1 Reply Latest reply on Apr 14, 2009 8:15 AM by joncmuniz

WS Security - Identity propagation between web services.

ravikb_jboss Apr 14, 2009 1:21 AM

Hi,

I have two WebServices with EJB Endpoints. (EJBWS1 and WJBWS2). Both are secure web services and the methods in those web services has restricted access by specifying the roles using &RolesAllowed annotation.

For example:

@RolesAllowed("Role1")
public String method1(){}

EJBWS1 is configured to receive the user credentials using WS-Security - User name token (using @EndpointConfig) and EJB2WS is configured to receive credentials using Basic authentication.

Both EJB's are in the same security Domain and also in the same JAR file.

I wrote a client to pass WS-Security credentials to EJBWS1 and it works. In EJBWS1, I called a method in EJBWS2 using EJB way (got a EJB object reference and invoke operation). Identity get propagated and the method call in EJBWS2 gets invoked.

But when i invoke the same using webservice way, i.e in EJBWS1 method, i get a webserviceref (static proxy) for EJJBWS2, get port and invoke operation, i am getting unauthorized error. Identity is not getting propagated from Webservice1 to web service 2

does identity propagation concept not exist in webservice invocations? or am i making any mistake here?

Appreciate your help.

I have included the code in the note:
Thanks in advance
Ravi.

NOTE:
My code for invoking webservice is as follows:
1) Invoking EJBWS 2:

@WebServiceRef
static TestBean1WSClient service3;
public void insert(Agent object) {
....

TestBean1Local tblocal = service3.getEndpointPort();
tblocal.insert(object);
}
2)

Created a WebService client using @WebServiceClient annotation:
@WebServiceClient(name = "TestBean1Service", targetNamespace = "http://service.ri.com/", wsdlLocation = "META-INF/wsdl/TestBean1Bean.wsdl")
public class TestBean1WSClient extends Service
{

private final static URL WSDL_LOCATION;
private final static QName TESTENDPOINTSERVICE = new QName("http://service.ri.com/", "TestBean1Service");
private final static QName TESTENDPOINTPORT = new QName("http://service.ri.com/", "TestBean1BeanPort");

static {
System.out.println("TestBean1WSClient static block");
URL url = null;
try {
URL baseUrl = com.hex.ffm.ri.service.TestBean1Local.class.getResource(".");
System.out.println(" baseURL "+baseUrl);
url = new URL("http://127.0.0.1:7000/Practice/TestBean1Bean?wsdl");
} catch (MalformedURLException e) {
e.printStackTrace();
}
WSDL_LOCATION = url;
}

public TestBean1WSClient(URL wsdlLocation, QName serviceName) {

super(wsdlLocation, serviceName);

}

public TestBean1WSClient() {
super(WSDL_LOCATION, TESTENDPOINTSERVICE);

}

@WebEndpoint(name = "TestBean1BeanPort")
public TestBean1Local getEndpointPort() {
return (TestBean1Local)super.getPort(TESTENDPOINTPORT, TestBean1Local.class);
}

}

1. Re: WS Security - Identity propagation between web services.

joncmuniz Apr 14, 2009 8:15 AM (in response to ravikb_jboss)

Hi, I can not answer your question!
Because it is a necessity that we have here in my company too! I am studying a way to use OpenSSO in this environment to be my server identity! So is he who knows who has access to the webservices, you need log on again, these things.
Actions