2 Replies Latest reply on Jan 27, 2015 6:13 AM by Jakub Grabowski

    Authentication bug on one-way JAX-WS methods

    Jakub Grabowski Newbie

      Hi,

       

      I wanted to discuss this issue with you before I file a bug in JIRA. Recently we've migrated quite large application from Glassfish 3 to Wildfly 8.2. In general it works ok, but I encountered strange issue.

       

      Here are some details:

      1. Application is EAR with two modules - WAR and EJB.

      2. Both modules are using same security domain with LdapExtended module.

      3. We have several webservices using JAX-WS. They follow WSDL to Java pattern where maven plugin generates interface that's implemented as stateless ejb.

      4. In one of our webservices we are using consistent authorization requirement - @RolesAllowed is set on component level. There's also @WebContext(authMethod="BASIC") annotation there.

       

      Now the problem:

      1. For two-way methods basic authentication and autorization works fine. User is authenticated with LDAP module and gets proper role that autorizes invocation. It works just fine. By two-way method I mean method with input and output message defined in WSDL.

      2. For one-way methods (return type void) user is not authenticated properly. It results in denial of method invocation.

      3. When I remove @RolesAllowed declaration I can see that for two-way methods authentication is correct (pricipal is set to logged user), but for one-way it's not - I get "anonymous" as principal.

      4. When I change one-way method to have input and output messages defined in WSDL and update implementation accordingly it suprisingly starts to work as expected.

       

      Have you noticed simillar problems?

       

      Thanks in advance for help.

       

      Regards,

      Jakub Grabowski.