1 Reply Latest reply on Jun 3, 2008 11:21 AM by tom_goring

    Seam JAAS WebServices

    tom_goring

      Hi,


      I would like advice on how best to secure my web services.


      I don't like the idea of writing a web method login call (as per the Seam manual), as I would like to use standard JAAS security and something like authMethod = BASIC authentication (over SSL).  I want my WS client to be unaware of conversation IDs etc. (i.e. a plain stateless WS client).  I want the WS calls to be as standard as possible.


      So what I want (I think) is to use standard JAAS security for my WS calls and existing Seam security for my web app.  However, my WS EJB layer will be calling down to Seam components that will need the Seam contexts etc. available.


      E.g.



      @Stateless
      @WebService(name="EmployeeManagerWS", serviceName="EmployeeManagerWS")
      @RolesAllowed("Developer")
      @SecurityDomain("JnetJaasDbRealm")
      @WebContext(contextRoot = "/Jnet-WS", authMethod = "BASIC", transportGuarantee = "NONE", secureWSDLAccess = true)
      public class EmployeeManagerWSBean implements EmployeeManagerWS {
      



      Any views on my approach and the best way to go about this?


      Thanks


      Tom
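
Added example, not part of the original post: a small Python check over the annotation block quoted above. It flags a `@WebContext` that combines `authMethod = "BASIC"` with a `transportGuarantee` other than `CONFIDENTIAL`, since the post asks for BASIC over SSL while the annotation sets `NONE`. The function names and the treatment of a missing `transportGuarantee` as `NONE` are assumptions of this example.

```python
import re

# Constructed sample: the annotation block quoted in the post above.
SAMPLE = '''
@Stateless
@WebService(name="EmployeeManagerWS", serviceName="EmployeeManagerWS")
@RolesAllowed("Developer")
@SecurityDomain("JnetJaasDbRealm")
@WebContext(contextRoot = "/Jnet-WS", authMethod = "BASIC", transportGuarantee = "NONE", secureWSDLAccess = true)
public class EmployeeManagerWSBean implements EmployeeManagerWS {
'''

# Simple matcher: assumes no ')' inside the annotation's string values.
WEBCONTEXT_RE = re.compile(r'@WebContext\s*\((.*?)\)', re.S)
# name = "quoted value"  or  name = bareValue (e.g. true)
ATTR_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|(\w+))')


def parse_webcontext(source):
    """Return one dict of attribute name -> value per @WebContext annotation."""
    annotations = []
    for match in WEBCONTEXT_RE.finditer(source):
        attrs = {}
        for name, quoted, bare in ATTR_RE.findall(match.group(1)):
            attrs[name] = quoted if quoted else bare
        annotations.append(attrs)
    return annotations


def check(source):
    """Flag BASIC auth that is not paired with a CONFIDENTIAL transport."""
    findings = []
    for attrs in parse_webcontext(source):
        auth = attrs.get("authMethod", "").upper()
        # Assumption of this example: a missing value is treated as NONE.
        guarantee = (attrs.get("transportGuarantee") or "NONE").upper()
        if auth == "BASIC" and guarantee != "CONFIDENTIAL":
            findings.append(
                f"{attrs.get('contextRoot', '?')}: authMethod=BASIC with "
                f"transportGuarantee={guarantee}; the container will accept "
                "the Basic credentials over plain HTTP"
            )
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE):
        print(finding)
```
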

        • 1. Re: Seam JAAS WebServices
          tom_goring

          Ok, maybe this will make things a bit clearer....


          I have a seam app working fine with a login page and restricted pages, etc, etc.


          I want to expose a web service and I want to use HTTP Basic authentication, as per the JBoss wiki.


          Here is my WS:



          @Stateless
          @WebService(name="EmployeeManagerWS",serviceName="EmployeeManagerWS")
          @WebContext(contextRoot = "/Jnet-WS", authMethod = "BASIC", transportGuarantee = "NONE", secureWSDLAccess = true)
          @Name("employeeManagerWS")
          public class EmployeeManagerWSBean implements EmployeeManagerWS {
          



          When I view the WSDL I get a dialog asking for username/password (great).  But then the stack trace :(


          Why is the SeamLoginComponent not being called for this?  I thought the default JAAS security module would be used for the app (which has been set as the Seam one by Seam).


          09:14:37,263 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
          java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
               at org.jboss.security.auth.spi.Util.loadProperties(Util.java:315)
               at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
               at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
               at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)
               at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)