11 Replies Latest reply on Nov 30, 2014 10:22 PM by jaikiran

    How to disable authentication for JAX-WS web service

    richyclarke

      Hi,

      I am building a JSF2.2 application running on wildfly 8.1 and is configured to use JAAS security.

      The application also uses ejb entity beans and  Hibernate JPA.

       

      My security configuration is all working fine until I add the webservices module in Standalone XML.

       

      I have defined my login module (a custom SaltedDatabaseServerLoginModule) which authenticates against my MySQL database.

      My Security domain is configured in standalone.xml like so;

       

      
      <security-domain name="searchpointRealm">
                          <authentication>
                              <login-module code="de.rtner.security.auth.spi.SaltedDatabaseServerLoginModule" flag="required" module="de.rtner.security">
                                  <module-option name="dsJndiName" value="java:jboss/datasources/searchpointDS"/>
                                  <module-option name="principalsQuery" value="select hashedpassword from users where username = ?"/>
                                  <module-option name="rolesQuery" value="select r.name,'Roles' from role r, userrole ur, users u where u.username=? and u.userid = ur.userid and ur.roleid = r.roleid"/>
                                  <module-option name="hmacAlgorithm" value="HMacSHA256"/>
                                  <module-option name="formatter" value="de.rtner.security.auth.spi.PBKDF2HexFormatter"/>
                                  <module-option name="engine" value="de.rtner.security.auth.spi.PBKDF2Engine"/>
                                  <module-option name="engine-parameters" value="de.rtner.security.auth.spi.PBKDF2Parameters"/>
                                  <module-option name="unauthenticatedIdentity" value="guest"/>
                              </login-module>
                          </authentication>
                      </security-domain>
      
      
      

       

      ...and specified in jboss-web.xml.

       

      
      <jboss-web>
        <context-root>/searchpoint</context-root>
        <security-
      domain>java:/jaas/searchpointRealm</security-domain>
      </jboss-web>
      
      

       

      Finally my login-config, security roles and security constraints are all defined in web.xml

       

      
      <security-constraint>
              <display-name>Lifecycle Security Constraint</display-name>
              <web-resource-collection>
                  <web-resource-name>Lifecycle Area</web-resource-name>
                  <url-pattern>/application/lifecycle/*</url-pattern>
                  <http-method>DELETE</http-method>
                  <http-method>GET</http-method>
                  <http-method>POST</http-method>
                  <http-method>PUT</http-method>
              </web-resource-collection>
              <auth-constraint>
                  <role-name>customer</role-name>
                  <role-name>superuser</role-name>
              </auth-constraint>
              <user-data-constraint>
                  <transport-guarantee>NONE</transport-guarantee>
              </user-data-constraint>
          </security-constraint>
      
          <security-constraint>
              <display-name>Supplier Security Constraint</display-name>
              <web-resource-collection>
                  <web-resource-name>Supplier Area</web-resource-name>
                  <url-pattern>/application/supplier/*</url-pattern>
                  <http-method>DELETE</http-method>
                  <http-method>GET</http-method>
                  <http-method>POST</http-method>
                  <http-method>PUT</http-method>
              </web-resource-collection>
              <auth-constraint>
                  <role-name>supplier</role-name>
                  <role-name>superuser</role-name>
              </auth-constraint>
              <user-data-constraint>
                  <transport-guarantee>NONE</transport-guarantee>
              </user-data-constraint>
          </security-constraint>
      
          <security-constraint>
              <display-name>Customer Security Constraint</display-name>
              <web-resource-collection>
                  <web-resource-name>Customer Area</web-resource-name>
                  <url-pattern>/application/admin/*</url-pattern>
                  <http-method>DELETE</http-method>
                  <http-method>GET</http-method>
                  <http-method>POST</http-method>
                  <http-method>PUT</http-method>
              </web-resource-collection>
              <auth-constraint>
                  <role-name>customer</role-name>
                  <role-name>superuser</role-name>
              </auth-constraint>
              <user-data-constraint>
                  <transport-guarantee>NONE</transport-guarantee>
              </user-data-constraint>
          </security-constraint>
      
          <security-constraint>
              <display-name>Superuser Security Constraint</display-name>
              <web-resource-collection>
                  <web-resource-name>Superuser Area</web-resource-name>
                  <url-pattern>/application/superuser/*</url-pattern>
                  <http-method>DELETE</http-method>
                  <http-method>GET</http-method>
                  <http-method>POST</http-method>
                  <http-method>PUT</http-method>
              </web-resource-collection>
              <auth-constraint>
                  <role-name>superuser</role-name>
              </auth-constraint>
              <user-data-constraint>
                  <transport-guarantee>NONE</transport-guarantee>
              </user-data-constraint>
          </security-constraint>
      
