JBossWS-CXF - Unexpected authorization check when calling an unprotected resource
lpedriali Feb 19, 2014 11:37 AM

When calling a resource defined inside a war, where no authorization annotations on the service and no security constraints in the web.xml have been defined, I obtain the following stack trace error:
Caused by: javax.ejb.EJBAccessException: Invalid User
    at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:161) [:1.7.21]
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.2.GA]
    at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41) [:1.7.21]
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.2.GA]
    at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67) [:1.7.21]
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.2.GA]
    at org.jboss.ejb3.core.context.CurrentInvocationContextInterceptor.invoke(CurrentInvocationContextInterceptor.java:47) [1.7.21]
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.2.GA]
    at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67) [:1.0.1]
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.2.GA]
    at org.jboss.ejb3.interceptor.EJB3TCCLInterceptor.invoke(EJB3TCCLInterceptor.java:86) [:1.7.21]
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.2.GA]
    at org.jboss.ejb3.stateless.StatelessContainer.localInvoke(StatelessContainer.java:272) [:1.7.21]
    at org.jboss.ejb3.stateless.StatelessContainer.invokeEndpoint(StatelessContainer.java:617) [:1.7.21]
    at org.jboss.webservices.integration.invocation.InvocationHandlerEJB3.invoke(InvocationHandlerEJB3.java:137) [:6.1.0.Final]
    at org.jboss.wsf.stack.cxf.AbstractInvoker._invokeInternal(AbstractInvoker.java:164) [:3.4.1.GA]
    ... 38 more
I just define a security domain in a jboss-app.xml in the META-INF folder of my ear.
The application package configuration is:
- myEar.ear
  |
  |--META-INF
  |    |
  |    |-application.xml
  |    |-jboss.app.xml
  |
  |---lib
  |
  |--myJar.jar
  |--myWar.war
       |
       |---------WEB-INF
                   |
                   |-resources.jar
                   |-web.xml
My jboss-app.xml is:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-app>
    <security-domain>myDomain</security-domain>
</jboss-app>
myDomain refers to an application-policy defined in the login-config.xml file, containing a custom login module.
Why is security involved during this process, even if no security constraints have been defined? I'm using JBoss 6.1.0.Final.