14 Replies Latest reply on Sep 11, 2008 2:04 AM by Richard Opalka

    WS4EE and AS5

    Anil Saldanha Master

      I am trying to understand how JBossWS handles WS4EE for AS5. In the AS5 test suite, there is a test called as
      "org.jboss.test.webservice.jbws309.JBWS309TestCase".

      Now if you try to run this test against AS5 (no need for JACC configuration etc), I see that JBossWS is trying to deploy a web application for ejb based WS. This web application would be the entry point for the WS apps.

      Do you still dynamically generate the web.xml/jboss-web.xml?

        • 1. Re: WS4EE and AS5
          Anil Saldanha Master

           

          15:29:39,695 WARN [MainDeployer] undeploy 'file:/home/anil/jboss-5.0/jboss-head/testsuite/output/lib/ws4ee-jbws309.jar' : package not deployed
          15:29:39,695 INFO [MainDeployer] deploy, url=file:/home/anil/jboss-5.0/jboss-head/testsuite/output/lib/ws4ee-jbws309.jar
          15:29:40,269 WARN [CollectionPropertyHandler] ClassInfo.getDeclaredConstructor(null) didn't work for org.jboss.metadata.ejb.spec.InterceptorClassesMetaData, found the default ctor in ClassInfo.getDeclaredConstructors()
          15:29:41,231 INFO [EjbDeployer] installing bean: ejb/#BasicSecuredSLSB,uid1353625448
          15:29:41,231 INFO [EjbDeployer] with dependencies:
          15:29:41,231 INFO [EjbDeployer] and supplies:
          15:29:41,231 INFO [EjbDeployer] jndi:ejb/BasicSecuredSLSB
          15:29:41,231 INFO [EjbDeployer] installing bean: ejb/#RoleSecuredSLSB,uid644541754
          15:29:41,232 INFO [EjbDeployer] with dependencies:
          15:29:41,232 INFO [EjbDeployer] and supplies:
          15:29:41,232 INFO [EjbDeployer] jndi:ejb/RoleSecuredSLSB
          15:29:41,374 INFO [DefaultEndpointRegistry] register: jboss.ws:context=ws4ee-jbws309,endpoint=RoleSecuredSLSB
          15:29:41,377 INFO [DefaultEndpointRegistry] register: jboss.ws:context=ws4ee-jbws309,endpoint=BasicSecuredSLSB
          15:29:41,954 INFO [WSDLFilePublisher] WSDL published to: file:/home/anil/jboss-5.0/jboss-head/build/output/jboss-5.0.0.CR1/server/jacc/data/wsdl/ws4ee-jbws309.jar/OrganizationService.wsdl
          15:29:42,134 INFO [EjbModule] Deploying BasicSecuredSLSB
          15:29:42,283 INFO [EjbModule] Deploying RoleSecuredSLSB
          15:29:42,443 INFO [ProxyFactory] Bound EJB Home 'BasicSecuredSLSB' to jndi 'ejb/BasicSecuredSLSB'
          15:29:42,454 INFO [ProxyFactory] Bound EJB Home 'RoleSecuredSLSB' to jndi 'ejb/RoleSecuredSLSB'
          15:29:42,460 INFO [TomcatDeployment] deploy, ctxPath=/ws4ee-jbws309, vfsUrl=
          15:29:42,478 WARN [config] Unable to process deployment descriptor for context '/ws4ee-jbws309'
          15:29:43,351 WARN [MainDeployer] undeploy 'file:/home/anil/jboss-5.0/jboss-head/testsuite/output/lib/ws4ee-jbws309-client.jar' : package not deployed
          15:29:43,352 INFO [MainDeployer] deploy, url=file:/home/anil/jboss-5.0/jboss-head/testsuite/output/lib/ws4ee-jbws309-client.jar
          15:29:43,564 INFO [NativeServiceRefBinderJAXRPC] setupServiceRef [jndi=ws4ee-client/env/service/BasicSecured]
          15:29:43,578 INFO [NativeServiceRefBinderJAXRPC] setupServiceRef [jndi=ws4ee-client/env/service/RoleSecured]
          15:29:43,581 INFO [JBossASKernel] Created KernelDeployment for: ws4ee-jbws309-client.jar
          15:29:43,587 INFO [JBossASKernel] installing bean: jboss.j2ee:jar=ws4ee-jbws309-client.jar,name=ws4ee-client,service=EJB3
          15:29:43,587 INFO [JBossASKernel] with dependencies:
          15:29:43,587 INFO [JBossASKernel] and demands:
          15:29:43,588 INFO [JBossASKernel] and supplies:
          15:29:43,588 INFO [JBossASKernel] Added bean(jboss.j2ee:jar=ws4ee-jbws309-client.jar,name=ws4ee-client,service=EJB3) to KernelDeployment of: ws4ee-jbws309-client.jar
          15:29:43,635 INFO [ClientENCInjectionContainer] STARTED CLIENT ENC CONTAINER: ws4ee-client
          15:29:45,646 INFO [ClientENCInjectionContainer] STOPPED CLIENT ENC CONTAINER: ws4ee-client
          15:29:45,703 INFO [TomcatDeployment] undeploy, ctxPath=/ws4ee-jbws309, vfsUrl=
          15:29:45,731 INFO [ProxyFactory] Unbind EJB Home 'RoleSecuredSLSB' from jndi 'ejb/RoleSecuredSLSB'
          15:29:45,733 INFO [EjbModule] Undeployed RoleSecuredSLSB
          15:29:45,736 INFO [ProxyFactory] Unbind EJB Home 'BasicSecuredSLSB' from jndi 'ejb/BasicSecuredSLSB'
          15:29:45,740 INFO [EjbModule] Undeployed BasicSecuredSLSB
          15:29:45,751 INFO [DefaultEndpointRegistry] remove: jboss.ws:context=ws4ee-jbws309,endpoint=RoleSecuredSLSB
          15:29:45,766 INFO [DefaultEndpointRegistry] remove: jboss.ws:context=ws4ee-jbws309,endpoint=BasicSecuredSLSB
          