          <login-config>
              <auth-method>FORM</auth-method>
              <realm-name>searchpointRealm</realm-name>
              <form-login-config>
                  <form-login-page>/loginPage.xhtml</form-login-page>
                  <form-error-page>/errorpages/error.xhtml</form-error-page>
              </form-login-config>
          </login-config>
      
          <security-role>
              <description> A Customer user </description>
              <role-name>customer</role-name>
          </security-role>
          <security-role>
              <description> A Customer user </description>
              <role-name>supplier</role-name>
          </security-role>
          <security-role>
              <description> A Superuser user </description>
              <role-name>superuser</role-name>
          </security-role>
      
          <security-role>
              <description> A Superuser user </description>
              <role-name>accounts</role-name>
          </security-role>
      
      

       

      All of this is fairly standard JAAS configuration and works well my web based logins.

       

      I now want to add a JAX-WS web service but do not want to use any form of authentication on the web service.

      The Web service method calls some common methods used by the JSF web pages which use Hibernate lazy loading.

      I have therefore annotated the web service with @Stateless. Without this I suffer from Lazy-loading exceptions as there is no session.

       

      
      @WebService(serviceName = "Quote", portName = "QuoteSoap", targetNamespace = "http://www.searchpoint.co.uk/v1/QuoteSend")
      @Stateless
      @SecurityDomain("searchpointRealm")
      @WebContext(contextRoot = "/searchpoint", urlPattern = "/Quote")
      public class Quote {
      .....
      @WebMethod(operationName = "RequestQuote")
          public String requestQuote(@WebParam(name = "xml") String xml) {
                .....
           // methods in here that require a hibernate session to prevent lazy loading exceptions
           // These methods call some common methods used by other JSF web pages.
           }
      }
      
      
      

       

      The problem is that when I enable the web services module in standalone.xml, and try to use the @Stateless annotation on my webservice, my previously configured security configuration is not used.

       

      Without the webservices module enabled, or without the @Stateless annotation, the JAAS login works perfectly well, but adding the webservices module (even a completely empty one) and using the @Stateless annotation on my web service class, the security domain configuration is ignored and the RemotingLoginModule and the RealmDirectLoginModules are used instead (see below), so I can no longer login.

       

      I have used trace logging on org.jboss.security and can see that the configured SaltedDatabaseServerLoginModule is not being used...

       

      With the webservices module active, the trace log shows the following login modules;

       

      
      [0]
      LoginModule Class: org.jboss.as.security.remoting.RemotingLoginModule
      ControlFlag: LoginModuleControlFlag: optional
      Options:
      name=password-stacking, value=useFirstPass
      [1]
      LoginModule Class: org.jboss.as.security.RealmDirectLoginModule
      ControlFlag: LoginModuleControlFlag: required
      Options:
      name=password-stacking, value=useFirstPass
      
      

       

      Without the webservices module enabled, the trace log shows the correct SaltedDatabaseServerLoginModule;

       

      
      [0]
      LoginModule Class: de.rtner.security.auth.spi.SaltedDatabaseServerLoginModule
      ControlFlag: LoginModuleControlFlag: required
      Options:
      name=formatter, value=de.rtner.security.auth.spi.PBKDF2HexFormatter
      name=engine-parameters, value=de.rtner.security.auth.spi.PBKDF2Parameters
      name=engine, value=de.rtner.security.auth.spi.PBKDF2Engine
      name=principalsQuery, value=select hashedpassword from users where username = ?
      name=hmacAlgorithm, value=HMacSHA256
      name=dsJndiName, value=java:jboss/datasources/searchpointDS
      name=rolesQuery, value=select r.name,'Roles' from role r, userrole ur, users u where u.username=? and u.userid = ur.userid and ur.roleid = r.roleid
      
      

       

      I can workaround this by adding the security domain  the annotation @SecurityDomain("searchpointRealm") to the web service, to force it to use the same security domain as the rest of my application, but this is not what I want. I want to be able to call this web service without authentication.

       

      Can anybody help with this please?

      Thanks

      Rich

       

      Message was edited by: Richard Clarke

        • 1. Re: How to disable authentication for JAX-WS web service
          jaikiran

          What exactly do you mean by webservice module enabled? Do you mean the webservice subsystem in the standalone*.xml/domain*.xml file?

          1 of 1 people found this helpful
          • 2. Re: Re: How to disable authentication for JAX-WS web service
            richyclarke

            Jaikiran,

            Firstly, thanks for responding, I am still struggling with this.

             

            Yes, when I say webservice module enabled, I mean when I add the following to standalone.xml;

             

            In the extensions section...

