5 Replies Latest reply on Nov 5, 2008 2:00 PM by Peter Johnson

    How to disable login+password popup when calling JBossWS in

    thoste Newbie

      When I call JBossWS in browser on a certain machine by entering:

      http://127.0.0.1:8080/jbossws/

      then a popup appears prompting me for username and login.

      This security dialog does NOT appear in other installations of JBossAS + JBossWS

      How do I

      a) disable this popup (and allow always a connect/browsing)

      or

      b) enter the username+password in a (which ?) config xml file
      which in turn is AUTOMATICALLY used in the future for login?

      Thomas

        • 1. Re: How to disable login+password popup when calling JBossWS
          jaikiran pai Master

          If you see such a pop-up, it indicates that someone has intentionally configured the application to be secure. So only a restricted set of users can log in to the application. So if you want to access the application, you will have to contact the admin to get the username/password.


          b) enter the username+password in a (which ?) config xml file
          which in turn is AUTOMATICALLY used in the future for login?


          It depends on the login module that is used for the authentication. It can even be a database instead of properties file.

          • 2. Re: How to disable login+password popup when calling JBossWS
            Peter Johnson Master

            What version of JBossAS are you using? Or are you using JBoss EAP? That might explain why you are being asked to log in on localhost but other installations are not requiring this.

            • 3. Re: How to disable login+password popup when calling JBossWS
              thoste Newbie

               

              "PeterJ" wrote:
              What version of JBossAS are you using? Or are you using JBoss EAP? That might explain why you are being asked to log in on localhost but other installations are not requiring this.


              Yes, I am working with JBoss EAP from JBoss Development Studio.

              Why is JBoss EAP different from "normal JBoss AS" ?

              Again: How can I suppress user+pw prompt (for JBoss EAP) ?

              • 4. Re: How to disable login+password popup when calling JBossWS
                Peter Johnson Master

                JBoss EAP comes with a readme.html file that highlights the differences between AS and EAP. Wait, the EAP binary download doesn't have the readme; instead it is in the docs download. In that file you will see this text:

                readme wrote:
                If you are using the rpm, or the zip distribution, please note that by default, authentication is enabled and no user accounts are set up. This is done to prevent unauthorized access to various services of JBoss AS. Please refer to the Installation Guide, or see http://kbase.redhat.com/faq/FAQ_107_9963.shtm for information on how to make the services accessible again.


                Thus, EAP is locked down. Not only are all of the services secured, but there is no way to log in to any of them.

                I just now installed devstudio. It doesn't contain this readme. How convenient. But looking at some key files it appears that the version of EAP that comes with devstudio is not locked down. I guess this makes sense because this version of EAP is meant for development use.

                However, the /jbossws context is still locked down. Curious. I guess they forgot to unlock it. Anyway, edit the server/xxx/deploy/jbossws.sar/jbossws-context.war/WEB-INF/jboss-web.xml file, commenting out the security-domain:

                <jboss-web>
                 <!-- A security domain that restricts access
                 <security-domain>java:/jaas/jmx-console</security-domain>
                 -->
                 <context-root>jbossws</context-root>
                </jboss-web>


                • 5. Re: How to disable login+password popup when calling JBossWS
                  Peter Johnson Master

                  Posted too soon, you also need to edit the web.xml file in the same directory, commenting out the security-constraint:

                   <!-- A security constraint that restricts access
                   <security-constraint>
                     <web-resource-collection>
                       <web-resource-name>jbossws</web-resource-name>
                       <description>Security configuration that only allows users with the
                         role 'JBossAdmin' to access the JBossWS console web application
                       </description>
                       <url-pattern>/*</url-pattern>
                       <http-method>GET</http-method>
                       <http-method>POST</http-method>
                     </web-resource-collection>
                     <auth-constraint>
                       <role-name>JBossAdmin</role-name>
                     </auth-constraint>
                   </security-constraint>
                   -->
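
Added example, not part of the thread and not JBoss code: a Python check that parses the two descriptors edited in replies 4 and 5 and reports whether the security-domain and the security-constraint are still active or have been commented out. The sample descriptors are constructed from the snippets above (the `web-app` wrapper is added), and `audit_context` and its status labels are names assumed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the snippets in the thread.
JBOSS_WEB_SECURED = """<jboss-web>
  <security-domain>java:/jaas/jmx-console</security-domain>
  <context-root>jbossws</context-root>
</jboss-web>"""
JBOSS_WEB_EDITED = """<jboss-web>
  <!-- A security domain that restricts access
  <security-domain>java:/jaas/jmx-console</security-domain>
  -->
  <context-root>jbossws</context-root>
</jboss-web>"""
WEB_SECURED = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>jbossws</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""
WEB_EDITED = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <!-- <security-constraint> ... </security-constraint> -->
</web-app>"""

def _name(elem):
    """Element name without its XML namespace: '{ns}tag' -> 'tag'."""
    return elem.tag.rsplit("}", 1)[-1]

def _texts(root, name):
    """Stripped text of every element under root called `name`."""
    return [(e.text or "").strip() for e in root.iter() if _name(e) == name]

def audit_context(jboss_web_xml, web_xml):
    """Report which of the two controls from the thread are still active."""
    # ElementTree drops XML comments while parsing, so a commented-out
    # element is simply absent from the tree and counts as disabled.
    web = ET.fromstring(web_xml)
    domain = _texts(ET.fromstring(jboss_web_xml), "security-domain")
    constraints = [e for e in web.iter() if _name(e) == "security-constraint"]
    roles = sorted({r for c in constraints for r in _texts(c, "role-name")})
    methods = sorted({m for c in constraints for m in _texts(c, "http-method")})
    state = (bool(domain), bool(constraints))
    status = {(True, True): "secured", (False, False): "open"}.get(state, "partial")
    return {"security_domain": domain[0] if domain else None,
            "roles": roles, "http_methods": methods, "status": status}
```

A "partial" result corresponds to the state between replies 4 and 5, where only one of the two files has been edited.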