3 Replies Latest reply on Jun 15, 2011 1:10 AM by Alexander Hartner

    Basic Authentication with WSSecureEndpoint on JBoss 4.2.2GA

    Alexander Hartner Expert

      I want to use Username Tokens to authenticate with a webservice provided by a Session Bean as shown:

      @Stateless
      @WebService
      @EndpointConfig(configName="Standard WSSecurity Endpoint")
      @SecurityDomain("java:/jaas/THZone")
      @RolesAllowed("friend")
      @SOAPBinding(style = SOAPBinding.Style.DOCUMENT,
                   use = SOAPBinding.Use.LITERAL,
                   parameterStyle = SOAPBinding.ParameterStyle.BARE)


      I searched the forum and found several references to :

      http://wiki.jboss.org/wiki/Wiki.jsp?page=WSSecureEndpoint

      which points to the user guide.

      I configured the login module in conf/login-config.xml to use a properties file to test the configuration. However, when I try to access the principal I get null back. Since adding the RolesAllowed annotation, the service fails with:


      11:46:07,984 ERROR [RoleBasedAuthorizationInterceptor] Insufficient permissions, principal=null, requiredRoles=[friend], principalRoles=[]
      11:46:07,984 ERROR [SOAPFaultHelperJAXWS] SOAP request exception
      javax.ejb.EJBAccessException: Authorization failure
      at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptor.invoke(RoleBasedAuthorizationInterceptor.java:120)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
      at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:77)
      at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.invoke(Ejb3AuthenticationInterceptor.java:110)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
      at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:46)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
      at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
      at org.jboss.wsf.container.jboss42.InvocationHandlerEJB3.invoke(InvocationHandlerEJB3.java:103)
      at org.jboss.ws.core.server.ServiceEndpointInvoker.invoke(ServiceEndpointInvoker.java:220)
      at org.jboss.wsf.stack.jbws.RequestHandlerImpl.processRequest(RequestHandlerImpl.java:408)
      at org.jboss.wsf.stack.jbws.RequestHandlerImpl.handleRequest(RequestHandlerImpl.java:272)
      at org.jboss.wsf.stack.jbws.RequestHandlerImpl.doPost(RequestHandlerImpl.java:189)
      at org.jboss.wsf.stack.jbws.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:122)
      at org.jboss.wsf.stack.jbws.EndpointServlet.service(EndpointServlet.java:84)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
      at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
      at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
      at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
      at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
      at java.lang.Thread.run(Thread.java:619)


      It seems that I am just missing the right configuration. Any pointers on what to configure would help me a great deal.

      Tx
      Alex


        • 1. Re: Basic Authentication with WSSecureEndpoint on JBoss 4.2.
          Alexander Hartner Expert

          I added a custom login module to debug this problem. It seems that the user and password are never passed to the login module.

           public boolean login() throws LoginException {
               logger.info("Login");
               NameCallback nameCallback = new NameCallback("User Name");
               PasswordCallback passwordCallback = new PasswordCallback("User Password", false);
               Callback[] callbacks = new Callback[2];
               callbacks[0] = nameCallback;
               callbacks[1] = passwordCallback;
               logger.info("Configured callbacks");
               try {
                   logger.info("Handling callbacks");
                   // the container's CallbackHandler is expected to fill in user name and password
                   callbackHandler.handle(callbacks);
                   logger.info("Handled callbacks");
               } catch (UnsupportedCallbackException ex) {
                   ex.printStackTrace();
               } catch (IOException ex) {
                   ex.printStackTrace();
               }
               String userid = "default";
               String password = "default";
               userid = nameCallback.getName();
               password = new String(passwordCallback.getPassword());
               logger.info("Processed callbacks");
               passwordCallback.clearPassword();
               // debug only: this writes the clear-text password to the server log
               logger.info("Attempt to login with :" + userid + " and " + password);
               JAASUser user = new JAASUser(1, userid);
               JAASRole role = new JAASRole("friends");
               subject.getPrincipals().add(user);
               subject.getPrincipals().add(role);
               return true;
           }
          


          I am still a little confused on where I am supposed to configure which Principal implementation is a User or a Role.

          I also tried adding a WebContext, but this resulted in a "The request failed with HTTP status 401: Unauthorized." error without invoking the Login Module. Removing the WebContext annotation resulted in the Login Module being called, but without User / Password.

          @WebContext(authMethod = "BASIC", transportGuarantee="NONE", secureWSDLAccess = false)


          • 2. Re: Basic Authentication with WSSecureEndpoint on JBoss 4.2.
            Carlos Soderguit Newbie

            Sorry for my English.
            I have the same problem!
            Do you have a solution?
            Thanks, Carlos

            • 3. Re: Basic Authentication with WSSecureEndpoint on JBoss 4.2.
              Alexander Hartner Expert

              I think in the end I had to make changes in my LoginModule for it to work. This is my complete login module.


              Hope it helps
              Alex


              /*
               * SimpleLoginModule.java
               *
               * Created on 24 June 2005, 10:45
               *
               */
              package com.abc.backend.security;

              import java.io.IOException;
              import java.security.acl.Group;
              import java.util.Map;
              import javax.security.auth.Subject;
              import javax.security.auth.callback.Callback;
              import javax.security.auth.callback.CallbackHandler;
              import javax.security.auth.callback.NameCallback;
              import javax.security.auth.callback.PasswordCallback;
              import javax.security.auth.callback.UnsupportedCallbackException;
              import javax.security.auth.login.LoginException;
              import javax.security.auth.spi.LoginModule;

              /**
               *
               * <p>Copyright: Copyright (c) 2007</p>
               * <p>Company: Thunderhead</p>
               * @author ahartner
               * @version 1
               */
              public class SimpleLoginModule implements LoginModule {
                  private Subject m_subject;
                  private CallbackHandler m_callbackHandler;
                  private String m_userid;
                  private String m_password;
                  // Set by login(). The LoginContext calls commit() on every module in the
                  // stack, so commit() must only add principals when this login succeeded.
                  private boolean m_loginOk;

                  /**
                   * Creates a new instance of SimpleLoginModule
                   */
                  public SimpleLoginModule() {
                  }

                  public boolean abort() throws LoginException {
                      clearState();
                      return true;
                  }

                  public boolean commit() throws LoginException {
                      if (!m_loginOk) {
                          return false;
                      }
                      JAASUser user = new JAASUser(1, m_userid);

                      // JBoss takes the caller's roles from a Group principal named "Roles";
                      // its members are the role principals matched against @RolesAllowed.
                      Group grp = new JAASGroup("Roles");
                      grp.addMember(new JAASRole("friend"));
                      grp.addMember(new JAASRole("friends"));

                      m_subject.getPrincipals().add(user);
                      m_subject.getPrincipals().add(grp);
                      return true;
                  }

                  public void initialize(Subject subject, CallbackHandler callbackHandler, Map state, Map options) {
                      m_subject = subject;
                      m_callbackHandler = callbackHandler;
                  }

                  public boolean login() throws LoginException {
                      NameCallback nameCallback = new NameCallback("User Name");
                      PasswordCallback passwordCallback = new PasswordCallback("User Password", false);
                      Callback[] callbacks = new Callback[2];
                      callbacks[0] = nameCallback;
                      callbacks[1] = passwordCallback;
                      try {
                          // The container's CallbackHandler supplies the credentials it
                          // extracted from the request (UsernameToken or BASIC header).
                          m_callbackHandler.handle(callbacks);
                      } catch (UnsupportedCallbackException ex) {
                          throw new LoginException("Callback not supported: " + ex.getMessage());
                      } catch (IOException ex) {
                          throw new LoginException("Callback handling failed: " + ex.getMessage());
                      }
                      m_userid = nameCallback.getName();
                      char[] pw = passwordCallback.getPassword();
                      m_password = (pw == null) ? null : new String(pw);
                      passwordCallback.clearPassword();

                      // Placeholder credential check from the original post. Written null-safe
                      // so a missing user name or password fails the login instead of throwing
                      // a NullPointerException.
                      m_loginOk = "user".equals(m_userid) && "password".equals(m_password);
                      // The password is not needed after the check; do not keep it around.
                      m_password = null;
                      return m_loginOk;
                  }

                  public boolean logout() throws LoginException {
                      m_subject.getPrincipals().clear();
                      clearState();
                      return true;
                  }

                  private void clearState() {
                      m_userid = null;
                      m_password = null;
                      m_loginOk = false;
                  }
              }
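              An added example, not part of the thread: a stand-alone harness that drives SimpleLoginModule outside the container and then inspects the Subject the way the EJB3 role check does, treating the members of a Group principal named "Roles" as the caller's roles. It assumes the JAASUser, JAASGroup and JAASRole classes referenced by the module are on the classpath (they are not shown in the thread); the credentials it supplies are constructed test values. Running the module this way separates a broken module from a container that never hands the credentials to it.

```java
package com.abc.backend.security;

import java.security.Principal;
import java.security.acl.Group;
import java.util.Collections;
import java.util.Enumeration;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

/** Exercises SimpleLoginModule without JBoss (hypothetical helper, not project code). */
public class LoginModuleCheck {

    /** Stands in for the container: feeds constructed credentials to the callbacks. */
    static CallbackHandler handlerFor(final String user, final String pass) {
        return new CallbackHandler() {
            public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                    else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(pass.toCharArray());
                    else throw new UnsupportedCallbackException(cb);
                }
            }
        };
    }

    /** True if the Subject carries a Group named "Roles" whose members include the role. */
    static boolean hasRole(Subject subject, String role) {
        for (Group g : subject.getPrincipals(Group.class)) {
            if (!"Roles".equals(g.getName())) continue;
            for (Enumeration<? extends Principal> e = g.members(); e.hasMoreElements();) {
                if (role.equals(e.nextElement().getName())) return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        Subject subject = new Subject();
        SimpleLoginModule lm = new SimpleLoginModule();
        lm.initialize(subject, handlerFor("user", "password"), Collections.emptyMap(), Collections.emptyMap());
        boolean ok = lm.login();
        if (ok) lm.commit();
        System.out.println("login=" + ok + " hasRole(friend)=" + hasRole(subject, "friend"));
    }
}
```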