             

            <extension module="org.jboss.as.webservices"/>
            
            
            

             

            And in the 'profile' section...

             

            <subsystem xmlns="urn:jboss:domain:webservices:1.2">
                        <modify-wsdl-address>true</modify-wsdl-address>
                        <wsdl-host>www.searchpoint.co.uk</wsdl-host>
                        <wsdl-port>80</wsdl-port>
                        <endpoint-config name="Standard-Endpoint-Config"/>
                        <endpoint-config name="Recording-Endpoint-Config">
                            <pre-handler-chain name="recording-handlers" protocol-bindings="##SOAP11_HTTP ##SOAP11_HTTP_MTOM ##SOAP12_HTTP ##SOAP12_HTTP_MTOM">
                                <handler name="RecordingHandler" class="org.jboss.ws.common.invocation.RecordingServerHandler"/>
                            </pre-handler-chain>
                        </endpoint-config>
                        <client-config name="Standard-Client-Config"/>
                    </subsystem>
            
            
            

             

            When I add these sections, the normal web login I have specified in the security domain section is ignored. Without these 2 entries, the web login process works as I expect it to, but if I add these sections, the login module I specify (SaltedDatabaseServerLoginModule) is not being used.

            Everything above works as expected if I remove the @Stateless annotation on my web service, but I need this as I am using Hibernate and am suffering from lazy initialization exceptions due to there being no Hibernate Session without the @Stateless annotation.

             

            As I mentioned, if I specify the the security domain for the web service with the annotation @SecurityDomain("searchpointRealm"), then the correct login module is used for both the web service and normal web page logins and works perfectly, but this is not what I need.

            Without this annotation, the web service is unauthenticated (which is what I need), but the web logins then seem to invoke the RemotingLoginModule and/or the RealmDirectLoginModule.

             

            I have also tried configuring a standard database login module instead of the SaltedDatabaseServerLoginModule but this doesn't help, the result is still the same.

             

            Just to re-iterate, I need the web login process to use the SaltedDatabaseServerLoginModule, but the web service to be unauthenticated, whilst retaining the ability to use Hibernate lazy loading within the web service method.

             

            Hope this is clear, and thanks again for the assistance.

            Rich

            • 3. Re: How to disable authentication for JAX-WS web service
              jaikiran

              How exactly is your application packaged? Is the webservice part of the .war file (the one which has the jboss-web.xml with the security-domain configuration) too?

              • 4. Re: How to disable authentication for JAX-WS web service
                richyclarke

                The application is packaged as a single .war file. The web service is part of the same .war file, as is the jboss-web.xml file.

                • 5. Re: How to disable authentication for JAX-WS web service
                  jaikiran

                  Well in that case, you shouldn't be presented with any authentication screen/form for accessing the webservice at the /Quote URL path since it isn't listed in the security-constraints of your web.xml. What exact URL are you using which triggers this authentication for the webservice and subsequently fails. Can you also post the logs when this happens?

                   

                  • 6. Re: Re: How to disable authentication for JAX-WS web service
                    richyclarke

                    JBOSS is fronted by Apache HTTP server, but I am using SOAPUI to test and can target the webservice directly running on localhost at;

                     

                    http://127.0.0.1:8080/searchpoint/Quote

                     

                    Without the web service being annotated with @SecurityDomain("searchpointRealm"), the web service can be accessed without authentication on the above URL.

                    This is therefore working as expected for the web service, but without the above annotation, I can no longer log in via a browser to my XHTML pages. The log file (with trace enabled for org.jboss.security ) is as follows;

                    As you can see it is invoking the wrong login modules (not the SaltedDatabaseServerLoginModule ).

                     

                    My LoginBean simply logs out the username and password and calls request.login(username, password);

                     

                    2014-09-30 10:16:07,081 INFO  [com.vesey.searchpoint.security.LoginBean] (default task-37) login: Start
                    2014-09-30 10:16:07,082 INFO  [com.vesey.searchpoint.security.LoginBean] (default task-37) login: Username = richyclarke
                    2014-09-30 10:16:07,082 INFO  [com.vesey.searchpoint.security.LoginBean] (default task-37) login: Password = password1
                    2014-09-30 10:16:07,082 TRACE [org.jboss.security] (default task-37) PBOX000200: Begin isValid, principal: org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@b9c9aa91, cache entry: null
                    2014-09-30 10:16:07,082 TRACE [org.jboss.security] (default task-37) PBOX000209: defaultLogin, principal: org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@b9c9aa91
                    2014-09-30 10:16:07,082 TRACE [org.jboss.security] (default task-37) PBOX000221: Begin getAppConfigurationEntry(other), size: 5
                    2014-09-30 10:16:07,082 TRACE [org.jboss.security] (default task-37) PBOX000224: End getAppConfigurationEntry(other), AuthInfo: AppConfigurationEntry[]:
                    [0]
                    LoginModule Class: org.jboss.as.security.remoting.RemotingLoginModule
                    ControlFlag: LoginModuleControlFlag: optional
                    Options:
                    name=password-stacking, value=useFirstPass
                    [1]
                    LoginModule Class: org.jboss.as.security.RealmDirectLoginModule
                    ControlFlag: LoginModuleControlFlag: required
                    Options:
                    name=password-stacking, value=useFirstPass
                    
