[jboss-user] [JBoss Web Services] - EJB3 JBossWS Authentication in 5.1.0 GA not working
Judes Tumuhairwe
do-not-reply at jboss.com
Tue Oct 12 01:36:32 EDT 2010
Judes Tumuhairwe [http://community.jboss.org/people/tumuhairwe] created the discussion
"EJB3 JBossWS Authentication in 5.1.0 GA not working"
To view the discussion, visit: http://community.jboss.org/message/565984#565984
--------------------------------------------------------------
Hi
I've read this [1] and [2] and [3] and a whole bunch of others (including the JBoss In Action book) and they all say the same thing:
1. Configure a data-source (*-ds.xml file)
2. Define a domain (conf/login-config.xml)
3. Tell the app about it:
a. put the <security-domain> in jboss-web.xml and in the
b. META-INF/jboss.xml
c. add a security constraint in web.xml
4. Annotate the EJB/Web-service with the security annotations (@SecurityDomain, @WebContext and @RolesAllowed in addition to @Stateless and @Webservice)
5. build, package & deploy as an ear
6. Add the values to the request-context map of the BindingProvider when calling...and everything should work.
But nothing is working for me i.e. I keep getting a 401 error (Unauthorized). (I've been struggling with this for days now) Question is can anyone see what I'm doing wrong.
Environment: Java version: 1.5.0_22, JBoss 5.1.0 GA, JBoss Web Services - Stack Native Core (3.1.2.GA)
conf/login-config.xml (fragment)
[still gives a HTTP 401 even if I use the default JBossWS]
The datasource (I've verified that this works)
jboss-web.xml (the article [1] says its only for POJO's but it doesn't make a difference if I remove the <security-domain> tag)
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
<class-loading java2ClassLoadingCompliance="false">
<loader-repository>
<loader-repository-config>
java2ParentDelegation=false
</loader-repository-config>
</loader-repository>
</class-loading>
<context-root>/verifiq</context-root>
<security-domain flushOnSessionInvalidation="false">verifiq-domain</security-domain>
</jboss-web>
jboss.xml (in the ejb jar's META-INF) Same as above i.e. doesn't make a difference if I uncomment.
<?xml version="1.0" encoding="UTF-8"?>
<jboss>
<security-domain>verifiq-domain</security-domain>
<!--
<webservices>
<context-root>/service</context-root>
</webservices>
<enterprise-beans>
<session>
<ejb-name>ExpulsionStatusBean</ejb-name>
<jndi-name>ExpulsionStatusBean</jndi-name>
<security-domain>verifiq-domain</security-domain>
<port-component>
<port-component-name>ExplusionStatusServicePort</port-component-name>
<port-component-uri>/ExplusionStatusBeanPort</port-component-uri>
<auth-method>BASIC</auth-method>
<transport-guarantee>NONE</transport-guarantee>
<secure-wsdl-access>false</secure-wsdl-access>
</port-component>
-->
<!--
<resource-ref>
<res-ref-name>jdbc/postgresql</res-ref-name>
<jndi-name>java:/VerifiqDS</jndi-name>
</resource-ref>
-->
<!--
<clustered>true</clustered>
<cluster-config>
<partition-name>DefaultPartition</partition-name>
<load-balance-policy>org.jboss.ha.framework.interfaces.RandomRobin</load-balance-policy>
</cluster-config>
-->
<!--
</session>
</enterprise-beans>
-->
</jboss>
ExpulsionStatusBean.java [intentionally skipped the contextRoot in @WebContext because:
1. it puts the context (e.g. /service) outside the app's (/verifiq) i.e. security-constraint definitions in web.xml become useless since we now have localhost:8080/services and localhost:8080/verifiq.
