3 Replies Latest reply on Jul 9, 2007 11:07 AM by Thomas Diesler

    POJO web services and standard security annotations

    Dmitry Mikhailov Newbie


      I'm new to JAX-WS and trying to find my way around this technology. One thing of particular importance for me is how JBoss treats standard security annotations when deploying POJO web services.

      JSR 181 "Web Services Metadata for the JavaTM Platform" doesn't mention security-related annotations explicitely; however change log there contains comment "Removed security annotations as these will be defined by JSR 250 ? Common Annotations." So I took it as security-related annotations apply to web services, includng POJO-based.

      However, when I tried to test it in JBoss-4.2.0.GA, I found that container simply ignores these annotations or, at least, @RolesAllowed.

      Here is code snippet:

      @WebService(name = "AccountingIf", endpointInterface = "org.mikha.webservice.test.accountingif3.AccountingIf")
      public class AccountingIfImpl implements AccountingIf
       /** web service context */
       private WebServiceContext m_ctx;
       * @see org.mikha.webservice.test.accountingif3.AccountingIf#commit(org.mikha.webservice.test.accountingif3.RecordTypeType,
       * long)
       public void commit(RecordTypeType recordType, long trID)
       // TODO Auto-generated method stub
       * @see org.mikha.webservice.test.accountingif3.AccountingIf#fetch(org.mikha.webservice.test.accountingif3.RecordTypeType,
       * int)
       public FetchResultType fetch(RecordTypeType recordType, int dataSize)
       Principal p = m_ctx.getUserPrincipal();
       if (!m_ctx.isUserInRole("AccountingIfClient"))
       throw new SecurityException("User " + p
       + " is not allowed to access accounting interface");
       // ....

      When request is made by user belonging to "AccountingIfClient" role, both methods work fine.

      But, when request is made by valid user not belonging to "AccountingIfClient" role, "commit" method still works; and "fetch" method throws "javax.xml.ws.soap.SOAPFaultException: User johndoe is not allowed to access accounting interface", which comes from my code, not from container.

      The questions:
      1) Should container for POJO-based web services honor standard security annotations?
      2) If not, is there any way to specify security restrictions for POJO-based web services in declarative manner (i.e. without checking access rights in the business logic)?