                    
                    2014-09-30 10:16:07,083 TRACE [org.jboss.security] (default task-37) PBOX000236: Begin initialize method
                    2014-09-30 10:16:07,083 TRACE [org.jboss.security] (default task-37) PBOX000240: Begin login method
                    2014-09-30 10:16:07,084 TRACE [org.jboss.security] (default task-37) PBOX000236: Begin initialize method
                    2014-09-30 10:16:07,086 TRACE [org.jboss.security] (default task-37) PBOX000240: Begin login method
                    2014-09-30 10:16:07,099 DEBUG [org.jboss.security] (default task-37) PBOX000283: Bad password for username richyclarke
                    2014-09-30 10:16:07,099 TRACE [org.jboss.security] (default task-37) PBOX000244: Begin abort method
                    2014-09-30 10:16:07,099 TRACE [org.jboss.security] (default task-37) PBOX000244: Begin abort method
                    2014-09-30 10:16:07,099 DEBUG [org.jboss.security] (default task-37) PBOX000206: Login failure: javax.security.auth.login.FailedLoginException: PBOX000070: Password invalid/Password required
                      at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:284) [picketbox-4.0.21.Beta1.jar:4.0.21.Beta1]
                      at org.jboss.as.security.RealmDirectLoginModule.login(RealmDirectLoginModule.java:147) [wildfly-security-8.1.0.Final.jar:8.1.0.Final]
                      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_51]
                      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_51]
                      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_51]
                      at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_51]
                      at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762) [rt.jar:1.7.0_51]
                      at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [rt.jar:1.7.0_51]
                      at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690) [rt.jar:1.7.0_51]
                      at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688) [rt.jar:1.7.0_51]
                      at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_51]
                      at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687) [rt.jar:1.7.0_51]
                      at javax.security.auth.login.LoginContext.login(LoginContext.java:595) [rt.jar:1.7.0_51]
                      at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:408) [picketbox-infinispan-4.0.21.Beta1.jar:4.0.21.Beta1]
                      at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345) [picketbox-infinispan-4.0.21.Beta1.jar:4.0.21.Beta1]
                      at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:333) [picketbox-infinispan-4.0.21.Beta1.jar:4.0.21.Beta1]
                      at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146) [picketbox-infinispan-4.0.21.Beta1.jar:4.0.21.Beta1]
                      at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verifyCredential(JAASIdentityManagerImpl.java:111)
                      at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verify(JAASIdentityManagerImpl.java:82)
                      at io.undertow.security.impl.SecurityContextImpl.login(SecurityContextImpl.java:210) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
                      at io.undertow.servlet.spec.HttpServletRequestImpl.login(HttpServletRequestImpl.java:418) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
                      at com.vesey.searchpoint.security.LoginBean.login(LoginBean.java:73) [classes:]
                      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_51]
                      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_51]
                      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_51]
                      at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_51]
                      at org.jboss.as.ee.component.ManagedReferenceMethodInterceptor.processInvocation(ManagedReferenceMethodInterceptor.java:52)
                      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
                      at org.jboss.invocation.WeavedInterceptor.processInvocation(WeavedInterceptor.java:53)
                      at org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:63)
                      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
                      at org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:407)
                      at org.jboss.as.weld.ejb.Jsr299BindingsInterceptor.doMethodInterception(Jsr299BindingsInterceptor.java:82) [wildfly-weld-8.1.0.Final.jar:8.1.0.Final]
                      at org.jboss.as.weld.ejb.Jsr299BindingsInterceptor.processInvocation(Jsr299BindingsInterceptor.java:93) [wildfly-weld-8.1.0.Final.jar:8.1.0.Final]
                      at org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:63)
                      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
                      at org.jboss.invocation.WeavedInterceptor.processInvocation(WeavedInterceptor.java:53)
                      at org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:63)
                      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
                      at org.jboss.as.ejb3.component.invocationmetrics.ExecutionTimeInterceptor.processInvocation(ExecutionTimeInterceptor.java:43) [wildfly-ejb3-8.1.0.Final.jar:8.1.0.Final]
                      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
                      at org.jboss.as.jpa.interceptor.SBInvocationInterceptor.processInvocation(SBInvocationInterceptor.java:47) [wildfly-jpa-8.1.0.Final.jar:8.1.0.Final]
                      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
                      at org.jboss.as.jpa.interceptor.SFSBInvocationInterceptor.processInvocation(SFSBInvocationInterceptor.java:57) [wildfly-jpa-8.1.0.Final.jar:8.1.0.Final]
                      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
                      at org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor.processInvocation(StatefulSessionSynchronizationInterceptor.java:127) [wildfly-ejb3-8.1.0.Final.jar:8.1.0.Final]
                      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
                      at org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:407)
                      at org.jboss.weld.ejb.AbstractEJBRequestScopeActivationInterceptor.aroundInvoke(AbstractEJBRequestScopeActivationInterceptor.java:46) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23]
                      at org.jboss.as.weld.ejb.EjbRequestScopeActivationInterceptor.processInvocation(EjbRequestScopeActivationInterceptor.java:83) [wildfly-weld-8.1.0.Final.jar:8.1.0.Final]
                      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
                      at org.jboss.as.ee.concurrent.ConcurrentContextInterceptor.processInvocation(ConcurrentContextInterceptor.java:45) [wildfly-ee-8.1.0.Final.jar:8.1.0.Final]
                      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
                      at org.jboss.invocation.InitialInterceptor.processInvocation(InitialInterceptor.java:21)
                      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
                      at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
                      at org.jboss.as.ee.component.interceptors.ComponentDispatcherInterceptor.processInvocation(ComponentDispatcherInterceptor.java:53)
                      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
                      at org.jboss.as.ejb3.component.stateful.StatefulComponentInstanceInterceptor.processInvocation(StatefulComponentInstanceInterceptor.java:66) [wildfly-ejb3-8.1.0.Final.jar:8.1.0.Final]
                      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
                      at org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:273) [wildfly-ejb3-8.1.0.Final.jar:8.1.0.Final]
                      at org.jboss.as.ejb3.tx.CMTTxInterceptor.required(CMTTxInterceptor.java:340) [wildfly-ejb3-8.1.0.Final.jar:8.1.0.Final]
                      at org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:239) [wildfly-ejb3-8.1.0.Final.jar:8.1.0.Final]
                      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
                      at org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41) [wildfly-ejb3-8.1.0.Final.jar:8.1.0.Final]
                      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
                      at org.jboss.as.ejb3.component.invocationmetrics.WaitTimeInterceptor.processInvocation(WaitTimeInterceptor.java:43) [wildfly-ejb3-8.1.0.Final.jar:8.1.0.Final]
                      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
                      at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:95) [wildfly-ejb3-8.1.0.Final.jar:8.1.0.Final]
                      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