2. It applies that service to all the web-services in that ejb jar (even though I've explicitly asked for a different contextRoot on another web-service)
Either way, even when I access them at a different location /services/serviceName?wsdl the result is the same i.e. HTTP 401]
@Stateless
@WebService
@Local(ExplusionStatusService.class)
@SecurityDomain(value="JBossWS")
@RolesAllowed("friend")
@WebContext(authMethod="BASIC", transportGuarantee="NONE", secureWSDLAccess=false)
public class ExplusionStatusBean implements ExplusionStatusService, Serializable {
@Resource
private SessionContext context;
@WebMethod
public String expell(@WebParam(name="person") Person person) {
String retVal = "Expelling " + person.getSchoolAssignedID();
System.out.println("ExplusionStatusBean.expell(): invoked");
System.out.println("ExplusionStatusBean.expell(): Student: " + person);
System.out.println("ExplusionStatusBean.expell(): caller: " + context.getCallerPrincipal());
System.out.println("ExplusionStatusBean.expell(): returning " + retVal);
return retVal;
}
}
Expeller.java (snipped just main() )
public static void main(String[] args) {
try {
log.info("Constructing...");
ExplusionStatusBeanService esb = new ExplusionStatusBeanService(new URL("http://127.0.0.1:8080/verifiq-verifiq-ejb/ExplusionStatusBean?wsdl"));
ExplusionStatusBean service = esb.getExplusionStatusBeanPort();
log.info("Computing password");
String password = "thefrog";
//password = DigestUtils.md5Hex(password);
//String pass =
log.info("Setting authentication info");
//BindingProvider bp = (BindingProvider)service;
//Map<String, Object> authentication = bp.getRequestContext();
((BindingProvider)service).getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "kermit");
((BindingProvider)service).getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, password);
System.out.println("Using username kermit and password=" + password);
log.info("Invoking...");
Person person = getJudes(); // Person is just a regular JPA pojo (mapped) (with name & schoolId)
String response = service.expell(person);
log.info("Response receieved successfully! " + response);
} catch (Exception ex) {
ex.printStackTrace();
log.log(Level.SEVERE, null, ex);
}
}
server.log
(I'm 100% certain the user kermit->thefrog exists in both the props/jbossws-*.properties file (when I use the default JBossWS) and in the database.)
2010-10-12 01:09:07,797 DEBUG org.jboss.security.auth.spi.DatabaseServerLoginModule org.jboss.security.auth.spi.DatabaseServerLoginModule (http-127.0.0.1-8080-1) Bad password for username=kermit
2010-10-12 01:09:07,797 DEBUG org.jboss.security.auth.spi.DatabaseServerLoginModule org.jboss.security.auth.spi.DatabaseServerLoginModule (http-127.0.0.1-8080-1) Bad password for username=kermit
Like I said, I'm 100% certain the kermit exists & has the role 'friend' (see attached screenshot)
Is there anything I'm missing?
web.xml (supposedly for POJOs only but I've included a snippet anyway. Doesn't matter if I comment or uncomment it out. Same result "Bad password" error)
<security-constraint>
<web-resource-collection>
<web-resource-name>All webservices</web-resource-name>
<description>Protects all webservices</description>
<url-pattern>/service</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admissions-viewer</role-name>
<role-name>friend</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>admissions-viewer</role-name>
</security-role>
<security-role>
<role-name>friend</role-name>
</security-role>
<security-role>
<role-name>admissions-manager</role-name>
</security-role>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Verifiq Webservices Realm</realm-name>
</login-config>
I've gone over it countless times & I'm just frustrated. It really shouldn't be that hard to get it to work...in theory :-)
Is there anything I'm missing?
TIA,
Judes Tumuhairwe
References:
[1] http://community.jboss.org/docs/DOC-13533 http://community.jboss.org/wiki/JBossWS-Authentication
[2] http://www.coderanch.com/t/477889/JBoss/Securing-Application-JBoss http://www.coderanch.com/t/477889/JBoss/Securing-Application-JBoss
[3] http://thatjavathing.blogspot.com/2009/05/authentication-and-authorization-with_30.html http://thatjavathing.blogspot.com/2009/05/authentication-and-authorization-with_30.html
--------------------------------------------------------------
Reply to this message by going to Community
[http://community.jboss.org/message/565984#565984]
Start a new discussion in JBoss Web Services at Community
[http://community.jboss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2044]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/jboss-user/attachments/20101012/a0daa7c7/attachment-0001.html
More information about the jboss-user
mailing list