1 Reply Latest reply on Jun 3, 2008 11:21 AM by Tom Goring

    Seam JAAS WebServices

    Tom Goring Apprentice

      Hi,


      I would like advise on how best to secure my web services. 


      I don't like the idea of writing a web method login call (as per seam manual) as I would like to use standard JAAS secuirty and something like authMethod = BASIC authentication (over SSL).  I want my WS client to be unaware of converstation id's etc (I.e. a plain stateless WS client).  I want the WS calls to be as standard as possible.


      So what I want (i think) is to use standard JAAS security for my WS calls and existing Seam security for my Web-app.  However my WS EJB layer will be calling down to SEAM components that will need the Seam context's etc available.


      E.g.



      @Stateless
      @WebService(name="EmployeeManagerWS", serviceName="EmployeeManagerWS")
      @RolesAllowed("Developer")
      @SecurityDomain("JnetJaasDbRealm")
      @WebContext(contextRoot = "/Jnet-WS", authMethod = "BASIC", transportGuarantee = "NONE", secureWSDLAccess = true)
      public class EmployeeManagerWSBean implements EmployeeManagerWS {
      



      Any views on my approach and the best way to go about this?


      Thanks


      Tom

        • 1. Re: Seam JAAS WebServices
          Tom Goring Apprentice

          Ok, maybe this will make things a bit clearer....


          I have a seam app working fine with a login page and restricted pages, etc, etc.


          I want to expose a webservice and I want to use HTTP Basic authentication.  As per Jboss WIKI


          Here is my WS:



          @Stateless
          @WebService(name="EmployeeManagerWS",serviceName="EmployeeManagerWS")
          @WebContext(contextRoot = "/Jnet-WS", authMethod = "BASIC", transportGuarantee = "NONE", secureWSDLAccess = true)
          @Name("employeeManagerWS")
          public class EmployeeManagerWSBean implements EmployeeManagerWS {
          



          when I view the wsdl I get a dialog asking for username/password (great).  But then the stack trace :(


          Why is the SeamLoginComponent not being called for this?  I though the default JAAS security module would be used for the app (which has been set as the seam one by seam).


          09:14:37,263 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
          java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
               at org.jboss.security.auth.spi.Util.loadProperties(Util.java:315)
               at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
               at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
               at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)
               at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)