2 Replies Latest reply on Jul 29, 2007 12:27 PM by ike

    User authorization in Web Service

      How do I set up user authentication in a web service? I have something like:

      @Stateless
      @WebService(endpointInterface="com.m1.sample.core.IRoleMgrWebService")
      @SecurityDomain("mydomain")
      public class RoleMgrEjbWeb implements IRoleMgrWebService {
      ...
      @RolesAllowed("role")
      public void doSomething() {...}
      }

      The client looks like this:
      URL url = new URL("http://127.0.0.1:8080/RoleMgrEjbWebService/RoleMgrEjbWeb?wsdl");
      QName qname = new QName("http://core.sample.m1.com/", "RoleMgrEjbWebService");

      ServiceFactory factory = ServiceFactory.newInstance();
      Service service = factory.createService(url, qname);

      IRoleMgrWebService ws = (IRoleMgrWebService) service.getPort(IRoleMgrWebService.class);

      ws.doSomething();

      What should I write to pass the user's credentials? I tried something like:
      URL url = Thread.currentThread().getContextClassLoader().getResource("auth.conf");
      System.setProperty("java.security.auth.login.config", url.toString());

      javax.security.auth.login.LoginContext lh = new javax.security.auth.login.LoginContext("aloe",
      new AloeLoginHandler("ike", "1"));
      lh.login();

      But that works only if I call EJBs, not the service.

      Btw, is there any documentation about authentication and authorization in JBoss web services?

        • 1. Re: User authorization in Web Service

          Try something like the following in your client:

          ((BindingProvider)port).getRequestContext().put(Stub.USERNAME_PROPERTY, "joe");
          ((BindingProvider)port).getRequestContext().put(Stub.PASSWORD_PROPERTY, "dweeb");

          I can't recall if this only works with WS-Security ...

          No, the documentation is not particularly good :-)

          • 2. Re: User authorization in Web Service

            It causes ClassCastException (cannot cast port to BindingProvider).
            Actually, I've found another recommendation:
            ((Stub)port)._setProperty(Stub.USERNAME_PROPERTY, "joe");
            ((Stub)port)._setProperty(Stub.PASSWORD_PROPERTY, "joe");
            But it doesn't work either:
            javax.ejb.EJBAccessException: Authentication failure
            at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.handleGeneralSecurityException(Ejb3AuthenticationInterceptor.java:68)
            at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:70)
            at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.invoke(Ejb3AuthenticationInterceptor.java:106)
            at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
            at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:46)
            at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
            at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
            at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
            at org.jboss.ejb3.stateless.StatelessContainer.localInvoke(StatelessContainer.java:214)
            at org.jboss.ejb3.stateless.StatelessContainer.localInvoke(StatelessContainer.java:184)
            at org.jboss.ejb3.stateless.StatelessContainer.localInvoke(StatelessContainer.java:174)
            at org.jboss.ws.integration.jboss42.ServiceEndpointInvokerEJB3.invokeServiceEndpointInstance(ServiceEndpointInvokerEJB3.java:114)
            at org.jboss.ws.core.server.AbstractServiceEndpointInvoker.invoke(AbstractServiceEndpointInvoker.java:207)
            at org.jboss.ws.core.server.ServiceEndpoint.processRequest(ServiceEndpoint.java:212)
            at org.jboss.ws.core.server.ServiceEndpointManager.processRequest(ServiceEndpointManager.java:448)
            at org.jboss.ws.core.server.AbstractServiceEndpointServlet.doPost(AbstractServiceEndpointServlet.java:114)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
            at org.jboss.ws.core.server.AbstractServiceEndpointServlet.service(AbstractServiceEndpointServlet.java:75)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
            at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
            at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
            at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
            at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
            at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
            at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
            at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:241)
            at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
            at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:580)
            at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
            at java.lang.Thread.run(Thread.java:595)

            When I debug UserPasswordLoginModule I see that both login and password are null :(

            Are @SecurityDomain and @RolesAllowed intended for web services too, not only for EJBs?
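
In JAX-RPC and JAX-WS, the username and password properties tried above are the standard way to request HTTP Basic authentication, so when the login module sees null credentials a first check is whether an `Authorization` header reaches the server at all. The following is an added example, not code from the thread or from JBoss: a JDK-only probe (the class name `BasicAuthProbe`, the path `/probe` and the sample credentials are constructed) that reports which user, if any, a request carries.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added example: what a server sees with and without HTTP Basic credentials.
public class BasicAuthProbe {
    // Decode "Basic base64(user:password)"; null when the header is absent or malformed.
    static String[] parseBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        try {
            String pair = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                                     StandardCharsets.UTF_8);
            int colon = pair.indexOf(':');   // split on the first ':', the password may contain more
            return colon < 0 ? null : new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
        } catch (IllegalArgumentException badBase64) {
            return null;
        }
    }

    // Send an empty POST to the probe, optionally with Basic credentials; returns the HTTP status.
    static int call(URL url, String user, String password) throws Exception {
        HttpURLConnection c = (HttpURLConnection) url.openConnection();
        c.setDoOutput(true);                 // a request with a body is sent as POST, like a SOAP call
        if (user != null) {
            String token = Base64.getEncoder().encodeToString(
                (user + ":" + password).getBytes(StandardCharsets.UTF_8));
            c.setRequestProperty("Authorization", "Basic " + token);
        }
        c.getOutputStream().close();
        return c.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/probe", ex -> {
            String[] cred = parseBasic(ex.getRequestHeaders().getFirst("Authorization"));
            System.out.println(cred == null ? "no credentials received" : "user=" + cred[0]);
            ex.sendResponseHeaders(cred == null ? 401 : 200, -1);   // -1: no response body
            ex.close();
        });
        server.start();
        URL url = new URL("http://127.0.0.1:" + server.getAddress().getPort() + "/probe");
        System.out.println("status " + call(url, null, null));      // request without credentials
        System.out.println("status " + call(url, "joe", "dweeb"));  // request with Basic credentials
        server.stop(0);
    }
}
```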