7 Replies Latest reply on Sep 19, 2007 10:34 AM by Richard Opalka

    Secure Webservice

    Magnus Lundgren Newbie


      I am using JBoss-4.0.5.GA and have implemented a Webservice using
      annotations. The Webservice is protected by a SecurityDomain.

      To access the webservice I have looked at the examples from the jbossws samples for jbossws-1.2.1.GA and tried to followed it as much as possible. Obvioulsy something isn't correct since I get a Authentication Failure even though I passes the correct username and password. The client code:

      System.setProperty(Provider.JAXWSPROVIDER_PROPERTY, "org.jboss.ws.core.jaxws.spi.ProviderImpl");
       URL wsdlURL = new URL(WSDL_LOCATION);
       Service service = Service.create(wsdlURL, SERVICE_NAME);
       WebServiceEndPoint endPoint = null;
       endPoint = (WebServiceEndPoint) service.getPort(WebServiceEndPoint.class);
       BindingProvider bp = (BindingProvider) endPoint;
       bp.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "test");
       bp.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, "test");
       String result = (String) endPoint.test("Gurka");
       System.out.println("The Server response is: " + result);

      I am stomped what I am doing wrong? I have pointed the JBossWS security domain to the correct database with a configuration that I know works for my EJBs.

      Is the error on the client or the server side?

        • 1. Re: Secure Webservice
          Heiko Braun Master

          What do the endpoint bean and interface look like?

          • 2. Re: Secure Webservice
            Magnus Lundgren Newbie

            I have tried a few different version, the latest look like this:

            @WebService(name = "WebServiceEndPoint", targetNamespace = "http://se.pilotfish/fairfleet/ws",
             serviceName = "WebServiceTest")
            @SOAPBinding(style= SOAPBinding.Style.RPC)
            @WebContext(contextRoot = "/service", urlPattern = "/*", authMethod = "BASIC",
             transportGuarantee = "NONE", secureWSDLAccess = false)
            public class WebServiceTestBean implements WebServiceTest {
             @WebResult(name = "result")
             public String test(@WebParam(name = "input") String input) {
             return "WebService:" + input;

            public interface WebServiceTest {
             public String test(String input);

            • 3. Re: Secure Webservice
              S. Garelle Newbie


              I am facing exactly the same problem... So, what's the solution?

              I am using JBoss_4_2_1_GA.

              On client side, I also use the request context to set the user name and password:

               CmiEndPoint proxy = (CmiEndPoint) service.getPort(CmiEndPoint.class);
               BindingProvider bp = (BindingProvider) proxy;
               Map<String, Object> reqCtxt = bp.getRequestContext();
               reqCtxt.put(BindingProvider.USERNAME_PROPERTY, user);
               reqCtxt.put(BindingProvider.PASSWORD_PROPERTY, password);
               proxy.execCmd("Do this command");

              On server side, the WebService is simply declared with the "@WebService" annotation. A security-domain is defined in jboss.xml. Users are defined.

              The command failed because of an authentification failure:
              javax.xml.ws.soap.SOAPFaultException: Authentication failure

              The same user/password used for a RMI client calling directly the underlying stateless session bean works.
              The same WS client with security disabled on server works.

              • 4. Re: Secure Webservice
                rbellia Newbie

                I have the same probelm with JBoss AS 4.2.1 ...

                The endpoint:

                @Stateless @WebService
                public class CalculatorBean implements CalculatorRemote, CalculatorLocal {
                 @Resource SessionContext sessionCtx;
                 public Integer sum(Integer a, Integer b) {
                 System.out.println("who is it ? " + sessionCtx.getCallerPrincipal());
                 return a + b;

                The client:
                 CalculatorBeanService service = new CalculatorBeanService();
                 CalculatorBean port = service.getCalculatorBeanPort();
                 BindingProvider bp = (BindingProvider) port;
                 bp.getRequestContext().put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, "http://localhost:8080/CalculatorBeanService/CalculatorBean");
                 bp.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "user1");
                 bp.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, "password1");
                 // TODO initialize WS operation arguments here
                 java.lang.Integer result = port.sum(4002, 450);
                 System.out.println("Result = "+result);

                The exception:
                javax.xml.ws.soap.SOAPFaultException: Authorization failure

                The security domain works fine if I use a remote EJB client.

                • 5. Re: Secure Webservice
                  Thomas Diesler Master

                  Please start from a working sample that we distribute and tell us what modification stopped things working

                  • 6. Re: Secure Webservice
                    Magnus Lundgren Newbie

                    This was some time ago, so where I started is not a little bit foggy. But everything worked fine for me up to the point where I protected the webservice with a SecurityDomain. Sadly I cannot post the example code that I started with.

                    • 7. Re: Secure Webservice
                      Richard Opalka Newbie

                      If you have turned on the SecurityDomain then you must investigate what SecurityManager prohibits you to do and set up the rights correctly so JBossWS stack can work properly.