create service javax.naming.NamingException: Cannot unmarshall service ref meta data [Root exception is java.io.IOException: unknown protocol: vfszip] at org.jboss.ws.core.jaxrpc.client.ServiceObjectFactoryJAXRPC.getObjectInstance(ServiceObjectFactoryJAXRPC.java:120) at javax.naming.spi.NamingManager.getObjectInstance(NamingManager.java:304) at org.jnp.interfaces.NamingContext.getObjectInstance(NamingContext.java:1315) at org.jnp.interfaces.NamingContext.getObjectInstanceWrapFailure(NamingContext.java:1332) at org.jnp.interfaces.NamingContext.lookup(NamingContext.java:765) at org.jboss.naming.client.java.javaURLContextFactory$EncContextProxy.invoke(javaURLContextFactory.java:153) at $Proxy4.lookup(Unknown Source) at javax.naming.InitialContext.lookup(InitialContext.java:351) at org.jboss.test.webservice.jbws309.JBWS309TestCase.testRoleSecuredServiceAccess(JBWS309TestCase.java:173)
Is this exception a cause for concern?
UPDATE: I think this is probably important:InitialContext iniCtx = getClientContext(); Service service = (Service)iniCtx.lookup("java:comp/env/service/RoleSecured"); -
-
11. Re: WS4EE and AS5
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4175196 has the discussion on this.
This issue is resolved. -
12. Re: WS4EE and AS5
Please, can the JBossWS team take a look at what the issue is with JBossWS and JDK6?
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4175594 -
13. Re: WS4EE and AS5
See installation instructions for JDK 6 here:
http://jbws.dyndns.org/mediawiki/index.php?title=Installation -
14. Re: WS4EE and AS5
Updated instructions are:
Copy the following jars to ${JBOSS_HOME}/lib/endorsed from JBossWS-Dist/lib (since 3.0.2 version):
jaxb-api.jar
jbossws-native-jaxrpc.jar
jbossws-native-jaxws.jar
jbossws-native-jaxws-ext.jar
jbossws-native-saaj.jar
We're successfully testing JBossWS against JDK6 on regular basis.