7 Replies Latest reply: Apr 16, 2012 2:42 AM by Richard Opalka RSS

    JBoss not honoring @PermitAll on EJB3 Endpoint

    abhi0123 Newbie

      I have an EJB3 WebService Endpoint secured using @DeclareRoles and @RolesAllowed. It is packaged as an war, with deployment descriptors jboss-ejb3.xml and jboss-webservices.xml. When I invoke a method marked @PermitAll from the standalone client, it fails with 401 response. The method invocation is successful when credentials are provided. Problem is, credentials should not be required for a method marked @PermitAll.

       

      I have intentionally omitted the handler code for brevity. If someone wants to see, I'll provide in a follow up post.

       

      TimeService.java


      @Stateless
      @WebService(name = "Time", serviceName = "TimeService", portName = "TimeServicePort")
      @HandlerChain(file = "handler-chain.xml")
      @DeclareRoles({ "AppUser" })
      public class TimeService {
      
        @WebMethod
        @PermitAll
                public Time getCurrentTime() {
                          return new Time();
                }
      
        /* HttpBasicAuthenticationHandler authenticates this request */
        @WebMethod
                public Time getCurrentTimeAfterHttpBasicAuthentication() {
                          return getCurrentTime();
                }
      
        @WebMethod
        @RolesAllowed("AppUser")
                public Time getCurrentTimeAfterDeclarativeRoleBasedAuthorization() {
                          return getCurrentTime();
                }
      }
      

       

       

       

      handler-chain.xml (located in the same directory as the WebService Endpoint above)

       

      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      <javaee:handler-chains xmlns:javaee="http://java.sun.com/xml/ns/javaee"
        xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <javaee:handler-chain>
        <javaee:handler>
                                    <javaee:handler-class>edu.certification.abhijitsarkar.ocewsd.jaxws.utility.handler.SOAPRequestHandler
        </javaee:handler-class>
        </javaee:handler>
        <javaee:handler>
                                    <javaee:handler-class>edu.certification.abhijitsarkar.ocewsd.jaxws.ejb.webservice.handler.HttpBasicAuthenticationHandler
        </javaee:handler-class>
        </javaee:handler>
        <javaee:handler>
                                    <javaee:handler-class>edu.certification.abhijitsarkar.ocewsd.jaxws.ejb.webservice.handler.ProgrammaticAuthenticationHandler
        </javaee:handler-class>
        </javaee:handler>
        </javaee:handler-chain>
      </javaee:handler-chains>
      

       

       

      jboss-ejb3.xml

       

      <?xml version="1.1" encoding="UTF-8"?>
      <jboss:ejb-jar xmlns:jboss="http://www.jboss.com/xml/ns/javaee"
        xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:c="urn:clustering:1.0"
        xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee http://www.jboss.org/j2ee/schema/jboss-ejb3-2_0.xsd http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_1.xsd"
        version="3.1" impl-version="2.0">
        <assembly-descriptor xmlns="http://java.sun.com/xml/ns/javaee">
        <security:security xmlns:security="urn:security">
        <!-- domain name set up in JBoss $JBOSS_HOME/standalone/configuration/standalone.xml -->
        <security:security-domain>other</security:security-domain>
        <ejb-name>TimeService</ejb-name>
        </security:security>
        </assembly-descriptor>
      </jboss:ejb-jar>
      

       

       

      jboss-webservices.xml

       

      <webservices xmlns="http://www.jboss.com/xml/ns/javaee"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.0"
        xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee http://www.jboss.org/j2ee/schema/jboss_webservices_1_0.xsd">
        <context-root>/jaxws-ejb-1.0</context-root>
        <port-component>
        <ejb-name>TimeService</ejb-name>
        <port-component-uri>/TimeService</port-component-uri>
        <auth-method>BASIC</auth-method>
        <transport-guarantee>NONE</transport-guarantee>
        <secure-wsdl-access>false</secure-wsdl-access>
        </port-component>
      </webservices>
      

       

       

      Client.java

       

      public class Client {
      
                public Time_Type getCurrentTime(String soapAction) {
                          Time time = getPort();
                          BindingProvider bp = (BindingProvider) time;
                          // commenting out the credentials throws following error
                              // bp.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "user");
                          // bp.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, "password");
                          setSoapAction(soapAction, bp);
                          return time.getCurrentTime();
                }
      }
      

       

       

      Stacktrace

       

      com.sun.xml.ws.client.ClientTransportException: The server sent HTTP status code 401: Unauthorized
                at com.sun.xml.ws.transport.http.client.HttpTransportPipe.checkStatusCode(HttpTransportPipe.java:321)
                at com.sun.xml.ws.transport.http.client.HttpTransportPipe.createResponsePacket(HttpTransportPipe.java:270)
                at com.sun.xml.ws.transport.http.client.HttpTransportPipe.process(HttpTransportPipe.java:228)
                at com.sun.xml.ws.transport.http.client.HttpTransportPipe.processRequest(HttpTransportPipe.java:143)
                at com.sun.xml.ws.transport.DeferredTransportPipe.processRequest(DeferredTransportPipe.java:110)
                at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:961)
                at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:910)
                at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:873)
                at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:775)
                at com.sun.xml.ws.client.Stub.process(Stub.java:429)
                at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:168)
                at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:119)
                at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:102)
                at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:151)
                at $Proxy30.getCurrentTime(Unknown Source)
                at edu.certification.abhijitsarkar.ocewsd.jaxws.ejb.webservice.client.Client.getCurrentTime(Client.java:29)
                at edu.certification.abhijitsarkar.ocewsd.jaxws.ejb.webservice.client.ClientTest.testGetCurrentTime(ClientTest.java:17)
                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                at java.lang.reflect.Method.invoke(Method.java:597)
                at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:45)
                at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:15)
                at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:42)
                at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:20)
                at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:263)
                at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:68)
                at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:47)
                at org.junit.runners.ParentRunner$3.run(ParentRunner.java:231)
                at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:60)
                at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:229)
                at org.junit.runners.ParentRunner.access$000(ParentRunner.java:50)
                at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:222)
                at org.junit.runners.ParentRunner.run(ParentRunner.java:300)
                at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:50)
                at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
                at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:467)
                at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:683)
                at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:390)
                at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:197)
      

       

       

      application-users.properties

       

      Abhijit$ tail -5 application-users.properties

      1. is for illustration only and does not correspond to a usable password.

      #

      #admin=2a0923285184943425d1f53ddd58ec7a

      user=8544a03c79aee5b1c99458d83ee0f9e0

      guest=1bb6b7c18b5c1dab17f5141fa398905a

       

       

       

      application-roles.properties

       

      Abhijit$ tail -5 application-roles.properties

      #

      #admin=PowerUser,BillingAdmin,

      #guest=guest

      user=AppUser

      guest=AppGuest