5 Replies Latest reply on Oct 25, 2007 4:54 AM by ejb3workshop

UsernameToken and Basic Auth

jgilbert Nov 21, 2006 1:18 PM

I have succesfully setup a webservice to use BASIC auth:

@PortComponent(authMethod = "BASIC")

And I have sucessfully setup a webservice to use UsernameToken:

<config>
 <username/>
 </config>

But I can not get both to work together. Does this same like a reasonable requirement? It is a little redundant, but it looks like the only way to get complete security. Because just using UsernameToken doesn't look like it invokes a JAAS login module on the server side. It just sets up the SecurityAssociation.

I'll create an issue in jira if anyone thinks this is a bug.

1. Re: UsernameToken and Basic Auth

ejb3workshop Oct 24, 2007 11:00 AM (in response to jgilbert)

Could you please explain how you set up Username Token Authentication. In which file does this XML go ?
Actions
2. Re: UsernameToken and Basic Auth

jgilbert Oct 24, 2007 5:39 PM (in response to jgilbert)

jboss-wsse-server.xml
Actions
3. Re: UsernameToken and Basic Auth

asoldano Oct 25, 2007 3:38 AM (in response to jgilbert)

http://jbws.dyndns.org/mediawiki/index.php?title=JAX-WS_User_Guide#Server_side_WSSE_declaration_.28jboss-wsse-server.xml.29
Actions

4. Re: UsernameToken and Basic Auth

ejb3workshop Oct 25, 2007 4:44 AM (in response to jgilbert)

Thanks this worked. Added the xml file below to my EJB3 jar file resolved my problem.

<?xml version="1.0" encoding="UTF-8"?>
<jboss-ws-security xmlns="http://www.jboss.com/ws-security/config"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
 <config>
 <username/>
 </config>
</jboss-ws-security>

5. Re: UsernameToken and Basic Auth

ejb3workshop Oct 25, 2007 4:54 AM (in response to jgilbert)
I have specified the loginModule to use via @SecurityDomain(value="THZone") in my bean. I have also configured the login module in login-config.xml as shown below. I am not able to log in and authenticate, but the roles are not passed through. Where can I configure how the roles are obtained.

@RolesAllowed("friends")

or

System.out.println("Principal is a friend :"+context.isUserInRole("friends"));

Currently don't seem to work. I also tried to implement my own login module return my own implementations of Principal and had the same problem as using the org.jboss.security.auth.spi.UsersRolesLoginModule on. The results are that the principal is passed through and accessible through the context, but the roles are not.
Actions

Go to original post