                      at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64) [wildfly-ejb3-8.1.0.Final.jar:8.1.0.Final]
                      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
                      at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) [wildfly-ejb3-8.1.0.Final.jar:8.1.0.Final]
                      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
                      at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
                      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
                      at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:55) [wildfly-ejb3-8.1.0.Final.jar:8.1.0.Final]
                      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
                      at org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:64)
                      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
                      at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:326)
                      at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:448)
                      at org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:61)
                      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
                      at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:326)
                      at org.jboss.invocation.PrivilegedWithCombinerInterceptor.processInvocation(PrivilegedWithCombinerInterceptor.java:80)
                      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
                      at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
                      at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:185)
                      at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:182)
                      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
                      at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
                      at org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:73)
                      at com.vesey.searchpoint.security.LoginBean$$$view169.login(Unknown Source) [classes:]
                      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_51]
                      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_51]
                      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_51]
                      at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_51]
                      at org.jboss.weld.util.reflection.Reflections.invokeAndUnwrap(Reflections.java:401) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23]
                      at org.jboss.weld.bean.proxy.EnterpriseBeanProxyMethodHandler.invoke(EnterpriseBeanProxyMethodHandler.java:99) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23]
                      at org.jboss.weld.bean.proxy.EnterpriseTargetBeanInstance.invoke(EnterpriseTargetBeanInstance.java:56) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23]
                      at org.jboss.weld.bean.proxy.InjectionPointPropagatingEnterpriseTargetBeanInstance.invoke(InjectionPointPropagatingEnterpriseTargetBeanInstance.java:65) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23]
                      at org.jboss.weld.bean.proxy.ProxyMethodHandler.invoke(ProxyMethodHandler.java:100) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23]
                      at com.vesey.searchpoint.security.LoginBean$Proxy$_$$_Weld$EnterpriseProxy$.login(Unknown Source) [classes:]
                      at com.vesey.searchpoint.security.LoginBean$Proxy$_$$_WeldClientProxy.login(Unknown Source) [classes:]
                      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_51]
                      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_51]
                      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_51]
                      at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_51]
                      at com.sun.el.parser.AstValue.invoke(AstValue.java:275) [javax.el-3.0.0.jar:]
                      at com.sun.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:304) [javax.el-3.0.0.jar:]
                      at org.jboss.weld.util.el.ForwardingMethodExpression.invoke(ForwardingMethodExpression.java:40) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23]
                      at org.jboss.weld.el.WeldMethodExpression.invoke(WeldMethodExpression.java:50) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23]
                      at org.jboss.weld.util.el.ForwardingMethodExpression.invoke(ForwardingMethodExpression.java:40) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23]
                      at org.jboss.weld.el.WeldMethodExpression.invoke(WeldMethodExpression.java:50) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23]
                      at com.sun.faces.facelets.el.TagMethodExpression.invoke(TagMethodExpression.java:105) [jsf-impl-2.2.6-jbossorg-4.jar:]
                      at javax.faces.component.MethodBindingMethodExpressionAdapter.invoke(MethodBindingMethodExpressionAdapter.java:87) [jboss-jsf-api_2.2_spec-2.2.6.jar:2.2.6]
                      at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:102) [jsf-impl-2.2.6-jbossorg-4.jar:]
                      at javax.faces.component.UICommand.broadcast(UICommand.java:315) [jboss-jsf-api_2.2_spec-2.2.6.jar:2.2.6]
                      at javax.faces.component.UIViewRoot.broadcastEvents(UIViewRoot.java:790) [jboss-jsf-api_2.2_spec-2.2.6.jar:2.2.6]
                      at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:1282) [jboss-jsf-api_2.2_spec-2.2.6.jar:2.2.6]
                      at com.sun.faces.lifecycle.InvokeApplicationPhase.execute(InvokeApplicationPhase.java:81) [jsf-impl-2.2.6-jbossorg-4.jar:]
                      at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:101) [jsf-impl-2.2.6-jbossorg-4.jar:]
                      at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:198) [jsf-impl-2.2.6-jbossorg-4.jar:]
                      at javax.faces.webapp.FacesServlet.service(FacesServlet.java:646) [jboss-jsf-api_2.2_spec-2.2.6.jar:2.2.6]
                      at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
                      at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
                      at org.primefaces.webapp.filter.FileUploadFilter.doFilter(FileUploadFilter.java:105) [primefaces-5.1.RC1.jar:5.1.RC1]
                      at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
                      at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
                      at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
                      at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
                      at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
                      at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
                      at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
                      at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:113) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
                      at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
                      at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
                      at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
                      at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
                      at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:61) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
                      at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
                      at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
                      at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
                      at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
                      at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
                      at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
                      at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
                      at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
                      at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:240) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
                      at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
                      at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
                      at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
                      at io.undertow.server.Connectors.executeRootHandler(Connectors.java:177) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
                      at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
                      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_51]
                      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_51]
                      at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_51]
                    