          As you can see, I am not sure if Tomcat is really deploying the ws4ee-jbws309.war properly

          • 2. Re: WS4EE and AS5
            Richard Opalka Master

             

            "anil.saldhana@jboss.com" wrote:

            I see that JBossWS is trying to deploy a web application for ejb based WS. This web application would be the entry point for the WS apps.

            Do you still dynamically generate the web.xml/jboss-web.xml?

            Yes, we still dynamically generate web.xml/jboss-web.xml for EJB endpoints.

            • 3. Re: WS4EE and AS5
              Anil Saldanha Master

              Is that statement really true? You generate web.xml/jboss-web.xml or you generate the JBossWebMetaData directly?

              • 4. Re: WS4EE and AS5
                Scott Stark Master

                The issue in jbossas5 is that unless the descriptor is generated before the parsing deployers execute, its not going to be used, at least properly. I think we still have duplicate descriptor parsing going on from legacy tomcat behavior, but I'm not sure since the JBAS-5144 changes.

                • 5. Re: WS4EE and AS5
                  Richard Opalka Master

                  We generate web.xml/jboss-web.xml for JBoss AS 5 Beta 4 and we generate JBossWebMetaData for JBoss AS 5 trunk.

                  • 6. Re: WS4EE and AS5
                    Alessio Soldano Master

                    I've taken a look at the failing tests (with JACC server conf). I confirm that on AS5 trunk jbossws currently generates JBossWebMetaData and attaches it to the deployment unit.

                    2008-08-20 12:07:01,625 DEBUG [org.jboss.web.tomcat.service.deployers.TomcatDeployer] (RMI TCP Connection(5)-127.0.0.1) Begin deploy, org.jboss.metadata.web.jboss.JBossWebMetaData@1f
                    2008-08-20 12:07:01,625 DEBUG [org.jboss.web.tomcat.service.deployers.TomcatDeployer] (RMI TCP Connection(5)-127.0.0.1) Unpacking war to: /home/alessio/dati/jboss-5.0-src/build/output/jboss-5.0.0.CR2/server/jacc/tmp/deploy/ws4ee-jbws309.jar23188-exp.war
                    
                    ...
                    
                    2008-08-20 12:07:01,674 DEBUG [org.jboss.web.tomcat.service.deployers.TomcatDeployment] (RMI TCP Connection(5)-127.0.0.1) Linked java:comp/UserTransaction to JNDI name: UserTransaction
                    2008-08-20 12:07:01,674 DEBUG [org.jboss.web.tomcat.service.deployers.TomcatDeployment] (RMI TCP Connection(5)-127.0.0.1) linkSecurityDomain
                    2008-08-20 12:07:01,674 DEBUG [org.jboss.web.tomcat.service.deployers.TomcatDeployment] (RMI TCP Connection(5)-127.0.0.1) Linking security/securityMgr to JNDI name: java:/jaas/JBossWS
                    2008-08-20 12:07:01,675 DEBUG [org.jboss.web.tomcat.service.deployers.TomcatDeployment] (RMI TCP Connection(5)-127.0.0.1) injectionContainer enabled and processing beginning
                    
                    ...
                    
