9 Replies Latest reply on Apr 29, 2013 10:43 AM by dlofthouse Branched from an earlier discussion.

    @DenyAll on EJB methods

      I have the specific problem that I put @DenyAll on the methods, but the container doesn't deny access to those methods. Did you find any solution to that?

        • 1. Re: @DenyAll on EJB methods
          jaikiran

          Which version of JBoss AS? What does your bean code look like and how are you invoking it?

          • 2. Re: @DenyAll on EJB methods

            I'm using jboss-as-7.1.1.Final

            I have a web service:

            {code:java}
            package edu.vi.service;

            import javax.annotation.security.DenyAll;
            import javax.annotation.security.RolesAllowed;
            import javax.jws.WebMethod;
            import javax.jws.WebService;
            import org.jboss.security.annotation.SecurityDomain;

            @WebService
            @SecurityDomain("JbosWS")
            @DenyAll
            public class ServiceImpl {

                @WebMethod
                @RolesAllowed("Admin")
                public String saludo(String nombre){
                    System.out.println("Hola "+nombre+"!!!");
                    return "Hola "+nombre+"!!!";
                }

                @WebMethod
                public String despedida(String nombre){
                    System.out.println("Chao "+nombre+"!!!");
                    return "Chao "+nombre+"!!!";
                }

            }
            {code}

             

             

            My security domain is configured:

            {code:xml}
            <security-domain name="JBossWS">
                <authentication>
                    <login-module code="UsersRoles" flag="required">
                        <module-option name="usersProperties" value="${jboss.server.config.dir}/jbossws-users.properties"/>
                        <module-option name="rolesProperties" value="${jboss.server.config.dir}/jbossws-roles.properties"/>
                        <module-option name="unauthenticatedIdentity" value="anonymous"/>
                    </login-module>
                </authentication>
            </security-domain>
            {code}

             

             

            My jbossws-users.properties:

            {code}
            kermit=thefrog
            paul=condori
            {code}

            My jbossws-roles.properties:

            {code}
            kermit=Admin
            paul=Guest
            {code}

             

            The web.xml

            {code:xml}
            <?xml version="1.0" encoding="UTF-8"?>
            <web-app xmlns="http://java.sun.com/xml/ns/javaee"
                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                     xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
                     version="3.0">

                <servlet>
                    <servlet-name>HelloService</servlet-name>
                    <servlet-class>edu.vi.service.ServiceImpl</servlet-class>
                </servlet>

                <servlet-mapping>
                    <servlet-name>HelloService</servlet-name>
                    <url-pattern>/hello</url-pattern>
                </servlet-mapping>

                <security-constraint>
                    <web-resource-collection>
                        <web-resource-name>WRCollection</web-resource-name>
                        <url-pattern>/hello</url-pattern>
                    </web-resource-collection>
                    <auth-constraint>
                        <role-name>Admin</role-name>
                    </auth-constraint>
                </security-constraint>

                <security-role>
                    <role-name>Admin</role-name>
                </security-role>
                <security-role>
                    <role-name>Guest</role-name>
                </security-role>

                <login-config>
                    <auth-method>BASIC</auth-method>
                </login-config>

            </web-app>
            {code}

            The jboss-web.xml

            {code:xml}
            <?xml version="1.0" encoding="UTF-8"?>
            <jboss-web>
              <security-domain>java:/jaas/JBossWS</security-domain>
              <context-root>/JbossWSE7</context-root>
            </jboss-web>
            {code}

             

             

            And my client is:

            {code:java}
            package jbosswse7client;

            import edu.vi.service.ServiceImpl;
            import edu.vi.service.ServiceImplService;
            import javax.xml.ws.BindingProvider;

            public class JbossWSE7Client {
                public static void main(String[] args) {
                    ServiceImplService service = new ServiceImplService();
                    ServiceImpl port = service.getServiceImplPort();

                    // HTTP BASIC credentials for the web.xml login-config
                    ((BindingProvider)port).getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "kermit");
                    ((BindingProvider)port).getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, "thefrog");

                    System.out.println(port.saludo("JERSON"));
                    System.out.println(port.despedida("JERSON"));
                }
            }
            {code}

             

             

             

            And the output when I run the client is:

            {code}
            #Hola JERSON
            #Chao JERSON
            {code}

            It's supposed to throw an Exception when calling port.despedida("JERSON") because it is denied. What could be the problem?
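A small check for the setup above, added here as an example and not part of the original post: it calls both operations as each user from the poster's jbossws-users.properties / jbossws-roles.properties and compares what the server actually allowed with what the annotations say it should allow (class-level @DenyAll, @RolesAllowed("Admin") only on saludo). It reuses the page's generated client stubs (ServiceImplService, ServiceImpl); the class name AccessCheckClient and the table of expected outcomes are my own.

```java
package jbosswse7client;

import javax.xml.ws.BindingProvider;
import javax.xml.ws.WebServiceException;

import edu.vi.service.ServiceImpl;
import edu.vi.service.ServiceImplService;

/**
 * Added example (not the original poster's code): invokes every operation as
 * every configured user and reports whether the observed outcome matches the
 * access rules declared by the annotations on ServiceImpl.
 */
public class AccessCheckClient {

    /** What the annotations declare: only saludo is open, and only to Admin. */
    static boolean expectedAllowed(String role, String operation) {
        return "saludo".equals(operation) && "Admin".equals(role);
    }

    /** Builds a port whose HTTP BASIC credentials are those of the given user. */
    static ServiceImpl portFor(String user, String password) {
        ServiceImpl port = new ServiceImplService().getServiceImplPort();
        BindingProvider bp = (BindingProvider) port;
        bp.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, user);
        bp.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, password);
        return port;
    }

    /**
     * Returns true if the call went through. Both a SOAP fault raised for an
     * access-denied error and an HTTP 401/403 from the web.xml constraint
     * surface on the client as a WebServiceException, so either counts as denied.
     */
    static boolean invoke(ServiceImpl port, String operation) {
        try {
            if ("saludo".equals(operation)) {
                port.saludo("JERSON");
            } else {
                port.despedida("JERSON");
            }
            return true;
        } catch (WebServiceException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // user, password, role: taken from the properties files in the question
        String[][] users = {
            {"kermit", "thefrog", "Admin"},
            {"paul",   "condori", "Guest"},
        };
        String[] operations = {"saludo", "despedida"};
        boolean allAsExpected = true;

        for (String[] u : users) {
            ServiceImpl port = portFor(u[0], u[1]);
            for (String op : operations) {
                boolean allowed = invoke(port, op);
                boolean expected = expectedAllowed(u[2], op);
                System.out.printf("%-7s %-10s allowed=%-5s expected=%-5s %s%n",
                        u[0], op, allowed, expected, allowed == expected ? "OK" : "MISMATCH");
                allAsExpected &= (allowed == expected);
            }
        }
        System.out.println(allAsExpected
                ? "Access rules enforced as annotated."
                : "Access rules NOT enforced as annotated.");
    }
}
```

With the configuration in the question, the line for kermit / despedida is the one to watch: it should read allowed=false, and any MISMATCH there means the container is not applying @DenyAll to the endpoint at all.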

            • 3. Re: @DenyAll on EJB methods
              jaikiran

              I don't see an EJB anywhere in there. This looks like a WebService question. I don't have enough knowledge about how security is specified/implemented for webservices which aren't backed by EJBs. I'll see if someone from the WS team can take a look at this.

              • 4. Re: @DenyAll on EJB methods
                sfcoy

                Is this:

                {code:java}@SecurityDomain("JbosWS"){code}

                 

                a typo?

                • 5. Re: @DenyAll on EJB methods

                  Stephen:

                  A security domain!

                  In standalone.xml, I configured:

                  {code:xml}
                  <security-domain name="JBossWS">
                      <authentication>
                          <login-module code="UsersRoles" flag="required">
                              <module-option name="usersProperties" value="${jboss.server.config.dir}/jbossws-users.properties"/>
                              <module-option name="rolesProperties" value="${jboss.server.config.dir}/jbossws-roles.properties"/>
                              <module-option name="unauthenticatedIdentity" value="anonymous"/>
                          </login-module>
                      </authentication>
                  </security-domain>
                  {code}

                  So I put the annotation in order for my application to authenticate with this security domain and no other.

                  Jaikiran:

                  That really happens to me at all levels; the last one I tried was a web service, but if I implement an EJB or a simple Servlet, it works in the same way, ignoring the @DenyAll annotation or @Deny or @RolesAllowed.

                  • 6. Re: @DenyAll on EJB methods
                    sfcoy

                    Look closer.

                     

                    "JbosWS"?

                    • 7. Re: @DenyAll on EJB methods

                      You're right!!

                      I made the correction:

                      {code:java}
                      @WebService
                      @SecurityDomain("JBossWS")
                      @DenyAll
                      public class ServiceImpl {

                          @WebMethod
                          @RolesAllowed("Admin")
                          public String saludo(String nombre){
                              System.out.println("Hola "+nombre+"!!!");
                              return "Hola "+nombre+"!!!";
                          }

                          @WebMethod
                          public String despedida(String nombre){
                              System.out.println("Chao "+nombre+"!!!");
                              return "Chao "+nombre+"!!!";
                          }

                      }
                      {code}

                      But it works in the same way, ignoring the @DenyAll annotation!

                      • 8. Re: @DenyAll on EJB methods
                        sfcoy

                        Well, I think it should work.

                         

                        However, the specs (even in JEE7) are kind of vague about it, simply saying that the "EJB" and "Web" containers must support them, without mentioning which managed objects this would include. To muddy the water even further, the Servlet 3.0 spec added in explicit support and then removed it again following the public review phase.

                         

                        The WildFly source base only contains a test for EJB style web services that use these annotations.

                        • 9. Re: @DenyAll on EJB methods
                          dlofthouse

                          I think you have the wrong @SecurityDomain annotation; can you try switching to the one in the package 'org.jboss.ejb3.annotation'.
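What the last two replies add up to, written out as an example (mine, not code from the thread or from JBoss): the endpoint becomes a @Stateless session bean so the call passes through the EJB container, whose @DenyAll / @RolesAllowed handling is what the WildFly tests cover, and the security domain is bound with org.jboss.ejb3.annotation.SecurityDomain rather than org.jboss.security.annotation.SecurityDomain. The domain name, role and method names are the poster's; that the ejb3 annotation comes from the jboss-ejb3-ext-api artifact is my assumption about the build setup.

```java
package edu.vi.service;

import javax.annotation.security.DenyAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.jws.WebMethod;
import javax.jws.WebService;

// EJB-specific annotation suggested in reply 9 (assumed to come from the
// jboss-ejb3-ext-api artifact). Note the package: this is NOT
// org.jboss.security.annotation.SecurityDomain, which the original class used.
import org.jboss.ejb3.annotation.SecurityDomain;

/**
 * Added example, not the original poster's code: EJB-backed variant of the
 * page's endpoint. As a session bean the invocation is authorized by the EJB
 * container, which enforces the javax.annotation.security annotations.
 */
@Stateless
@WebService
@SecurityDomain("JBossWS")   // must match <security-domain name="JBossWS"> in standalone.xml exactly
@DenyAll                     // class-wide default: no method is reachable unless it opens itself up
public class ServiceImpl {

    @WebMethod
    @RolesAllowed("Admin")   // only principals holding Admin (kermit in jbossws-roles.properties)
    public String saludo(String nombre) {
        return "Hola " + nombre + "!!!";
    }

    @WebMethod               // no override, so the class-level @DenyAll applies to every caller
    public String despedida(String nombre) {
        return "Chao " + nombre + "!!!";
    }
}
```

Two things change around the bean compared with the question's deployment: the EJB container publishes the endpoint itself, so ServiceImpl is no longer listed as a <servlet> in web.xml (the <security-constraint> and BASIC <login-config> can stay to authenticate the HTTP request), and a denied call now reaches the client as a SOAP fault rather than as the "Chao JERSON" line the poster saw.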