1. Re: JSR-181 POJO and JAAS
fheldt Jun 7, 2006 5:30 AM (in response to juergen.zimmermann)
I'm running into the same problem at the moment. I put an extra @PortComponent annotation on the Sessionbean, but that doesn't fix it either.

    @Stateless
    @WebService(name = "MyService", serviceName = "MyService")
    @SOAPBinding(style = SOAPBinding.Style.RPC, use = SOAPBinding.Use.LITERAL)
    @PortComponent(authMethod = "BASIC")
    @SecurityDomain("myRealm")
    @RolesAllowed({"Admin", "Operator", "User"})
    public class WebServiceEJB implements WebServiceIf { ... }

Any hints would be nice :-)
JSR181 rulez !!!
2. Re: JSR-181 POJO and JAAS
thomas.diesler Jun 7, 2006 11:03 AM (in response to juergen.zimmermann)
@PortComponent only applies to EJB endpoints.
You secure a JSR181 JSE endpoint like any other jboss webapp in web.xml & jboss-web.xml
3. Re: JSR-181 POJO and JAAS
juergen.zimmermann Jun 8, 2006 1:07 AM (in response to juergen.zimmermann)
Thomas, are you saying that the methods of a JSR-181 POJO can be restricted in the same way as a SessionBean, e.g. using @SecurityDomain and @RolesAllowed?
My problem is that a JSR-181 POJO invokes a SessionBean being restricted with @RolesAllowed. Basically I'm doing the following in my JSR-181 POJO:

    HskaCallbackHandler handler = new HskaCallbackHandler(username, password.toCharArray());
    loginCtx = new LoginContext(loginCtxName, handler);
    loginCtx.login();
    Set<Principal> principals = loginCtx.getSubject().getPrincipals();
    for (Principal p : principals) {
        log.info("PRINCIPAL: " + p);
    }
    sb.deleteKundeById(id); // invoke the restricted method of a session bean

The log file shows:

    PRINCIPAL: Roles(members:mitarbeiter,admin)

However, when I invoke the restricted SessionBean's method I get this exception:

    Insufficient permissions, principal=null, requiredRoles=[admin], principalRoles=[]
4. Re: JSR-181 POJO and JAAS
fheldt Jun 8, 2006 4:54 AM (in response to juergen.zimmermann)
Thomas, thanks for your reply, I didn't know that fact.
But: my sample is an EJB Endpoint, so the question remains: Why does it not work?
5. Re: JSR-181 POJO and JAAS
juergen.zimmermann Jun 8, 2006 6:54 AM (in response to juergen.zimmermann)
Pls. open a separate thread for your issue. I don't see any advantage in mixing EJB endpoints with POJO endpoints.
6. Re: JSR-181 POJO and JAAS
thomas.diesler Jun 12, 2006 12:37 AM (in response to juergen.zimmermann)
fheldt: This is fixed in jbossws-1.0.1
Juergen:
> Thomas, are you saying that the methods of a JSR-181 POJO can be restricted in the same way as a SessionBean, e.g. using @SecurityDomain and @RolesAllowed?
No, I am saying you add security to your web.xml and specify the security domain in jboss-web.xml