7 Replies Latest reply on Sep 19, 2007 10:34 AM by richard_opalka

    Secure Webservice

      Hi!

      I am using JBoss-4.0.5.GA and have implemented a Webservice using
      annotations. The Webservice is protected by a SecurityDomain.

      To access the webservice I have looked at the examples from the jbossws samples for jbossws-1.2.1.GA and tried to follow it as much as possible. Obviously something isn't correct, since I get an Authentication Failure even though I pass the correct username and password. The client code:

      System.setProperty(Provider.JAXWSPROVIDER_PROPERTY, "org.jboss.ws.core.jaxws.spi.ProviderImpl");

      URL wsdlURL = new URL(WSDL_LOCATION);
      Service service = Service.create(wsdlURL, SERVICE_NAME);
      WebServiceEndPoint endPoint = null;

      endPoint = (WebServiceEndPoint) service.getPort(WebServiceEndPoint.class);

      BindingProvider bp = (BindingProvider) endPoint;
      bp.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "test");
      bp.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, "test");

      String result = (String) endPoint.test("Gurka");
      System.out.println("The Server response is: " + result);
      


      I am stumped. What am I doing wrong? I have pointed the JBossWS security domain to the correct database with a configuration that I know works for my EJBs.

      Is the error on the client or the server side?

        • 1. Re: Secure Webservice
          heiko.braun

          What do the endpoint bean and interface look like?

          • 2. Re: Secure Webservice

            I have tried a few different versions; the latest looks like this:

            @WebService(name = "WebServiceEndPoint", targetNamespace = "http://se.pilotfish/fairfleet/ws",
                serviceName = "WebServiceTest")
            @SOAPBinding(style = SOAPBinding.Style.RPC)
            @WebContext(contextRoot = "/service", urlPattern = "/*", authMethod = "BASIC",
                transportGuarantee = "NONE", secureWSDLAccess = false)
            @SecurityDomain("fleet-database")
            @Stateless
            public class WebServiceTestBean implements WebServiceTest {

                @WebMethod
                @WebResult(name = "result")
                public String test(@WebParam(name = "input") String input) {
                    return "WebService:" + input;
                }

            }
            


            @Remote
            public interface WebServiceTest {
            
             public String test(String input);
            
            }
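
An added example, not part of the original posts or of JBossWS: with `authMethod = "BASIC"`, the values set through `BindingProvider.USERNAME_PROPERTY` and `PASSWORD_PROPERTY` go out as an HTTP `Authorization: Basic` header, which is base64-encoded rather than encrypted, so under `transportGuarantee = "NONE"` anyone who sees the request can read them. The code below parses such a header so that a traced request can be compared with what the security domain expects. The class and method names are hypothetical, and Java 8 or later is assumed for `java.util.Base64`.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added example: inspects the HTTP Basic header produced from a user/password pair.
// Class and method names are hypothetical; sample values are constructed.
public class BasicAuthHeaderCheck {

    /** Builds the Authorization header value for a user/password pair. */
    static String encode(String user, String password) {
        byte[] raw = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    /** Returns {user, password}, or null if the value is not a well-formed Basic header. */
    static String[] decode(String headerValue) {
        if (headerValue == null) return null;
        String[] parts = headerValue.trim().split("\\s+", 2);
        // The scheme name is case-insensitive; anything other than Basic is rejected.
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Basic")) return null;
        String userPass;
        try {
            userPass = new String(Base64.getDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null; // payload is not valid base64
        }
        // Only the first colon separates the fields; the password may itself contain ':'.
        int colon = userPass.indexOf(':');
        if (colon < 0) return null;
        return new String[] { userPass.substring(0, colon), userPass.substring(colon + 1) };
    }

    public static void main(String[] args) {
        // Constructed sample: the credentials used by the client code in the first post.
        String sent = encode("test", "test");
        System.out.println("Authorization: " + sent);

        // Constructed header values, as they might be copied from a request trace.
        String[] samples = { sent, "basic " + sent.substring(6), "Basic ???", "Bearer abc", null };
        for (String s : samples) {
            String[] cred = decode(s);
            System.out.println(s + " -> " + (cred == null
                    ? "not Basic / malformed"
                    : "user=" + cred[0] + ", password length=" + cred[1].length()));
        }
    }
}
```

Setting `transportGuarantee = "CONFIDENTIAL"` in `@WebContext` requires the endpoint to be reached over TLS, so the header is no longer exposed in transit.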
            


            • 3. Re: Secure Webservice
              sgarelle

              Hi,

              I am facing exactly the same problem... So, what's the solution?

              I am using JBoss_4_2_1_GA.

              On client side, I also use the request context to set the user name and password:

               CmiEndPoint proxy = (CmiEndPoint) service.getPort(CmiEndPoint.class);
               BindingProvider bp = (BindingProvider) proxy;
               Map<String, Object> reqCtxt = bp.getRequestContext();
               reqCtxt.put(BindingProvider.USERNAME_PROPERTY, user);
               reqCtxt.put(BindingProvider.PASSWORD_PROPERTY, password);
               proxy.execCmd("Do this command");
              


              On server side, the WebService is simply declared with the "@WebService" annotation. A security-domain is defined in jboss.xml. Users are defined.

              The command failed because of an authentication failure:
              javax.xml.ws.soap.SOAPFaultException: Authentication failure

              The same user/password used for an RMI client calling directly the underlying stateless session bean works.
              The same WS client with security disabled on server works.

              • 4. Re: Secure Webservice
                rbellia

                I have the same problem with JBoss AS 4.2.1 ...

                The endpoint:

                @Stateless @WebService
                @RolesAllowed({"clerk"})
                public class CalculatorBean implements CalculatorRemote, CalculatorLocal {

                    @Resource SessionContext sessionCtx;

                    public Integer sum(Integer a, Integer b) {
                        System.out.println("who is it ? " + sessionCtx.getCallerPrincipal());
                        return a + b;
                    }

                }
                



                The client:
                 CalculatorBeanService service = new CalculatorBeanService();
                 CalculatorBean port = service.getCalculatorBeanPort();
                 BindingProvider bp = (BindingProvider) port;
                 bp.getRequestContext().put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, "http://localhost:8080/CalculatorBeanService/CalculatorBean");
                 bp.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "user1");
                 bp.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, "password1");
                
                 // TODO initialize WS operation arguments here
                 java.lang.Integer result = port.sum(4002, 450);
                 System.out.println("Result = "+result);
                


                The exception:
                javax.xml.ws.soap.SOAPFaultException: Authorization failure
                


                The security domain works fine if I use a remote EJB client.

                • 5. Re: Secure Webservice
                  thomas.diesler

                  Please start from a working sample that we distribute and tell us what modification stopped things working

                  • 6. Re: Secure Webservice

                    This was some time ago, so where I started is not a little bit foggy. But everything worked fine for me up to the point where I protected the webservice with a SecurityDomain. Sadly I cannot post the example code that I started with.

                    • 7. Re: Secure Webservice
                      richard_opalka

                      If you have turned on the SecurityDomain then you must investigate what the SecurityManager prohibits you from doing and set up the rights correctly so the JBossWS stack can work properly.