                    
                    2014-09-30 10:16:07,106 TRACE [org.jboss.security] (default task-37) PBOX000201: End isValid, result = false
                    2014-09-30 10:16:07,107 WARN  [com.vesey.searchpoint.security.LoginBean] (default task-37) login: Login Failed: UT010031: Login failed
                    2014-09-30 10:16:07,108 TRACE [org.jboss.security] (default task-37) PBOX000354: Setting security roles ThreadLocal: {}
                    
                    
                    

                     

                    For comparison, here is the log when I add in the @SecurityDomain("searchpointRealm") to the web service and then perform a normal web login (everything else if exactly the same);

                    As you can see the correct login module is invoked.

                     

                    2014-09-29 13:00:21,034 INFO  [com.vesey.searchpoint.security.LoginBean] (default task-25) login: Start
                    2014-09-29 13:00:21,034 INFO  [com.vesey.searchpoint.security.LoginBean] (default task-25) login: Username = richyclarke
                    2014-09-29 13:00:21,035 INFO  [com.vesey.searchpoint.security.LoginBean] (default task-25) login: Password = password1
                    2014-09-29 13:00:21,038 TRACE [org.jboss.security] (default task-25) PBOX000200: Begin isValid, principal: org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@b9c9aa91, cache entry: null
                    2014-09-29 13:00:21,072 TRACE [org.jboss.security] (default task-25) PBOX000209: defaultLogin, principal: org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@b9c9aa91
                    2014-09-29 13:00:21,073 TRACE [org.jboss.security] (default task-25) PBOX000221: Begin getAppConfigurationEntry(searchpointRealm), size: 5
                    2014-09-29 13:00:21,073 TRACE [org.jboss.security] (default task-25) PBOX000224: End getAppConfigurationEntry(searchpointRealm), AuthInfo: AppConfigurationEntry[]:
                    [0]
                    LoginModule Class: de.rtner.security.auth.spi.SaltedDatabaseServerLoginModule
                    ControlFlag: LoginModuleControlFlag: required
                    Options:
                    name=formatter, value=de.rtner.security.auth.spi.PBKDF2HexFormatter
                    name=engine-parameters, value=de.rtner.security.auth.spi.PBKDF2Parameters
                    name=engine, value=de.rtner.security.auth.spi.PBKDF2Engine
                    name=principalsQuery, value=select hashedpassword from users where username = ?
                    name=hmacAlgorithm, value=HMacSHA256
                    name=dsJndiName, value=java:jboss/datasources/searchpointDS
                    name=rolesQuery, value=select r.name,'Roles' from role r, userrole ur, users u where u.username=? and u.userid = ur.userid and ur.roleid = r.roleid
                    
