0 Replies Latest reply on Oct 19, 2010 11:53 AM by André Simões

    Security question about DatabaseServerLoginModule and SOAPFaultException

    André Simões Newbie

      Hi.

      I want to know how can i solve the SOAPFaultException error that jboss send when a valid user try to access to a role that do not belong to it.

       

      Example of code exception with a C# client

       

       

      @WebContext(contextRoot = "/HeComm", transportGuarantee = "NONE", authMethod = "BASIC", secureWSDLAccess = false)
      @SecurityDomain("DBLogin")
      @PermitAll
      @RolesAllowed({"admin", "ws"})
      public class WebSecurityBean implements WebSecurity{
          
          @WebMethod
          @RolesAllowed({"admin"})
          public String echoForAdministrator(String str) {
              checkPrincipal();
              log.debug(str);
              return str;
          }
      
          @WebMethod
          @PermitAll
          public String echoForAll(String str) {
              checkPrincipal();
              log.debug(str);
              return str;
          }
      
          @WebMethod
          @DenyAll
          public String echoForNobody(String str) {
              checkPrincipal();
              log.debug(str);
              return str;
          }
      
          @WebMethod
          @RolesAllowed({"ws"})
          public String echoForUser(String str) {
              checkPrincipal();
              log.debug(str);
              return str;
          }
          
          @WebMethod
          @RolesAllowed({"ManageUsers"})
          public String echoForManageUsers(String str) {
              checkPrincipal();
              log.debug(str);
              return str;
          }
      

      }

       

      If my C# client have invalid user or password, jboss sends a message telling that.

      If my C# client hava valid user a password, jboss throws an exception in methods that are not allowed to my user role.

       

      My user have role "ws" and if i call method  echoForAdministrator or echoForNobody or echoForManageUsers I got an exception that starts like this:

       

      ERROR [SOAPFaultHelperJAXWS] SOAP request exception

      javax.ejb.EJBAccessException: Caller unauthorized

      at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorv2.invoke(RoleBasedAuthorizationInterceptorv2.java:199)

      . . . .

       

      In C# i got an exception that is ok, the user are not allowed to use this method, but why jboss receive an error exception from soap?

       

      Can I do something to eliminate this exception?

       

      I'm using JBOSS 5.10 and authentication on oracle db.