2 Replies Latest reply on Jun 8, 2015 6:10 AM by Dmitry Lisovsky

    LocalBean WebService EJB - Security

    vasekt Newbie

      Hi,

       

      I'm quite new to Wildfly - trying to migrate from Glassfish.

      I am having issues with one of my apps - the App is EAR - and it won't start saying

       

      2014-04-30 13:07:37,429 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-9) MSC000001: Failed to start service jboss.deployment.subunit."WFAuth-EA.ear"."WFAuthAdminWS-ejb.jar".INSTALL: org.jboss.msc.service.StartException in service jboss.deployment.subunit."WFAuth-EA.ear"."WFAuthAdminWS-ejb.jar".INSTALL: JBAS018733: Failed to process phase INSTALL of subdeployment "WFAuthAdminWS-ejb.jar" of deployment "WFAuth-EA.ear"

              at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:166) [wildfly-server-8.0.0.Final.jar:8.0.0.Final]

              at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) [jboss-msc-1.2.0.Final.jar:1.2.0.Final]

              at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) [jboss-msc-1.2.0.Final.jar:1.2.0.Final]

              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_51]

              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_51]

              at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_51]

      Caused by: org.jboss.as.server.deployment.DeploymentUnitProcessingException: JBAS011030: Could not configure component PersonBean

              at org.jboss.as.ee.component.deployers.EEModuleConfigurationProcessor.deploy(EEModuleConfigurationProcessor.java:95)

              at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:159) [wildfly-server-8.0.0.Final.jar:8.0.0.Final]

              ... 5 more

      Caused by: java.lang.NullPointerException

              at org.jboss.as.ejb3.security.EJBSecurityViewConfigurator.handlePermissions(EJBSecurityViewConfigurator.java:211)

              at org.jboss.as.ejb3.security.EJBSecurityViewConfigurator.configure(EJBSecurityViewConfigurator.java:119)

              at org.jboss.as.ee.component.DefaultComponentViewConfigurator.configure(DefaultComponentViewConfigurator.java:68)

              at org.jboss.as.ee.component.deployers.EEModuleConfigurationProcessor.deploy(EEModuleConfigurationProcessor.java:81)

              ... 6 more


      This is my annotation at PersonBean:


      @Stateless

      @LocalBean

      @WebService( serviceName="PersonWSService", name="PersonWS" )

      @DeclareRoles( {"useradmin"} )

      @RolesAllowed( {"useradmin"} )

      public class PersonBean

       

      And jboss-app.xml:

       

      <!DOCTYPE jboss-app PUBLIC

          "-//JBoss//DTD J2EE Application 5.0//EN"

          "http://www.jboss.org/j2ee/dtd/jboss-app_5_0.dtd">

      <jboss-app >

          <security-domain>AccessRules</security-domain>

         

          <security-role>

              <role-name>person</role-name>

              <principal-name>person</principal-name>

          </security-role>

         

          <security-role>

              <role-name>useradmin</role-name>

              <principal-name>useradmin</principal-name>

          </security-role>

         

      </jboss-app>

       

       

      I tried a lot of things like however didn't manage to make it work. I tried Wildfly 8.0.0 Final and 8.1.0 CR1 . With no idea what is wrong I checked the source code of  org.jboss.as.ejb3.security.EJBSecurityViewConfigurator.java to see what is happening there, and I found this in configure method which seems to be related to my case

       

      // The way @WebService view integrates with EJBs is tricky. It marks the fully qualified bean class name as the view name of the service endpoint. Now, if that bean also has a @LocalBean (i.e. no-interface view)

      // then we now have 2 views with the same view name. In such cases, it's fine to skip one of those views and register this service only once, since essentially, the service is expected to return the same data

      // for both these views. So here we skip the @WebService view if the bean also has a @LocalBean (no-interface) view and let the EJBViewMethodSecurityAttributesService be built when the no-interface view is processed

      if (ejbComponentDescription instanceof SessionBeanComponentDescription && MethodIntf.SERVICE_ENDPOINT == ejbViewDescription.getMethodIntf() && ((SessionBeanComponentDescription) ejbComponentDescription).hasNoInterfaceView()) {

          viewMethodSecurityAttributesServiceBuilder = null;

          viewMethodSecurityAttributesServiceName = null;

      }

       

      So there's viewMethodSecurityAttributesServiceBuilder set to null but later there is a handlePermission call with viewMethodSecurityAttributesServiceBuilder parameter which causes the NullPointerException

       

      The question is: is there a bug with Securing @WebService @LocalBean or am I doing something wrong?

      Is anybody able to get secured @WebService @LocalBean working?

       

      Thanks