Hint: Some web service implementations, such as the M$ Soap Toolkit, do not send basic authentication data until the server presents them with a 401 message. To ensure that the JBossAuthenticationHandler will not route an unauthenticated call with a "null" security association further down the line, but will notify the client instead, you should set the "validateUnauthenticatedCalls" option to "false". See Neal Sanches's investigations about that topic.
The default is that unauthenticated calls are routed through with a null association. How do you implement role checking? Through ejb-security or JBossAuthorizationHandler?
Thanks for your reply, CGJ.
I am doing role checking through JBossAuthorizationHandler.
After a bit more research I was able to get it to work. I tried setting the validateUnauthenticatedCalls option to "false", as in the reference you provided, but it didn't work. I couldn't find any documentation on that option, but a web search led me to this, which described it differently, indicating I should set the option to "true":

"By specifying the validateUnauthenticatedCalls=true option, the handler will however try to interface the securityManager with the NobodyPrincipal and an empty password and ask for a proper security association. This is important when dealing with MS Clients (thanks to John Landers for pointing this out) that won't send any authentication data if not confronted with an HTTP error on the first try."

(found in Google cache, original doc was gone)
So I set it to true and it worked... the initial unauthorized HTTP request returned a "401 Unauthorized" response, prompting the client to supply the user/password.
So it works, at least for now.... however, this comment in the "Neal Sanches investigations" reference is a little worrisome:
"Another UPDATE: I have been contacted by Frank
Heldt who let me know that JBoss 3.2.2 breaks the
I am using 3.2.1... I guess I won't be upgrading!
Thanks again for your help!
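The exchange discussed in this thread, modelled as an added Python example (this is not JBoss.NET code and is not from either poster): a constructed user store, a stand-in for the authentication handler that either challenges with 401 or routes the call onward with a null principal depending on a flag, and a client that behaves like the MS toolkit described above by withholding credentials until it sees a 401. The realm, the credentials and the function names (server_handle, ms_style_client) are all assumptions made for the example; the flag is named after the option in the thread but the handler below is only a model of the behaviour the two posts describe.

```python
import base64

# Constructed credential store and realm (assumptions, not from the thread).
USERS = {"alice": "s3cret"}
REALM = "JBoss.NET"


def authenticate(headers):
    """Return the principal named by a valid Basic Authorization header, else None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None
    return user if USERS.get(user) == password else None


def server_handle(headers, validate_unauthenticated_calls):
    """Model of the authentication handler.

    Returns (status, response_headers, principal). A principal of None means the
    call was routed downstream with a null security association.
    """
    principal = authenticate(headers)
    if principal is None and validate_unauthenticated_calls:
        # Challenge the client instead of passing a null association down the chain.
        return 401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM}, None
    # Authenticated, or validation switched off: the call proceeds either way.
    return 200, {}, principal


def ms_style_client(user, password, validate_unauthenticated_calls):
    """Client that sends no credentials until the server answers 401.

    Returns (trace, final_status, principal_seen_by_server); the trace lists each
    request the client made and the status it received.
    """
    trace = []
    status, resp_headers, principal = server_handle({}, validate_unauthenticated_calls)
    trace.append(("no-credentials", status))
    if status == 401 and "WWW-Authenticate" in resp_headers:
        token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
        status, resp_headers, principal = server_handle(
            {"Authorization": "Basic " + token}, validate_unauthenticated_calls
        )
        trace.append(("with-credentials", status))
    return trace, status, principal


if __name__ == "__main__":
    # With validation off the client is never challenged, so the call reaches the
    # service with a null principal; with it on, the 401 makes the client log in.
    for flag in (False, True):
        print("validateUnauthenticatedCalls=%s ->" % flag,
              ms_style_client("alice", "s3cret", flag))
```

With the flag off, the client's single unauthenticated request is accepted and the service behind the handler sees no principal at all, which is exactly the "null association" the first post warns about; any role check downstream then has nothing to check. With the flag on, the first request gets the 401 challenge, the client retries with Basic credentials and the service sees the real principal.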