6 Replies Latest reply on Feb 14, 2008 11:54 AM by estahn

Seam 2.x, Webservice Security

estahn Jan 29, 2008 5:50 AM

Hi,

how do i restrict access to webservice methods? I tried to add "@Restrict("#{identity.loggedIn}")" before "createTest", but if i test this with an soap client (e.g. soap ui) i getting no SOAP Exception or something else. It will return the the string "done".

Any ideas?

Enrico

package org.domain.webservices;

import javax.ejb.Stateless;
import javax.jws.WebMethod;
import javax.jws.WebParam;
import javax.jws.WebService;

import org.jboss.seam.annotations.security.Restrict;
import org.jboss.seam.security.Identity;
import org.jboss.wsf.spi.annotation.WebContext;

@Stateless
@WebContext(contextRoot="/TestWS")
@WebService(name = "TestService", serviceName = "TestService")
public class TenderNoticeCollectorService implements TenderNoticeCollectorServiceRemote
{
 @WebMethod
 public boolean login(@WebParam(name="username") String username, @WebParam(name="password") String password) {
 Identity.instance().setUsername(username);
 Identity.instance().setPassword(password);
 Identity.instance().login();
 return Identity.instance().isLoggedIn();
 }

 @WebMethod
 public boolean logout() {
 Identity.instance().logout();
 return !Identity.instance().isLoggedIn();
 }

 @WebMethod
 @Restrict("#{identity.loggedIn}")
 public String createTest(@WebParam(name="title") String title)
 {
 return "done";
 }
}

1. Re: Seam 2.x, Webservice Security

shane.bryzak Jan 29, 2008 5:58 AM (in response to estahn)

Does it work if you put the @Restrict(s) in the remote interface instead?
Actions
2. Re: Seam 2.x, Webservice Security

estahn Jan 29, 2008 7:42 AM (in response to estahn)

Hi Shane,

thanks for your reply. It doesn't work either if i put it in the remote interface.

Any other ideas?

Enrico
Actions
3. Re: Seam 2.x, Webservice Security

shane.bryzak Jan 29, 2008 8:48 AM (in response to estahn)
I just tested this by putting a @Restrict in the seamBay example in AuctionService.listCategories() then calling the web service via the test page in the seam-bay app.

@WebMethod @Restrict("#{s:hasRole('admin')}") public Category[] listCategories()

This successfully returned the following SOAP fault when I tried to invoke the method without logging in:

<env:Envelope xmlns:env='http://schemas.xmlsoap.org/soap/envelope/'> <env:Header></env:Header> <env:Body> <env:Fault xmlns:env='http://schemas.xmlsoap.org/soap/envelope/'> <faultcode>env:Server</faultcode> <faultstring>org.jboss.seam.security.NotLoggedInException</faultstring> </env:Fault> </env:Body> </env:Envelope>

I'm guessing that you probably have a configuration problem somewhere. I would start by comparing your project to seamBay to see if there's any obvious configuration differences.
Actions
4. Re: Seam 2.x, Webservice Security

shane.bryzak Jan 29, 2008 8:52 AM (in response to estahn)

Silly me! I also forgot to mention that if you want the security interceptors to work, your web service class needs to be a Seam component :) (give it a @Name)
Actions
5. Re: Seam 2.x, Webservice Security

estahn Feb 14, 2008 5:03 AM (in response to estahn)

Hi Shane,

thanks for all your efforts and sorry for the delay. Actually, I don't know where I have to search the error. Everythink works well except the SOAP method security. The seambay example don't help me either because the files at all looks like the ones I have in my project. I created a test project with Eclipse. I would appreciate if you could have a look and tell me what's wrong. My workstation is running with the following configuration:

JBoss AS v4.2
Seam 2.0
JDK 1.5

http://blog.enricostahn.com/uploads/TestSeamWebserviceSecurity-ear.ear
http://blog.enricostahn.com/uploads/TestSeamWebserviceSecurity-ds.xml

I use soapUi to send the following request to the method test() (http://127.0.0.1:8080/TestSeamWebserviceSecurityWS/TestSeamWebserviceSecurityService?wsdl ).

Enrico
Actions
6. Re: Seam 2.x, Webservice Security

estahn Feb 14, 2008 11:54 AM (in response to estahn)

Seems that I have used the wrong version of Seam (Seam 2.0.0.GA).

Release Notes - JBoss Seam - Version 2.0.1.CR1

** Bug
* [JBSEAM-2238] - SecurityInterceptor not invoked for Web Service requests

Will check that out tomorrow.
Actions

Go to original post