4 Replies Latest reply on Oct 22, 2011 12:00 PM by Steve Cohen

    Session-based web service with JBossWS?

    Steve Cohen Newbie

      The web-service I need to develop needs to be session based.


      That is to say, there is a login method which is secured by JAAS authentication.  If the user is authenticated, a session-id is returned which is provided to other methods which do not need to be authenticated, for as long as the session lasts, that is, as long as the session is found in the database.  In other words, each call is not a session unto itself, not just an atomic data operation, but part of a larger whole.


      Is there any documentation on achieving this pattern and is it even possible with JBossWS?



        • 1. Re: Session-based web service with JBossWS?
          Steve Cohen Newbie

          Hmm, tough crowd.  38 people have looked at this and nobody's biting.  Seems like I'm really swimming against the current here - again .  I always seem to wind up doing that.


          But truly, my use case is valid.  I want to wrap a service as a web service so that more than hardwired clients can use it.  There is a real need for session - consider the example of a phone call.  It's not a bunch of discrete messages, it's a CONVERSATION.  That's what I'm trying to implement.




          One possible solution approach I've come up with is here:




          In a partial deployment descriptor I can specify METHOD-level permissions.  So, if this works, login can be protected, other methods not.


          In exploring this, I soon bump up against my first problem.  As soon as I create a partial deployment descriptor, before I even put anything in it, my web service which was successfully validating every method, now fails with this:


          13:29:45,877 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files

          java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found

              at org.jboss.security.auth.spi.Util.loadProperties(Util.java:198)

              at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)



          It's no longer looking for jbossws-users.properties - now it's looking for users.properties. 


          So, at this point do I need to replace jbossws-users.properties with users.properties (realizing that all this eventually goes away when I hook a real LoginModule) or is there something else I can do?


          Also, will the @PermitAll annotation conflict with the JBoss @WebContext.authMethod stuff?



          • 2. Re: Session-based web service with JBossWS?
            Steve Cohen Newbie

            Uh, never mind about:

            It's no longer looking for jbossws-users.properties - now it's looking for users.properties.


            I had left out this:

            @SecurityDomain(value = "JBossWS")

            All right, onward and upward with my plan.  Still wondering about the deployment descriptor stuff and if anyone can think of a reason why this shouldn't work?

            • 3. Re: Session-based web service with JBossWS?
              Steve Cohen Newbie

              Hmm. not working.


              I add information to the ejb-jar.xml:


              {code:xml}<xmlnode prop="abc">


























              But both methods are still being checked.


              Perhaps I haven't named the EJB correctly?  In an ejb-based web service, what is the ejb name that should be used in ejb-jar.xml?


              And can someone PLEASE tell me how to avoid my pastes being turned into HTML tables?

              • 4. Re: Session-based web service with JBossWS?
                Steve Cohen Newbie

                OK, I keep learning more stuff but it's not getting me where I want to be but I feel I'm getting close.






                I find that the javax.annotation.security annotations can be placed on methods as well as classes.  Great, that is what I was missing.  Everything compiles, it's nice and clean, no ejb-xml.jar to mess with, it deploys without a hitch.  Alas, it doesn't work



                package org.javactivity.ws.ejb;
                import javax.annotation.security.PermitAll;
                import javax.annotation.security.RolesAllowed;
                import javax.ejb.Stateless;
                import javax.jws.HandlerChain;
                import javax.jws.WebService;
                import javax.jws.soap.SOAPBinding;
                import org.jboss.ejb3.annotation.SecurityDomain;
                import org.jboss.wsf.spi.annotation.WebContext;
                import org.slf4j.Logger;
                import org.slf4j.LoggerFactory;
                        authMethod = "BASIC",
                        secureWSDLAccess = false)
                @SecurityDomain(value = "JBossWS")
                @WebService(targetNamespace = "http://org.javactivity/MyService/", 
                @SOAPBinding(style = SOAPBinding.Style.DOCUMENT, parameterStyle = SOAPBinding.ParameterStyle.BARE) 
                @HandlerChain(file = "handlers.xml") 
                public class MyServicePortImpl implements MyServicePort {
                    private static final Logger log = LoggerFactory.getLogger(MyServicePortImpl.class);
                    private static int nextSession = 0;
                    public int foo(UserTypeType usertype, String username, String key) {
                        log.debug("foo returning a value of {}", nextSession);
                        return nextSession;
                    public int login(UserIdentity identity) {
                        log.debug("Login returning a value of {}", nextSession);
                        return nextSession;

                If I supply a bad password, neither method allows access.  If I supply a good password, both methods allow access.  The annotations are not being recognized. Must the JBossWS security domain be configured somehow and if so how?


                What ELSE must I do to get these method permissions recognized by JBoss?