                    
                    2014-09-29 13:00:21,079 TRACE [org.jboss.security] (default task-25) PBOX000236: Begin initialize method
                    2014-09-29 13:00:21,080 TRACE [org.jboss.security] (default task-25) PBOX000262: Module options [dsJndiName: java:jboss/datasources/searchpointDS, principalsQuery: select hashedpassword from users where username = ?, rolesQuery: select r.name,'Roles' from role r, userrole ur, users u where u.username=? and u.userid = ur.userid and ur.roleid = r.roleid, suspendResume: true]
                    2014-09-29 13:00:21,081 TRACE [org.jboss.security] (default task-25) PBOX000240: Begin login method
                    2014-09-29 13:00:21,082 TRACE [org.jboss.security] (default task-25) PBOX000263: Executing query select hashedpassword from users where username = ? with username richyclarke
                    2014-09-29 13:00:21,104 TRACE [org.jboss.security] (default task-25) PBOX000241: End login method, isValid: true
                    2014-09-29 13:00:21,104 TRACE [org.jboss.security] (default task-25) PBOX000242: Begin commit method, overall result: true
                    2014-09-29 13:00:21,104 TRACE [org.jboss.security] (default task-25) PBOX000263: Executing query select r.name,'Roles' from role r, userrole ur, users u where u.username=? and u.userid = ur.userid and ur.roleid = r.roleid with username richyclarke
                    2014-09-29 13:00:21,110 TRACE [org.jboss.security] (default task-25) PBOX000263: Executing query select r.name,'Roles' from role r, userrole ur, users u where u.username=? and u.userid = ur.userid and ur.roleid = r.roleid with username richyclarke
                    2014-09-29 13:00:21,127 TRACE [org.jboss.security] (default task-25) PBOX000210: defaultLogin, login context: javax.security.auth.login.LoginContext@7cd3332f, subject: Subject(409047963).principals=org.jboss.security.SimplePrincipal@773960094(richyclarke)org.jboss.security.SimpleGroup@638849979(Roles(members:superuser,accounts))org.jboss.security.SimpleGroup@638849979(CallerPrincipal(members:richyclarke))
                    2014-09-29 13:00:21,128 TRACE [org.jboss.security] (default task-25) PBOX000201: End isValid, result = true
                    
                    
                    

                     

                    LoginBean if it is relevant;

                     

                    @Named
                    @Stateful
                    @SessionScoped
                    public class LoginBean implements Serializable {
                    
                    
                        @Inject
                        Logger log;
                    
                    
                        @Inject
                        FacesContext facesContext;
                    
                    
                        private String username;
                        private String password;
                    public String login() {
                            log.info("login: Start");
                            log.info("login: Username = " + username);
                            log.info("login: Password = " + password);
                    
                    
                            HttpServletRequest request = (HttpServletRequest) facesContext.getExternalContext().getRequest();
                            try {
                                request.login(username, password);
                                log.info("login: Login Succeeded. User = " + request.getUserPrincipal().getName());
                                return "/secure/test.xhtml";
                            } catch (ServletException ex) {
                                log.warn("login: Login Failed: " + ex.getLocalizedMessage());
                                log.warn("login: Exception: " + ex);
                                facesContext.getExternalContext().invalidateSession();
                                FacesMessage msg = new FacesMessage(FacesMessage.SEVERITY_WARN, "Login Failed: ", "Username or password incorrect: (" + ex.getLocalizedMessage() + ")");
                                facesContext.addMessage(null, msg);
                            }
                            return null;
                        }
                    
                    ... getters and setters
                    }
                    
                    
                    
                    
                    

                     

                    Again, thanks for you time in responding - it is much appreciated.

                    Rich

                    • 7. Re: Re: Re: How to disable authentication for JAX-WS web service
                      richyclarke

                      Jaikiran,

                      I have created a simple project to demonstrate this problem.