                    2008-08-20 12:07:02,755 DEBUG [org.jboss.web.tomcat.service.deployers.TomcatDeployment] (RMI TCP Connection(5)-127.0.0.1) Initialized: {WebApplication: /home/alessio/dati/jboss-5.0-src/build/output/jboss-5.0.0.CR2/server/jacc/tmp/deploy/ws4ee-jbws309.jar23188-exp.war/, URL: file:/home/alessio/dati/jboss-5.0-src/build/output/jboss-5.0.0.CR2/server/jacc/tmp/deploy/ws4ee-jbws309.jar23188-exp.war/, classLoader: BaseClassLoader@2abdb{vfszip:/home/alessio/dati/jboss-5.0-src/testsuite/output/lib/ws4ee-jbws309.jar}:175067} jboss.web:j2eeType=WebModule,name=//localhost/ws4ee-jbws309,J2EEApplication=none,J2EEServer=none
                    


                    In the 3 failing tests the call is not authorized by the JBossAuthorizationContext, but looking at the messages that go on the wire, I see an HTTP/1.1 200 OK coming back as a reply to the POST request with the SOAP message. I think that's why an exception is not raised on client side and the tests fail with the "Security exception expected" message and the "Premature end of file" complaint. The jbossws endpoint servlet is not called.

                    Please note that it seems to me the ws calls are rejected in the same way even when using the right principal/credential.

                    • 7. Re: WS4EE and AS5
                      Stefan Guilhen Apprentice

                      Alessio is right when he says the endpoint servlet is not called. Running the tests with TRACE enabled for org.jboss.security shows us the following:

                      2008-08-26 14:30:19,078 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-127.0.0.1-8080-1) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.JACCAuthorizationModule:{}required}is:[required]
                      2008-08-26 14:30:19,079 TRACE [org.jboss.security.authorization.modules.web.WebJACCPolicyModuleDelegate] (http-127.0.0.1-8080-1) resourceCheck=false : userDataCheck=true : roleRefCheck=false
                      2008-08-26 14:30:19,080 TRACE [org.jboss.security.authorization.modules.web.WebJACCPolicyModuleDelegate] (http-127.0.0.1-8080-1) hasUserDataPermission, p=(javax.security.jacc.WebUserDataPermission / POST)
                      2008-08-26 14:30:19,080 TRACE [org.jboss.security.jacc.ContextPolicy] (http-127.0.0.1-8080-1) No principals found in domain: ProtectionDomain null
                       null
                       <no principals>
                       java.security.Permissions@1ed6d94 (
                       (javax.security.jacc.EJBMethodPermission RoleSecuredSLSB)[*:*()]
                       (javax.security.jacc.EJBMethodPermission BasicSecuredSLSB)[*:*()]
                       [RoleSecuredSLSB,role-ref=friend]
                      )
                      
                      
                      2008-08-26 14:30:19,080 TRACE [org.jboss.security.jacc.DelegatingPolicy] (http-127.0.0.1-8080-1) implied=false
                      2008-08-26 14:30:19,080 TRACE [org.jboss.security.authorization.modules.web.WebJACCPolicyModuleDelegate] (http-127.0.0.1-8080-1) Denied: (javax.security.jacc.WebUserDataPermission / POST)
                      2008-08-26 14:30:19,080 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-127.0.0.1-8080-1) Error in authorize:
                      org.jboss.security.authorization.AuthorizationException: Authorization Failed:Denied.
                       at org.jboss.security.plugins.authorization.JBossAuthorizationContext.invokeAuthorize(JBossAuthorizationContext.java:268)
                       at org.jboss.security.plugins.authorization.JBossAuthorizationContext.access$000(JBossAuthorizationContext.java:67)
                       at org.jboss.security.plugins.authorization.JBossAuthorizationContext$1.run(JBossAuthorizationContext.java:153)
                       at java.security.AccessController.doPrivileged(Native Method)
                       at org.jboss.security.plugins.authorization.JBossAuthorizationContext.authorize(JBossAuthorizationContext.java:149)
                       at org.jboss.security.plugins.JBossAuthorizationManager.internalAuthorization(JBossAuthorizationManager.java:455)
                       at org.jboss.security.plugins.JBossAuthorizationManager.authorize(JBossAuthorizationManager.java:121)
                       at org.jboss.security.plugins.javaee.WebAuthorizationHelper.hasUserDataPermission(WebAuthorizationHelper.java:179)
                       at org.jboss.web.tomcat.security.JBossWebRealm.hasUserDataPermission(JBossWebRealm.java:614)
                       at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:461)
                       at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:90)
                       at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:96)
                       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
                       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
                       at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
                       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
                       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:325)
                       at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:828)
                       at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:601)
                       at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
                       at java.lang.Thread.run(Thread.java:595)
                      2008-08-26 14:30:19,080 TRACE [org.jboss.security.plugins.javaee.WebAuthorizationHelper] (http-127.0.0.1-8080-1) hasRole check failed:Authorization Failed:Denied.
                      


