<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<body link="#355491" alink="#4262a1" vlink="#355491" style="background: #e2e2e2; margin: 0; padding: 20px;">
<div>
        <table cellpadding="0" bgcolor="#FFFFFF" border="0" cellspacing="0" style="border: 1px solid #dadada; margin-bottom: 30px; width: 100%; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
                <tbody>
                        <tr>
                                <td>
                                        <table border="0" cellpadding="0" cellspacing="0" bgcolor="#FFFFFF" style="border: solid 2px #ccc; background: #dadada; width: 100%; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
                                                <tbody>
                                                        <tr>
                                                                <td bgcolor="#000000" valign="middle" height="58px" style="border-bottom: 1px solid #ccc; padding: 20px; -moz-border-radius-topleft: 3px; -moz-border-radius-topright: 3px; -webkit-border-top-right-radius: 5px; -webkit-border-top-left-radius: 5px;">
                                                                        <h1 style="color: #333333; font: bold 22px Arial, Helvetica, sans-serif; margin: 0; display: block !important;">
                                                                        <a href="https://community.jboss.org/index.jspa" style="text-decoration: none; color: #E1E1E1">JBoss Community</a></h1>
                                                                </td>
                                                        </tr>
                                                        <tr>
                                                                <td bgcolor="#FFFFFF" style="font: normal 12px Arial, Helvetica, sans-serif; color:#333333; padding: 20px; -moz-border-radius-bottomleft: 4px; -moz-border-radius-bottomright: 4px; -webkit-border-bottom-right-radius: 5px; -webkit-border-bottom-left-radius: 5px;"><h3 style="margin: 10px 0 5px; font-size: 17px; font-weight: normal;">
JBoss not honoring @PermitAll - defect?
</h3>
<span style="margin-bottom: 10px;">
created by <a href="https://community.jboss.org/people/abhi0123">abhi0123</a> in <i>JBoss Web Services</i> - <a href="https://community.jboss.org/message/729514#729514">View the full discussion</a>
</span>
<hr style="margin: 20px 0; border: none; background-color: #dadada; height: 1px;">
<div class="jive-rendered-content"><p>I have an EJB3 WebService Endpoint secured using @DeclareRoles and @RolesAllowed. It is packaged as a war, with deployment descriptors jboss-ejb3.xml and jboss-webservices.xml. When I invoke a method marked @PermitAll from the standalone client, it fails with a 401 response. The method invocation is successful when credentials are provided. The problem is, credentials should not be required for a method marked @PermitAll.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>I have intentionally omitted the handler code for brevity. If someone wants to see it, I'll provide it in a follow-up post.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p><strong>TimeService.java</strong></p><pre class="jive-pre"><code class="jive-code">
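import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.jws.HandlerChain;
import javax.jws.WebMethod;
import javax.jws.WebService;

@Stateless
@WebService(name = "Time", serviceName = "TimeService", portName = "TimeServicePort")
@HandlerChain(file = "handler-chain.xml")
@DeclareRoles({ "AppUser" })
public class TimeService {
    /* Annotated @PermitAll; the client call described in the post targets this method */
    @WebMethod
    @PermitAll
    public Time getCurrentTime() {
        return new Time();
    }

    /* HttpBasicAuthenticationHandler authenticates this request */
    @WebMethod
    public Time getCurrentTimeAfterHttpBasicAuthentication() {
        return getCurrentTime();
    }

    /* Restricted to the declared AppUser role */
    @WebMethod
    @RolesAllowed("AppUser")
    public Time getCurrentTimeAfterDeclarativeRoleBasedAuthorization() {
        return getCurrentTime();
    }
}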
</code></pre><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p><strong>handler-chain.xml </strong>(located in the same directory as the WebService Endpoint above)</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><pre class="jive-pre"><code class="jive-code jive-xml">
<span class="jive-xml-tag"><?xml version="1.0" encoding="UTF-8" standalone="yes"?></span>
<span class="jive-xml-tag"><span><javaee:handler-chains xmlns:javaee="</span><a class="jive-link-external-small" href="http://java.sun.com/xml/ns/javaee" target="_blank">http://java.sun.com/xml/ns/javaee</a><span>"
  xmlns:xsd="</span><a class="jive-link-external-small" href="http://www.w3.org/2001/XMLSchema" target="_blank">http://www.w3.org/2001/XMLSchema</a><span>"></span></span>
  <span class="jive-xml-tag"><javaee:handler-chain></span>
    <span class="jive-xml-tag"><javaee:handler></span>
      <span class="jive-xml-tag"><javaee:handler-class></span>edu.certification.abhijitsarkar.ocewsd.jaxws.utility.handler.SOAPRequestHandler<span class="jive-xml-tag"></javaee:handler-class></span>
    <span class="jive-xml-tag"></javaee:handler></span>
    <span class="jive-xml-tag"><javaee:handler></span>
      <span class="jive-xml-tag"><javaee:handler-class></span>edu.certification.abhijitsarkar.ocewsd.jaxws.ejb.webservice.handler.HttpBasicAuthenticationHandler<span class="jive-xml-tag"></javaee:handler-class></span>
    <span class="jive-xml-tag"></javaee:handler></span>
    <span class="jive-xml-tag"><javaee:handler></span>
      <span class="jive-xml-tag"><javaee:handler-class></span>edu.certification.abhijitsarkar.ocewsd.jaxws.ejb.webservice.handler.ProgrammaticAuthenticationHandler<span class="jive-xml-tag"></javaee:handler-class></span>
    <span class="jive-xml-tag"></javaee:handler></span>
  <span class="jive-xml-tag"></javaee:handler-chain></span>
<span class="jive-xml-tag"></javaee:handler-chains></span>
</code></pre><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p><strong>jboss-ejb3.xml</strong></p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><pre class="jive-pre"><code class="jive-code jive-xml">
<span class="jive-xml-tag"><?xml version="1.1" encoding="UTF-8"?></span>
<span class="jive-xml-tag"><span><jboss:ejb-jar xmlns:jboss="</span><a class="jive-link-external-small" href="http://www.jboss.com/xml/ns/javaee" target="_blank">http://www.jboss.com/xml/ns/javaee</a><span>"
  xmlns="</span><a class="jive-link-external-small" href="http://java.sun.com/xml/ns/javaee" target="_blank">http://java.sun.com/xml/ns/javaee</a><span>" xmlns:xsi="</span><a class="jive-link-external-small" href="http://www.w3.org/2001/XMLSchema-instance" target="_blank">http://www.w3.org/2001/XMLSchema-instance</a><span>"
  xmlns:c="urn:clustering:1.0"
  xsi:schemaLocation="</span><a class="jive-link-external-small" href="http://www.jboss.com/xml/ns/javaee" target="_blank">http://www.jboss.com/xml/ns/javaee</a><span> </span><a class="jive-link-external-small" href="http://www.jboss.org/j2ee/schema/jboss-ejb3-2_0.xsd" target="_blank">http://www.jboss.org/j2ee/schema/jboss-ejb3-2_0.xsd</a><span> </span><a class="jive-link-external-small" href="http://java.sun.com/xml/ns/javaee" target="_blank">http://java.sun.com/xml/ns/javaee</a><span> </span><a class="jive-link-external-small" href="http://java.sun.com/xml/ns/javaee/ejb-jar_3_1.xsd" target="_blank">http://java.sun.com/xml/ns/javaee/ejb-jar_3_1.xsd</a><span>"
  version="3.1" impl-version="2.0"></span></span>
  <span class="jive-xml-tag"><span><assembly-descriptor xmlns="</span><a class="jive-link-external-small" href="http://java.sun.com/xml/ns/javaee" target="_blank">http://java.sun.com/xml/ns/javaee</a><span>"></span></span>
    <span class="jive-xml-tag"><security:security xmlns:security="urn:security"></span>
      <span class="jive-xml-comment"><!-- domain name set up in JBoss $JBOSS_HOME/standalone/configuration/standalone.xml --></span>
      <span class="jive-xml-tag"><security:security-domain></span>other<span class="jive-xml-tag"></security:security-domain></span>
      <span class="jive-xml-tag"><ejb-name></span>TimeService<span class="jive-xml-tag"></ejb-name></span>
    <span class="jive-xml-tag"></security:security></span>
  <span class="jive-xml-tag"></assembly-descriptor></span>
<span class="jive-xml-tag"></jboss:ejb-jar></span>
</code></pre><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p><strong>jboss-webservices.xml</strong></p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><pre class="jive-pre"><code class="jive-code jive-xml">
<span class="jive-xml-tag"><span><webservices xmlns="</span><a class="jive-link-external-small" href="http://www.jboss.com/xml/ns/javaee" target="_blank">http://www.jboss.com/xml/ns/javaee</a><span>"
  xmlns:xsi="</span><a class="jive-link-external-small" href="http://www.w3.org/2001/XMLSchema-instance" target="_blank">http://www.w3.org/2001/XMLSchema-instance</a><span>" version="1.0"
  xsi:schemaLocation="</span><a class="jive-link-external-small" href="http://www.jboss.com/xml/ns/javaee" target="_blank">http://www.jboss.com/xml/ns/javaee</a><span> </span><a class="jive-link-external-small" href="http://www.jboss.org/j2ee/schema/jboss_webservices_1_0.xsd" target="_blank">http://www.jboss.org/j2ee/schema/jboss_webservices_1_0.xsd</a><span>"></span></span>
  <span class="jive-xml-tag"><context-root></span>/jaxws-ejb-1.0<span class="jive-xml-tag"></context-root></span>
  <span class="jive-xml-tag"><port-component></span>
    <span class="jive-xml-tag"><ejb-name></span>TimeService<span class="jive-xml-tag"></ejb-name></span>
    <span class="jive-xml-tag"><port-component-uri></span>/TimeService<span class="jive-xml-tag"></port-component-uri></span>
    <span class="jive-xml-tag"><auth-method></span>BASIC<span class="jive-xml-tag"></auth-method></span>
    <span class="jive-xml-tag"><transport-guarantee></span>NONE<span class="jive-xml-tag"></transport-guarantee></span>
    <span class="jive-xml-tag"><secure-wsdl-access></span>false<span class="jive-xml-tag"></secure-wsdl-access></span>
  <span class="jive-xml-tag"></port-component></span>
<span class="jive-xml-tag"></webservices></span>
</code></pre><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p><strong>Client.java</strong></p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><pre class="jive-pre"><code class="jive-code">
import javax.xml.ws.BindingProvider;

public class Client {
    // getPort() and setSoapAction() are helper methods not shown in the post
    public Time_Type getCurrentTime(String soapAction) {
        Time time = getPort();
        BindingProvider bp = (BindingProvider) time;
        // commenting out the credentials throws the following error
        // bp.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "abc");
        // bp.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, "abhijitsarkar");
        setSoapAction(soapAction, bp);
        return time.getCurrentTime();
    }
}
</code></pre><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p><strong>Stacktrace</strong></p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><pre class="jive-pre"><code class="jive-code">
com.sun.xml.ws.client.ClientTransportException: The server sent HTTP status code 401: Unauthorized
          at com.sun.xml.ws.transport.http.client.HttpTransportPipe.checkStatusCode(HttpTransportPipe.java:321)
          at com.sun.xml.ws.transport.http.client.HttpTransportPipe.createResponsePacket(HttpTransportPipe.java:270)
          at com.sun.xml.ws.transport.http.client.HttpTransportPipe.process(HttpTransportPipe.java:228)
          at com.sun.xml.ws.transport.http.client.HttpTransportPipe.processRequest(HttpTransportPipe.java:143)
          at com.sun.xml.ws.transport.DeferredTransportPipe.processRequest(DeferredTransportPipe.java:110)
          at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:961)
          at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:910)
          at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:873)
          at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:775)
          at com.sun.xml.ws.client.Stub.process(Stub.java:429)
          at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:168)
          at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:119)
          at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:102)
          at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:151)
          at $Proxy30.getCurrentTime(Unknown Source)
          at edu.certification.abhijitsarkar.ocewsd.jaxws.ejb.webservice.client.Client.getCurrentTime(Client.java:29)
          at edu.certification.abhijitsarkar.ocewsd.jaxws.ejb.webservice.client.ClientTest.testGetCurrentTime(ClientTest.java:17)
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
          at java.lang.reflect.Method.invoke(Method.java:597)
          at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:45)
          at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:15)
          at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:42)
          at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:20)
          at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:263)
          at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:68)
          at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:47)
          at org.junit.runners.ParentRunner$3.run(ParentRunner.java:231)
          at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:60)
          at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:229)
          at org.junit.runners.ParentRunner.access$000(ParentRunner.java:50)
          at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:222)
          at org.junit.runners.ParentRunner.run(ParentRunner.java:300)
          at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:50)
          at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
          at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:467)
          at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:683)
          at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:390)
          at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:197)
</code></pre><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p><strong>application-users.properties</strong></p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><pre class="jive-pre"><code class="jive-code">
Abhijit$ tail -5 application-users.properties
# is for illustration only and does not correspond to a usable password.
#
#admin=2a0923285184943425d1f53ddd58ec7a
user=8544a03c79aee5b1c99458d83ee0f9e0
guest=1bb6b7c18b5c1dab17f5141fa398905a
</code></pre><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p><strong>application-roles.properties</strong></p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><pre class="jive-pre"><code class="jive-code">
Abhijit$ tail -5 application-roles.properties
#
#admin=PowerUser,BillingAdmin,
#guest=guest
user=AppUser
guest=AppGuest
</code></pre></div>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</div>
</body>
</html>