                      I have attached a netbeans project which contains;

                       

                      1. A single web service located at http://127.0.0.1:8080/testwebservice/TestWebService/TestWebService
                      2. A login.xhtml page (http://127.0.0.1:8080/testwebservice/login.xhtml) and a secure test.xhtml page accessible after login.

                       

                      I have also attached;

                      1. My standalone.xml containing the security domain, web services and datasource configuration.
                      2. A MySQL backup file which can be restored and contains just user, role and userrole tables for use with the datasource and login module in the standalone.xml
                      3. A complete server.log showing a failed login.

                       

                      I have removed the SaltedDatabaseServerLoginModule and have just configured a standard database login module.

                      You will obviously need the need the MySQL connector defined in wildfly's modules, I am currently using mysql-connector-java-5.1.13.jar.

                       

                      If you deploy the above, you will see that you cannot login, but if you remove the @Stateless annotation on the web service, you will be able to.

                      Alternatively add the @SecurityDomain("searchpointRealm") to the web service and you will be able login via the web pages, but the web service will also require authentication.

                       

                      I hope this helps

                      Rich

                      • 8. Re: Re: Re: Re: How to disable authentication for JAX-WS web service
                        richyclarke

                        I think I have found a workaround for my particular problem, but I'd be interested in you assessment of my finding.

                         

                        I have added the @SecurityDomain(value = "searchpointRealm") annotation to my web service class and now the web based login is working as expected (using the correct SaltedDatabaseServerLoginModule).

                        This now means that the web service requires me to authenticate, which is not what I wanted.

                         

                        If I add the @PermitAll annotation (from javax.annotation.security), I no longer need to authenticate to use the web service.

                        Is this because it was authorization rather than authentication that was previously stopping me from using the web service? 

                         

                        Looking at the error that is returned from the webservice proeviously, I see;

                         

                        JBAS014502: Invocation on method: public java.lang.String com.vesey.quote.Quote.requestQuote(java.lang.String) of bean: Quote is not allowed
                        

                         

                        But with @PermitAll the method is invoked correctly without any authetication (despite having @SecurityDomain(value = "searchpointRealm") specified on the web service class)

                         

                        This feels like a workaround rather than a pattern, as I would have expected to have to authenticate to use the webservice since I am specifying a security domain which requires authentication via the database.

                        My understanding of @PermitAll means allow users with any role, but I would still have expected to authenticate first.

                        Am I right therefore in assuming that an unauthenticated user, with obviously no roles assigned, is nevertheless authorized by the @PermitAll annotation?   

                         

                        I'm still not sure why making the webservice a stateless ejb would override the login configuration for my JSF pages.

                         

                        As I said, I'd be interested in your feedback to clarify my understanding.

                        Rich

                        • 9. Re: Re: Re: Re: Re: How to disable authentication for JAX-WS web service
                          jaikiran

                          Richard, I haven't been able to try the application you attached, but a quick look at it suggests that the cause of your problems is probably the content in your jboss-web.xml. You currently have:

                           

                            <security-domain>java:/jaas/searchpointRealm</security-domain>
                          

                           

                          Bu that should just be:

                           

                            <security-domain>searchpointRealm</security-domain>
                          

                           

                           

                          Change that and give it a try and see if things work as expected.

                          • 10. Re: How to disable authentication for JAX-WS web service
                            richyclarke

                            Jaikiran,

                            Sorry it's taken so long to respond. The definition  <security-domain>java:/jaas/searchpointRealm</security-domain> used to work under Wildfly 8.0.x and 8.1.x (and JBOSS AS 7.x) but no longer works under Wildfly 8.2.0-Final.


                            In Wildfly 8.2.0-Final I have changed it to <security-domain>searchpointRealm</security-domain> which now works as expected. Not sure what has changed in 8.2 branch.

                            Rich

                            • 11. Re: How to disable authentication for JAX-WS web service
                              jaikiran

                              Richard Clarke wrote:

                               

                              Jaikiran,

                              Sorry it's taken so long to respond. The definition  <security-domain>java:/jaas/searchpointRealm</security-domain> used to work under Wildfly 8.0.x and 8.1.x (and JBOSS AS 7.x) but no longer works under Wildfly 8.2.0-Final.

                               

                               

                              It wasn't working in previous versions. It just gave you an impression it worked because it was never being used and instead was defaulting to "other" security domain and that in fact was the reason why you were having the troubles reported in this thread.

                               

                              This was fixed in 8.2.0.Final as part of https://issues.jboss.org/browse/WFLY-3102 and the security domain defined in jboss-web.xml started being used for EJBs (and WS) deployed in the .war.

                              1 of 1 people found this helpful