                      As we can see, JBossAuthorizationContext doesn't grant access to the endpoint servlet. So, either we have an incomplete policy or we are inappropriately performing authorization checks on this servlet.


                      Please note that it seems to me the ws calls are rejected in the same way even when using the right principal/credential


                      You are probably right here. The tests would fail even when using the right authentication info because access to the endpoint servlet would be rejected anyway.

                      • 8. Re: WS4EE and AS5
                        Anil Saldanha Master

                         

                        "richard.opalka@jboss.com" wrote:
                        We generate web.xml/jboss-web.xml for JBoss AS 5 Beta 4 and we generate JBossWebMetaData for JBoss AS 5 trunk.


                        JACC permissions are created based on the JBossWebMetaData. So I am suspecting that it seems to be some type of a timing issue that the WS processing (dynamic generation/metadata population) is happening after the Security Deployer that works on the metadata.

                        • 9. Re: WS4EE and AS5
                          Anil Saldanha Master

                          On the client side (testsuite), I see in the logs:

                          2008-09-08 10:49:39,078 ERROR [org.jboss.ws.core.jaxrpc.client.ServiceObjectFactoryJAXRPC] Cannot create service
                          javax.naming.NamingException: Cannot unmarshall service ref meta data [Root exception is java.io.IOException: unknown protocol: vfszip]
                           at org.jboss.ws.core.jaxrpc.client.ServiceObjectFactoryJAXRPC.getObjectInstance(ServiceObjectFactoryJAXRPC.java:120)
                           at javax.naming.spi.NamingManager.getObjectInstance(NamingManager.java:304)
                           at org.jnp.interfaces.NamingContext.getObjectInstance(NamingContext.java:1315)
                           at org.jnp.interfaces.NamingContext.getObjectInstanceWrapFailure(NamingContext.java:1332)
                           at org.jnp.interfaces.NamingContext.lookup(NamingContext.java:765)
                           at org.jboss.naming.client.java.javaURLContextFactory$EncContextProxy.invoke(javaURLContextFactory.java:153)
                           at $Proxy4.lookup(Unknown Source)
                           at javax.naming.InitialContext.lookup(InitialContext.java:351)
                           at org.jboss.test.webservice.jbws309.JBWS309TestCase.testRoleSecuredServiceAccess(JBWS309TestCase.java:173)
                          
                          


                          Is this exception a cause for concern?

                          UPDATE: I think this is probably important:
                           InitialContext iniCtx = getClientContext();
                           Service service = (Service)iniCtx.lookup("java:comp/env/service/RoleSecured");
                          


                          • 10. Re: WS4EE and AS5
                            Anil Saldanha Master

                            Please ignore my last stacktrace.

                            • 12. Re: WS4EE and AS5
                              Anil Saldanha Master

                              Please, can the JBossWS team take a look at what the issue is with JBossWS and JDK6?
                              http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4175594

                              • 14. Re: WS4EE and AS5
                                Richard Opalka Master

                                Updated instructions are:

                                Copy the following jars to ${JBOSS_HOME}/lib/endorsed from JBossWS-Dist/lib (since 3.0.2 version):


                                jaxb-api.jar
                                jbossws-native-jaxrpc.jar
                                jbossws-native-jaxws.jar
                                jbossws-native-jaxws-ext.jar
                                jbossws-native-saaj.jar


                                We're successfully testing JBossWS against JDK6 on regular basis.