2 Replies Latest reply on Dec 5, 2005 6:15 PM by Mahesh Sooriarachchi

    Standard JBoss Web Services Security not working

    Mahesh Sooriarachchi Newbie

      Hi,

      We have been trying to use a web service connected to a Stateless Session Bean. The security on the bean requires a role. We set the username and password in the standard way. See below.

      public void testHelloWorldWebServiceWithSecurity() {
       HelloWorldEndpointPort_Service_Impl helloService = new HelloWorldEndpointPort_Service_Impl();
       HelloWorldEndpointPort_PortType helloPort = helloService.getHelloWorldEndpointPortPort();
       ((javax.xml.rpc.Stub) helloPort)._setProperty(javax.xml.rpc.Stub.USERNAME_PROPERTY, "gluck");
       ((javax.xml.rpc.Stub) helloPort)._setProperty(javax.xml.rpc.Stub.PASSWORD_PROPERTY, "brunswick");
       String result = helloPort.knockKnock(10);
       LOG.fine("HelloWorld JWSDP result = " + result);
       }
      


      However JBoss gives an error.
      javax.xml.rpc.soap.SOAPFaultException: SecurityException; nested exception is:
       java.lang.SecurityException: Insufficient method permissions, principal=null, ejbName=HelloWorldService, method=knockKnock, interface=SERVICE_ENDPOINT, requiredRoles=[operator], principalRoles=[]
      


      On the JBoss log I get more information:
       [org.jboss.webservice.server.ServerEngine] Server error: AxisFault
       faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Client
       faultSubcode:
       faultString: SecurityException; nested exception is:
       java.lang.SecurityException: Insufficient method permissions, principal=null, ejbName=HelloWorldService, method=knockKnock, interface=SERVICE_ENDPOINT, requiredRoles=[operator], principalRoles=[]
       faultActor:
       faultNode:
       faultDetail:
       {http://xml.apache.org/axis/}stackTrace: java.rmi.AccessException: SecurityException; nested exception is:
       java.lang.SecurityException: Insufficient method permissions, principal=null, ejbName=HelloWorldService, method=knockKnock, interface=SERVICE_ENDPOINT, requiredRoles=[operator], principalRoles=[]
      


      There are two possibilities:
      1. JBoss does not support security on Web Services. If not, how did it pass the J2EE 1.4 certification?
      2. We have not configured something.

      On the second point, we do have security working on application clients accessing stateless session beans using RMI. We also have our web container all hooked up to container security. In the JBoss documentation there are no examples showing how to get the standard WS examples working.

      For the standard examples, see http://java.sun.com/j2ee/1.4/docs/tutorial/doc/Security7.html#wp156943.