-
1. Re: Session-based web service with JBossWS?
stevecoh4 Oct 21, 2011 2:46 PM (in response to stevecoh4)
Hmm, tough crowd. 38 people have looked at this and nobody's biting. Seems like I'm really swimming against the current here - again. I always seem to wind up doing that.
But truly, my use case is valid. I want to wrap a service as a web service so that more than hardwired clients can use it. There is a real need for session - consider the example of a phone call. It's not a bunch of discrete messages, it's a CONVERSATION. That's what I'm trying to implement.
Anyhoo...
One possible solution approach I've come up with is here:
In a partial deployment descriptor I can specify METHOD-level permissions. So, if this works, login can be protected, other methods not.
In exploring this, I soon bump up against my first problem. As soon as I create a partial deployment descriptor, before I even put anything in it, my web service which was successfully validating every method, now fails with this:
13:29:45,877 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
at org.jboss.security.auth.spi.Util.loadProperties(Util.java:198)
at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
...
It's no longer looking for jbossws-users.properties - now it's looking for users.properties.
So, at this point do I need to replace jbossws-users.properties with users.properties (realizing that all this eventually goes away when I hook a real LoginModule) or is there something else I can do?
Also, will the @PermitAll annotation conflict with the JBoss @WebContext.authMethod stuff?
Thanks.
-
2. Re: Session-based web service with JBossWS?
stevecoh4 Oct 21, 2011 3:14 PM (in response to stevecoh4)
Uh, never mind about:
It's no longer looking for jbossws-users.properties - now it's looking for users.properties.
I had left out this:
@SecurityDomain(value = "JBossWS")
All right, onward and upward with my plan. Still wondering about the deployment descriptor stuff and if anyone can think of a reason why this shouldn't work?
-
3. Re: Session-based web service with JBossWS?
stevecoh4 Oct 21, 2011 4:40 PM (in response to stevecoh4)
Hmm. Not working.
I add information to the ejb-jar.xml:
{code:xml}
<xmlnode prop="abc">
  <assembly-descriptor>
    <security-role>
      <role-name>friend</role-name>
    </security-role>
    <method-permission>
      <role-name>friend</role-name>
      <method>
        <ejb-name>MyServicePortImpl</ejb-name>
        <method-name>login</method-name>
      </method>
    </method-permission>
    <method-permission>
      <unchecked/>
      <method>
        <ejb-name>MyServicePortImpl</ejb-name>
        <method-name>foo</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</xmlnode>
{code}
But both methods are still being checked.
Perhaps I haven't named the EJB correctly? In an ejb-based web service, what is the ejb name that should be used in ejb-jar.xml?
And can someone PLEASE tell me how to avoid my pastes being turned into HTML tables?
-
4. Re: Session-based web service with JBossWS?
stevecoh4 Oct 22, 2011 12:00 PM (in response to stevecoh4)
OK, I keep learning more stuff but it's not getting me where I want to be but I feel I'm getting close.
Here
http://download.oracle.com/docs/cd/E19879-01/819-3669/bnbyw/index.html
I find that the javax.annotation.security annotations can be placed on methods as well as classes. Great, that is what I was missing. Everything compiles, it's nice and clean, no ejb-jar.xml to mess with, it deploys without a hitch. Alas, it doesn't work:
{code:java}
package org.javactivity.ws.ejb;

import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.jws.HandlerChain;
import javax.jws.WebService;
import javax.jws.soap.SOAPBinding;

import org.jboss.ejb3.annotation.SecurityDomain;
import org.jboss.wsf.spi.annotation.WebContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Stateless
@WebContext(
    contextRoot = "attrsws-ejb",
    urlPattern = "/*",
    authMethod = "BASIC",
    secureWSDLAccess = false)
@SecurityDomain(value = "JBossWS")
@WebService(
    targetNamespace = "http://org.javactivity/MyService/",
    portName = "MyServiceSOAP",
    serviceName = "MyService",
    endpointInterface = "org.javactivity.ws.ejb.MyServicePort")
@SOAPBinding(style = SOAPBinding.Style.DOCUMENT, parameterStyle = SOAPBinding.ParameterStyle.BARE)
@HandlerChain(file = "handlers.xml")
public class MyServicePortImpl implements MyServicePort {

    private static final Logger log = LoggerFactory.getLogger(MyServicePortImpl.class);

    private static int nextSession = 0;

    @Override
    @PermitAll
    public int foo(UserTypeType usertype, String username, String key) {
        nextSession++;
        log.debug("foo returning a value of {}", nextSession);
        return nextSession;
    }

    @Override
    @RolesAllowed("friend")
    public int login(UserIdentity identity) {
        nextSession++;
        log.debug("Login returning a value of {}", nextSession);
        return nextSession;
    }
}
{code}
If I supply a bad password, neither method allows access. If I supply a good password, both methods allow access. The annotations are not being recognized. Must the JBossWS security domain be configured somehow and if so how?
What ELSE must I do to get these method permissions recognized by JBoss?