6 Replies Latest reply on Nov 17, 2004 2:47 PM by Marco Antonio Villalobos, Jr.

    Principal = null

    Marco Antonio Villalobos, Jr. Newbie

      I converted a stateless session bean into a web service.
      My deployment descriptor states that the security method permissions
      are unchecked for this stateless session bean.

      My jboss.xml does associate a security domain with this J2EE app.

      When I attempt to access my web service, I get the following error message:

      Caused by: javax.ejb.EJBException: checkSecurityAssociation; CausedByException is:
      Authentication exception, principal=null

      Any suggestions on how I solve this issue?

      Thank you.

        • 1. Re: Principal = null
          Jason Greene Master

          chek that the ejb create and remove methods are also unchecked


          • 2. Re: Principal = null
            Marco Antonio Villalobos, Jr. Newbie

            Here are the relevant ejb-jar.xml tags:



            The code that looks up the web service looks like this:

            private AddEventEndPoint getEndpoint() throws MalformedURLException, ServiceException
             if (endpoint==null)
             URL url = new URL(WEB_SERVICE);
             QName qname = new QName(NAMESPACE_URI,LOCAL_PART);
             ServiceFactory factory = ServiceFactory.newInstance();
             Service service = factory.createService(url,qname);
             endpoint = (AddEventEndPoint)service.getPort(AddEventEndPoint.class);
             return endpoint;
            public boolean execute() throws MalformedURLException, ServiceException, RemoteException
             return getEndpoint().addEvent(host, task, pid, severity, message, time);

            • 3. Re: Principal = null
              Thomas Diesler Master

              Even if the EJB is declared as unchecked JBossSX still requires a valid principal. Most login modules support the 'unauthenticatedIdentity' option.

               <application-policy name="JBossWS">
               <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
               <module-option name="unauthenticatedIdentity">anonymous</module-option>

              • 4. Re: Principal = null
                Marco Antonio Villalobos, Jr. Newbie

                This raises many more questions.


                I am using a custom security domain, how come it never gets called when I attempt to invoke this web service? Is this in anyway affected by the fact that I am calling this endpoint from a non-J2EE environement, as shown in the JBoss 4.0.0. Getting Started documentation? I never tested that web services example, but now I am beginning to wonder if it works.


                Is there an actual application policy named JBossWS that I must set? Or is JBossWS just a a place-holder for my custom application policy that I am using.

                <application-policy name="JBossWS">


                Will I need to modify the jboss.net and jboss.net-uddi aplication policies, or are those legacy configurations from jboss 3.2.X ?


                How do I insure that my non-J2EE Java Client gets passed through the authentication mechanisms(application policies in the login-config.xml)? I really am trying to setup a simple web services example with my stateless session bean, as shown in the Getting Started Documentation.

                • 5. Re: Principal = null
                  Jason Greene Master

                  ONE & TWO & THREE)
                  You can use any policy, JBossWS will just use whatever policy your EJBs are using. Just set your <security-domain> in your jboss.xml to your custom configuration. You may have to add the unauthenticated identity as before to your custom config

                  Yesterday I updated the wiki to show how to configure HTTP Basic and SSL authorization. See WSSecureEndpoint. Use this for non JBoss clients


                  • 6. Re: Principal = null
                    Marco Antonio Villalobos, Jr. Newbie

                    I want to thank everybody who helped. I resolved the issues at hand.
                    It goes without saying, all the problems were my fault.

                    I'll go over what fixed it.

                    ONE) I was accessing my web service through IntelliJ's Application Run feature. When I did that, well, for some odd reason authentication wouldn't be called. I still don't know why. When I access my webservice via JDK 1.4 and ANT, it all works fine.

                    TW0) My custom login module did handle the situation of username==null and password==null. I looked at the code for org.jboss.security.auth.spi.UsernamePasswordLoginModule for a nice example of how to implement that feature into my login module.

                    Once more, thank you everybody.