10 Replies Latest reply on Jan 24, 2012 7:43 PM by noelo

    ESB Web Service Authentication

    while_true

      Hello everyone,

       

      I've created a JBoss ESB web service and I'm able to invoke it through SOAP UI without any trouble.

      So I've advanced to the next step: adding authentication to the web service.

       

      In the login-config.xml file I've added the following:

       

      <application-policy name="itstesb">
        <authentication>
          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
            <module-option name="usersProperties">esb-users.properties</module-option>
            <module-option name="rolesProperties">esb-roles.properties</module-option>
          </login-module>
        </authentication>
      </application-policy>
      

       

      And in the jbossesb.xml file I've added the security component to the service in question:

       

      <service category="DummyCategory"
         description="Dummy WS speaks natively to the ESB" name="DummyWs">
         <security moduleName="itstesb" rolesAllowed="JBossAdmin" runAs="JBossAdmin">
          <property name="org.jboss.soa.esb.services.security.contextTimeout" value="10000"/>
         </security>
         <listeners>
          ...
         </listeners>
         <actions>
          ...
         </actions>
        </service>
      

       

      In the <JBOSS_HOME>/server/default/conf/props directory I've created the two properties files: esb-users.properties and esb-roles.properties.

       

      esb-users.properties

       

      kermit=thefrog
      

       

      esb-roles.properties

       

      kermit=JBossAdmin
      

       

      After I built and deployed the application, I invoked the web service through SOAP UI without filling in the authentication headers and, to my surprise, it went well...

      Since I didn't fill in the authentication headers, wasn't some kind of error supposed to occur? What am I missing here?

       

      Can you please enlighten me?

       

      Grateful for your attention.

       

      Best regards

        • 1. Re: ESB Web Service Authentication
          noelo

          I think you're missing the props directory path from the filenames. Change

          <application-policy name="itstesb">
            <authentication>
              <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
                <module-option name="usersProperties">esb-users.properties</module-option>
                <module-option name="rolesProperties">esb-roles.properties</module-option>
              </login-module>
            </authentication>
          </application-policy>

          to

          <application-policy name="itstesb">
            <authentication>
              <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
                <module-option name="usersProperties">props/esb-users.properties</module-option>
                <module-option name="rolesProperties">props/esb-roles.properties</module-option>
              </login-module>
            </authentication>
          </application-policy>


          • 2. Re: ESB Web Service Authentication
            while_true

            Hey Noel,

             

            First of all thanks for the reply!

             

            I tried your suggestion and I'm still able to access the web service... It seems like JBoss ESB isn't taking the authentication configs into account!

            • 3. Re: ESB Web Service Authentication
              noelo

              Take a look at the security_basic quickstart and modify it to use your application policy.

              This should indicate if the issue is with the app policy or the client code.

               

              I just tried it here and it worked OK, throwing an exception if the auth headers were not present.

              • 4. Re: ESB Web Service Authentication
                while_true

                Noel,

                 

                I tried the security_basic quickstart example and, in fact, it does work!

                The thing is that when I run the same example but, instead of using the security_basic actions, use a web service and invoke it through SOAP UI, it doesn't make any validations...

                 

                Do I need to put any annotations into my web service? I really don't know what is missing here... Can I get a little help?

                 

                Grateful for your attention.

                 

                Best regards.

                • 5. Re: ESB Web Service Authentication
                  noelo

                  Hi Antonio,

                  Can you attach your ESB project and I'll try it here on my machine? Have you confirmed that SOAP UI is not passing any credentials?

                   

                  cheers

                  Noel

                  • 6. Re: ESB Web Service Authentication
                    while_true

                    Hey Noel,

                     

                    You can find the project attached. I've just modified the security_basic quickstart to receive my web service, therefore you just need to paste the folder into the ESB default security_basic and deploy it into the JBoss server.

                     

                    Grateful for your help and attention.

                     

                    Best regards.

                    • 7. Re: ESB Web Service Authentication
                      noelo

                      Hi Antonio,

                      I finally got around to looking into this and it seems that there is an issue here.

                      It seems to come down to how the WAR is deployed. If it's in the ESB project then the request for credentials is ignored. However, if the war is deployed separately from the ESB project then the security check is performed and only when the credentials are presented does the request succeed.

                       

                      Can you raise a jira on this so it can be looked into?

                       

                      regards

                      Noel

                      1 of 1 people found this helpful
                      • 8. Re: ESB Web Service Authentication
                        while_true

                        Hey Noel,

                         

                        Thank you so much for your feedback! I've raised the jira issue (JBESB-3718) as you suggested and now I just have to wait until they (hopefully) fix it!

                         

                        Best regards!

                        • 9. Re: ESB Web Service Authentication
                          while_true

                          Hey Noel,

                           

                          After lots of attempts, I finally got it!

                           

                          In a certain way it had to do with what you've said about the WAR, but not the way it is deployed. The thing is that if there's a war/resources/WEB-INF folder with both web.xml and jboss-web.xml, the ESB will not take into account any credentials! Why? I don't know!

                           

                          So, instead of having a war/resources/WEB-INF folder with the respective XML endpoint configuration files alongside my web services, I've adopted the solution of treating all my web services as if they were EJBs.

                           

                          Thank you for all your time! I really appreciate it!

                           

                          Best regards,

                           

                          António
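A project-level check for the condition reported in reply 9, as an added example that is not code from either poster or from JBoss ESB. It assumes the layout named in the thread (a `jbossesb.xml` descriptor and a `war/resources/WEB-INF` folder); the function names and the sample descriptor are constructed for illustration, and a hit means only that the reported combination is present, so the service should still be called without credentials to confirm.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Assumptions taken from the thread: descriptor name and WEB-INF location.
WEB_INF = Path("war/resources/WEB-INF")
WEB_DESCRIPTORS = ("web.xml", "jboss-web.xml")

# Constructed sample descriptor mirroring the service posted in the thread.
SAMPLE_ESB = """<jbossesb><services>
  <service category="DummyCategory" name="DummyWs">
    <security moduleName="itstesb" rolesAllowed="JBossAdmin" runAs="JBossAdmin"/>
  </service>
  <service category="DummyCategory" name="OpenWs"/>
</services></jbossesb>"""

def local(tag):
    """Drop any XML namespace so matching works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def secured_services(esb_xml):
    """Map service name -> moduleName for services with a <security> child."""
    found = {}
    for elem in ET.parse(esb_xml).iter():
        if local(elem.tag) == "service":
            for child in elem:
                if local(child.tag) == "security":
                    found[elem.get("name")] = child.get("moduleName")
    return found

def audit(project_dir, descriptor="jbossesb.xml"):
    """Return secured services in a project that also ships both web descriptors."""
    project = Path(project_dir)
    if not all((project / WEB_INF / d).is_file() for d in WEB_DESCRIPTORS):
        return {}
    at_risk = {}
    for esb_xml in project.rglob(descriptor):
        at_risk.update(secured_services(esb_xml))
    return at_risk

def build_sample(root, with_web_descriptors):
    """Write the constructed sample project under root and return its path."""
    root = Path(root)
    (root / "jbossesb.xml").write_text(SAMPLE_ESB)
    if with_web_descriptors:
        (root / WEB_INF).mkdir(parents=True)
        for name in WEB_DESCRIPTORS:
            (root / WEB_INF / name).write_text("<web-app/>")
    return root
```

Running `audit()` over each ESB project in a build flags services whose `<security>` element should be verified with an unauthenticated request before release.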

                          • 10. Re: ESB Web Service Authentication
                            noelo

                            That's good news, could you add a comment to the JIRA explaining the workaround or suggesting it be closed if it's a non-issue now?

                             

                            cheers

                            Noel