2 Replies Latest reply on Jul 29, 2007 12:27 PM by ike erhascy

    User authorization in Web Service

    ike erhascy Newbie

      How to setup user authentication in a web service? I have something like:

      @Stateless
      @WebService(endpointInterface="com.m1.sample.core.IRoleMgrWebService")
      @SecurityDomain("mydomain")
      public class RoleMgrEjbWeb implements IRoleMgrWebService {
      ...
      @AllowedRoles("role")
      public void doSomething() {...}
      }

      The client is like that:
      URL url = new URL("http://127.0.0.1:8080/RoleMgrEjbWebService/RoleMgrEjbWeb?wsdl");
      QName qname = new QName("http://core.sample.m1.com/", "RoleMgrEjbWebService");

      ServiceFactory factory = ServiceFactory.newInstance();
      Service service = factory.createService(url, qname);

      IRoleMgrWebService ws = (IRoleMgrWebService) service.getPort(IRoleMgrWebService.class);

      ws.doSomething();

      What should I write to pass user's credentials? I tried something like:
      URL url = Thread.currentThread().getContextClassLoader().getResource("auth.conf");
      System.setProperty("java.security.auth.login.config", url.toString());

      javax.security.auth.login.LoginContext lh = new javax.security.auth.login.LoginContext("aloe",
      new AloeLoginHandler("ike", "1"));
      lh.login();

      But that works only if I call EJB's not service.

      Btw, is there any documentation about authentication and authorization in jboss web services?

        • 1. Re: User authorization in Web Service
          Andy Cooper Newbie

          Try something like the following in your client:

          ((BindingProvider)port).getRequestContext().put(Stub.USERNAME_PROPERTY, "joe");
          ((BindingProvider)port).getRequestContext().put(Stub.PASSWORD_PROPERTY, "dweeb");

          I can't recall if this only works with WS-Security ...

          No, the documentation is not particularly good :-)

          • 2. Re: User authorization in Web Service
            ike erhascy Newbie

            It causes ClassCastException (cannot cast port to BindingProvider).
            Actually, I've found another recommendation:
            ((Stub)port)._setProperty(Stub.USERNAME_PROPERTY, "joe");
            ((Stub)port)._setProperty(Stub.PASSWORD_PROPERTY, "joe");
            But it doesn't work too:
            javax.ejb.EJBAccessException: Authentication failure
            at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.handleGeneralSecurityException(Ejb3AuthenticationInterceptor.java:68)
            at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:70)
            at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.invoke(Ejb3AuthenticationInterceptor.java:106)
            at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
            at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:46)
            at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
            at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
            at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
            at org.jboss.ejb3.stateless.StatelessContainer.localInvoke(StatelessContainer.java:214)
            at org.jboss.ejb3.stateless.StatelessContainer.localInvoke(StatelessContainer.java:184)
            at org.jboss.ejb3.stateless.StatelessContainer.localInvoke(StatelessContainer.java:174)
            at org.jboss.ws.integration.jboss42.ServiceEndpointInvokerEJB3.invokeServiceEndpointInstance(ServiceEndpointInvokerEJB3.java:114)
            at org.jboss.ws.core.server.AbstractServiceEndpointInvoker.invoke(AbstractServiceEndpointInvoker.java:207)
            at org.jboss.ws.core.server.ServiceEndpoint.processRequest(ServiceEndpoint.java:212)
            at org.jboss.ws.core.server.ServiceEndpointManager.processRequest(ServiceEndpointManager.java:448)
            at org.jboss.ws.core.server.AbstractServiceEndpointServlet.doPost(AbstractServiceEndpointServlet.java:114)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
            at org.jboss.ws.core.server.AbstractServiceEndpointServlet.service(AbstractServiceEndpointServlet.java:75)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
            at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
            at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
            at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
            at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
            at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
            at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
            at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:241)
            at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
            at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:580)
            at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
            at java.lang.Thread.run(Thread.java:595)

            When I debug UserPasswordLoginModule I see that both login and password are nulls :(

            Are @SecurityDomain and @RolesAllowed intended to web servicess too, not only for EJB's?