[jboss-user] [JBoss Web Services] - JBoss not honoring @PermitAll - defect?

abhi0123 do-not-reply at jboss.com
Thu Apr 12 00:17:27 EDT 2012


abhi0123 [https://community.jboss.org/people/abhi0123] created the discussion

"JBoss not honoring @PermitAll - defect?"

To view the discussion, visit: https://community.jboss.org/message/729514#729514

--------------------------------------------------------------
I have an EJB3 WebService Endpoint secured using @DeclareRoles and @RolesAllowed. It is packaged as a war, with deployment descriptors jboss-ejb3.xml and jboss-webservices.xml. When I invoke a method marked @PermitAll from the standalone client, it fails with a 401 response. The method invocation is successful when credentials are provided. Problem is, credentials should not be required for a method marked @PermitAll.

I have intentionally omitted the handler code for brevity. If someone wants to see, I'll provide in a follow up post.

*TimeService.java*

import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.jws.HandlerChain;
import javax.jws.WebMethod;
import javax.jws.WebService;

@Stateless
@WebService(name = "Time", serviceName = "TimeService", portName = "TimeServicePort")
@HandlerChain(file = "handler-chain.xml")
@DeclareRoles({ "AppUser" })
public class TimeService {

  @WebMethod
  @PermitAll
  public Time getCurrentTime() {
    return new Time();
  }

  /* HttpBasicAuthenticationHandler authenticates this request */
  @WebMethod
  public Time getCurrentTimeAfterHttpBasicAuthentication() {
    return getCurrentTime();
  }

  @WebMethod
  @RolesAllowed("AppUser")
  public Time getCurrentTimeAfterDeclarativeRoleBasedAuthorization() {
    return getCurrentTime();
  }
}




*handler-chain.xml* (located in the same directory as the WebService Endpoint above)


<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<javaee:handler-chains xmlns:javaee="http://java.sun.com/xml/ns/javaee"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <javaee:handler-chain>
    <javaee:handler>
      <javaee:handler-class>edu.certification.abhijitsarkar.ocewsd.jaxws.utility.handler.SOAPRequestHandler</javaee:handler-class>
    </javaee:handler>
    <javaee:handler>
      <javaee:handler-class>edu.certification.abhijitsarkar.ocewsd.jaxws.ejb.webservice.handler.HttpBasicAuthenticationHandler</javaee:handler-class>
    </javaee:handler>
    <javaee:handler>
      <javaee:handler-class>edu.certification.abhijitsarkar.ocewsd.jaxws.ejb.webservice.handler.ProgrammaticAuthenticationHandler</javaee:handler-class>
    </javaee:handler>
  </javaee:handler-chain>
</javaee:handler-chains>



*jboss-ejb3.xml*


<?xml version="1.1" encoding="UTF-8"?>
<jboss:ejb-jar xmlns:jboss="http://www.jboss.com/xml/ns/javaee"
  xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:c="urn:clustering:1.0"
  xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee http://www.jboss.org/j2ee/schema/jboss-ejb3-2_0.xsd http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_1.xsd"
  version="3.1" impl-version="2.0">
  <assembly-descriptor xmlns="http://java.sun.com/xml/ns/javaee">
    <security:security xmlns:security="urn:security">
      <!-- domain name set up in JBoss $JBOSS_HOME/standalone/configuration/standalone.xml -->
      <security:security-domain>other</security:security-domain>
      <ejb-name>TimeService</ejb-name>
    </security:security>
  </assembly-descriptor>
</jboss:ejb-jar>



*jboss-webservices.xml*


<webservices xmlns="http://www.jboss.com/xml/ns/javaee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.0"
  xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee http://www.jboss.org/j2ee/schema/jboss_webservices_1_0.xsd">
  <context-root>/jaxws-ejb-1.0</context-root>
  <port-component>
    <ejb-name>TimeService</ejb-name>
    <port-component-uri>/TimeService</port-component-uri>
    <auth-method>BASIC</auth-method>
    <transport-guarantee>NONE</transport-guarantee>
    <secure-wsdl-access>false</secure-wsdl-access>
  </port-component>
</webservices>



*Client.java*


import javax.xml.ws.BindingProvider;

public class Client {

  public Time_Type getCurrentTime(String soapAction) {
    // getPort() and setSoapAction() are not shown in the post
    Time time = getPort();
    BindingProvider bp = (BindingProvider) time;
    // commenting out the credentials throws the following error
    // bp.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "abc");
    // bp.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, "abhijitsarkar");
    setSoapAction(soapAction, bp);
    return time.getCurrentTime();
  }
}



*Stacktrace*


com.sun.xml.ws.client.ClientTransportException: The server sent HTTP status code 401: Unauthorized
          at com.sun.xml.ws.transport.http.client.HttpTransportPipe.checkStatusCode(HttpTransportPipe.java:321)
          at com.sun.xml.ws.transport.http.client.HttpTransportPipe.createResponsePacket(HttpTransportPipe.java:270)
          at com.sun.xml.ws.transport.http.client.HttpTransportPipe.process(HttpTransportPipe.java:228)
          at com.sun.xml.ws.transport.http.client.HttpTransportPipe.processRequest(HttpTransportPipe.java:143)
          at com.sun.xml.ws.transport.DeferredTransportPipe.processRequest(DeferredTransportPipe.java:110)
          at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:961)
          at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:910)
          at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:873)
          at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:775)
          at com.sun.xml.ws.client.Stub.process(Stub.java:429)
          at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:168)
          at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:119)
          at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:102)
          at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:151)
          at $Proxy30.getCurrentTime(Unknown Source)
          at edu.certification.abhijitsarkar.ocewsd.jaxws.ejb.webservice.client.Client.getCurrentTime(Client.java:29)
          at edu.certification.abhijitsarkar.ocewsd.jaxws.ejb.webservice.client.ClientTest.testGetCurrentTime(ClientTest.java:17)
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
          at java.lang.reflect.Method.invoke(Method.java:597)
          at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:45)
          at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:15)
          at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:42)
          at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:20)
          at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:263)
          at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:68)
          at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:47)
          at org.junit.runners.ParentRunner$3.run(ParentRunner.java:231)
          at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:60)
          at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:229)
          at org.junit.runners.ParentRunner.access$000(ParentRunner.java:50)
          at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:222)
          at org.junit.runners.ParentRunner.run(ParentRunner.java:300)
          at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:50)
          at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
          at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:467)
          at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:683)
          at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:390)
          at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:197)



*application-users.properties*

Abhijit$ tail -5 application-users.properties 
# is for illustration only and does not correspond to a usable password.
#
#admin=2a0923285184943425d1f53ddd58ec7a
user=8544a03c79aee5b1c99458d83ee0f9e0
guest=1bb6b7c18b5c1dab17f5141fa398905a



*application-roles.properties*

Abhijit$ tail -5 application-roles.properties 
#
#admin=PowerUser,BillingAdmin,
#guest=guest
user=AppUser
guest=AppGuest
--------------------------------------------------------------
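The stack trace above shows a ClientTransportException raised for an HTTP 401, i.e. the request was rejected by the HTTP layer before any SOAP fault or EJBAccessException could be produced. That is the symptom of a port-level constraint: a port-component `<auth-method>` in jboss-webservices.xml is enforced by the web container on the endpoint URL, whereas @PermitAll is evaluated by the EJB container only once the request has been admitted, so the annotation never gets a say. The checker below encodes that ordering as a small lint over the two artefacts. It is an added example, not code from the post or from JBoss; the XML and Java strings are constructed from the snippets in the post (method bodies trimmed), and the "unchecked" label for an unannotated method refers only to the container-level rule (the post's HttpBasicAuthenticationHandler still runs for it).

```python
"""Effective-policy check for an EJB3 JAX-WS endpoint: port-level auth-method in
jboss-webservices.xml versus method-level @PermitAll / @RolesAllowed.

Added example; not code from the original post or from JBoss. It assumes the
jboss-webservices.xml and TimeService.java shapes shown in the post; the sample
strings below are constructed from those snippets.
"""
import re
import xml.etree.ElementTree as ET

JBOSS_NS = "{http://www.jboss.com/xml/ns/javaee}"

# Constructed from the post's jboss-webservices.xml (auth-method BASIC).
WEBSERVICES_XML_WITH_BASIC = """<webservices xmlns="http://www.jboss.com/xml/ns/javaee" version="1.0">
  <context-root>/jaxws-ejb-1.0</context-root>
  <port-component>
    <ejb-name>TimeService</ejb-name>
    <port-component-uri>/TimeService</port-component-uri>
    <auth-method>BASIC</auth-method>
    <transport-guarantee>NONE</transport-guarantee>
  </port-component>
</webservices>"""

# Constructed variant with the port-level auth-method removed.
WEBSERVICES_XML_NO_AUTH = WEBSERVICES_XML_WITH_BASIC.replace(
    "    <auth-method>BASIC</auth-method>\n", "")

# Constructed from the post's TimeService.java (method bodies trimmed).
TIME_SERVICE_JAVA = """
@Stateless
@WebService(name = "Time", serviceName = "TimeService", portName = "TimeServicePort")
@DeclareRoles({ "AppUser" })
public class TimeService {
  @WebMethod
  @PermitAll
  public Time getCurrentTime() { return new Time(); }

  @WebMethod
  public Time getCurrentTimeAfterHttpBasicAuthentication() { return getCurrentTime(); }

  @WebMethod
  @RolesAllowed("AppUser")
  public Time getCurrentTimeAfterDeclarativeRoleBasedAuthorization() { return getCurrentTime(); }
}
"""

# The run of annotations immediately preceding a public method declaration.
METHOD_RE = re.compile(r"((?:@\w+(?:\([^)]*\))?\s*)+)public\s+[\w<>\[\]]+\s+(\w+)\s*\(")


def port_auth_methods(xml_text):
    """Map ejb-name -> auth-method for each port-component that declares one."""
    root = ET.fromstring(xml_text)
    found = {}
    for pc in root.iter(JBOSS_NS + "port-component"):
        name = pc.findtext(JBOSS_NS + "ejb-name")
        auth = pc.findtext(JBOSS_NS + "auth-method")
        if name and auth:
            found[name.strip()] = auth.strip()
    return found


def web_methods(java_text):
    """Map each @WebMethod name -> EJB container rule derived from its annotations."""
    rules = {}
    for annotations, name in METHOD_RE.findall(java_text):
        names = re.findall(r"@(\w+)", annotations)
        if "WebMethod" not in names:
            continue
        if "PermitAll" in names:
            rules[name] = "PermitAll"
        elif "DenyAll" in names:
            rules[name] = "DenyAll"
        elif "RolesAllowed" in names:
            args = re.search(r"@RolesAllowed\s*\(([^)]*)\)", annotations).group(1)
            rules[name] = "RolesAllowed:" + ",".join(re.findall(r'"([^"]*)"', args))
        else:
            rules[name] = "unchecked"  # no container check; EJB default
    return rules


def effective_policy(xml_text, java_text, ejb_name):
    """Per web method: (web-layer auth, EJB rule, anonymous call reaches the bean?).

    A port-level auth-method makes the web container demand HTTP credentials
    for the whole endpoint URL before the EJB container evaluates @PermitAll,
    so an anonymous call is answered with 401 regardless of the annotation.
    """
    web_auth = port_auth_methods(xml_text).get(ejb_name)
    policy = {}
    for method, rule in web_methods(java_text).items():
        if web_auth:
            policy[method] = ("web:" + web_auth, rule, False)
        else:
            policy[method] = ("web:none", rule, rule in ("PermitAll", "unchecked"))
    return policy


def report(xml_text, java_text, ejb_name):
    """Human-readable summary, one line per web method."""
    rows = sorted(effective_policy(xml_text, java_text, ejb_name).items())
    return "\n".join(f"{m}: {web}, ejb:{rule}, anonymous_ok={anon}"
                     for m, (web, rule, anon) in rows)


if __name__ == "__main__":
    print(report(WEBSERVICES_XML_WITH_BASIC, TIME_SERVICE_JAVA, "TimeService"))
    print()
    print(report(WEBSERVICES_XML_NO_AUTH, TIME_SERVICE_JAVA, "TimeService"))
```

Running it prints `getCurrentTime: web:BASIC, ejb:PermitAll, anonymous_ok=False` for the post's configuration and `anonymous_ok=True` only once the port-level auth-method is gone; the @RolesAllowed method stays closed to anonymous callers in both runs, which is the split a reviewer would expect between transport-level authentication and method-level authorization.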
