5 Replies Latest reply on Oct 11, 2006 6:40 PM by thomas.diesler

    WS 181 and my own security module - call problems

    zbigi

      Hi,
      I run my simple 181 (deployed as JAR file) WS on 4.0.4.GA.

      package com.amadeus.adp.aproach.websrvc.access.internal;

      import java.rmi.RemoteException;
      import javax.ejb.Stateless;
      import javax.jws.WebMethod;
      import javax.jws.WebService;
      import javax.jws.soap.SOAPBinding;

      //import org.jboss.annotation.security.SecurityDomain;
      import org.jboss.ws.annotation.PortComponent;

      @WebService(
          name = "AproachAmadeus",
          serviceName = "AproachAmadeusService",
          targetNamespace = "urn:com.amadeus.aproachws"
      )
      @SOAPBinding(style = SOAPBinding.Style.RPC)
      @Stateless
      //@SecurityDomain("aproach_security")
      public class AproachAmadeusWS implements AproachAmadeus
      {
          @WebMethod
          public String getName() throws RemoteException {
              return "My name is: " + this.getClass().getName();
          }
      }
      


      I can run my client using stubs (dynamic call works as well)

      private static boolean stubsCall()
      {
          URL url = null;
          try {
              url = new URL(TARGET_ENDPOINT_ADDRESS + "?wsdl");
          } catch (MalformedURLException e) {
              e.printStackTrace();
              return false;
          }

          QName qname = new QName(TARGET_NAMESPACE, SERVICE_NAME);
          ServiceFactory factory;
          try {
              factory = ServiceFactory.newInstance();
              Service service = factory.createService(url, qname);

              Stub stub = (Stub) service.getPort(AproachAmadeus.class);
              stub._setProperty(Stub.USERNAME_PROPERTY, "myuser");
              stub._setProperty(Stub.PASSWORD_PROPERTY, "mypass");

              logger.info("USERNAME: " + stub._getProperty(Stub.USERNAME_PROPERTY));
              logger.info("PASSWORD: " + stub._getProperty(Stub.PASSWORD_PROPERTY));

              AproachAmadeus aproach = (AproachAmadeus) stub;
              logger.info(" RESULT: " + aproach.getName());

          } catch (ServiceException e) {
              e.printStackTrace();
              return false;
          } catch (RemoteException e) {
              e.printStackTrace();
              return false;
          }
          logger.debug("stubsCall FINISHED");
          return true;
      }
      


      This works very well when no SecurityDomain is defined.

      However when I uncomment @SecurityDomain("aproach_security")
      I cannot call my service anymore.

      My own login module is properly defined (other WEB applications use it) in login-config.xml.
      On the server side I can see my own login module is called, but it doesn't receive the username and password at all.

      Did you have similar problems?
      JBossWS Tutorial shows how to setup security using SSL, but I need my own login module to authenticate users in more sophisticated way.

      And yet another question: how do I call my service dynamically with a username and password specified?
      AXIS Call object has routines for setting those parameters...

      Please comment.
      Zbigniew

        • 1. Re: WS 181 and my own security module - call problems
          georgesberscheid

          Hi,

          I have a situation similar to the one described above.

          @Stateless
          @Remote(Test.class)
          @WebService
          @SOAPBinding(style = SOAPBinding.Style.RPC)
          @SecurityDomain("java:/jaas/MyDomain")
          public class TestService implements Test {

              @WebMethod
              public String test() {
                  return "test";
              }
          }
          


          I'm trying to protect my 181 SLSB WS by HTTP BASIC authentication but using my custom login module.
          If I use the @SecurityDomain("MyDomain") annotation with MyDomain as defined in login-config.xml, each client call to any of the @WebMethod methods causes the following exception:
          16:01:07,478 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
          java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
           at org.jboss.security.auth.spi.Util.loadProperties(Util.java:313)
           at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
          


          However, the MyDomain configuration does not include a reference to the UsersRolesLoginModule. Also, the login() method in MyLoginModule (as defined in MyDomain in login-config.xml) is never called.
          So I feel like it's not actually using MyDomain as security domain, but something else instead (JBossWS)?

          Any ideas?
          Thanks,

          Georges

          • 2. Re: WS 181 and my own security module - call problems
            thomas.diesler
            • 3. Re: WS 181 and my own security module - call problems
              georgesberscheid

              The feature request says that @SecurityDomain is already supported for EJB endpoints. In the example above I am using an EJB endpoint, but it's still not using the right security domain.
              What would be a work-around? Using a deployment descriptor?

              • 4. Re: WS 181 and my own security module - call problems
                cboatwright

                The only way I got this to work is to package my own WAR with a web.xml and jboss-web.xml with the correct security nodes in each. The auto-generated WAR that JBossWS created for EJB3 endpoints doesn't seem to create anything other than the servlet and servlet-mapping nodes in the web.xml file. You need to also have the security-constraint, login-config, and [I think] security-role nodes in the web.xml file too. When I created my own (basically empty) WAR with that information, my EJB3 endpoints had the Principal object and handled role checking (via the @RolesAllowed annotation). Perhaps something along these lines will solve your problem.

                I haven't reported this as a bug because I'm new to JBossWS and hope that someone tells me the correct annotation to use in order for the generated WAR file that JBossWS creates to have all the security nodes as well.
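
The two descriptors the reply above describes, as an added example that is not part of the original thread or of JBossWS. The domain name MyDomain and the role friend are borrowed from the other posts; the url-pattern, the realm name and the CONFIDENTIAL transport guarantee are assumptions to adapt.

```xml
<!-- WEB-INF/web.xml (Servlet 2.4 descriptor) -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <!-- Which URLs are protected and which role may call them.
       The url-pattern is an assumption; match it to the endpoint's path. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>WS endpoints</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>friend</role-name>
    </auth-constraint>
    <!-- BASIC sends the password base64-encoded, not encrypted, so
         require TLS. Assumes an HTTPS connector is configured. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>MyDomain</realm-name>
  </login-config>

  <security-role>
    <role-name>friend</role-name>
  </security-role>
</web-app>

<!-- WEB-INF/jboss-web.xml -->
<jboss-web>
  <!-- Must match the application-policy name in login-config.xml -->
  <security-domain>java:/jaas/MyDomain</security-domain>
</jboss-web>
```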

                • 5. Re: WS 181 and my own security module - call problems
                  thomas.diesler

                  The samples use an ejb endpoint like this

                  // standard JSR181 annotations
                  @WebService(name = "EndpointInterface", targetNamespace = "http://org.jboss.ws/samples/jsr181ejb", serviceName = "TestService")
                  @SOAPBinding(style = SOAPBinding.Style.RPC)

                  // standard EJB3 annotations
                  @Remote(EJB3RemoteInterface.class)
                  @RolesAllowed("friend")
                  @Stateless

                  // jboss proprietary annotations
                  @RemoteBinding(jndiBinding = "/ejb3/EJB3EndpointInterface")
                  @PortComponent(authMethod="BASIC", transportGuarantee="NONE", configName="Standard WSSecurity Endpoint")
                  @SecurityDomain("JBossWS")
                  public class EJB3Bean01 implements EJB3RemoteInterface
                  {
                      @WebMethod
                      public String echo(String input)
                      {
                          return input;
                      }
                  }
                  


                  Is this not equivalent to your use case?