[jbossws-issues] [JBoss JIRA] Commented: (JBWS-2535) Multiple security domain check is too overzealous

Zoltan Kiss (JIRA) jira-events at lists.jboss.org
Fri Jan 22 08:48:19 EST 2010


    [ https://jira.jboss.org/jira/browse/JBWS-2535?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12507727#action_12507727 ] 

Zoltan Kiss commented on JBWS-2535:
-----------------------------------

I figured out that the problem is how many EJB/WS you have in the same deployment. If multiple, then all of them must share the same SecurityDomain, even if one (or more of them) is not protected.
E.g. if you have SecuredBean and UnsecuredBean which are SLSBs and WSs too, then you have to annotate both of them with SecurityDomain, but only SecuredBean has to be annotated with WebContext:

---
@Stateless
@WebService(endpointInterface = "test.SecuredBeanLocal") 
@SecurityDomain("TestDomain") 
@WebContext(authMethod = "BASIC") 
public class SecuredBean implements SecuredBeanLocal { 

    @javax.annotation.Resource 
    private SessionContext ctx; 

    @WebMethod(operationName="sayHello")
    public String sayHello(String param1) { 
        return "Hello " + param1 + ": " + ctx.getCallerPrincipal().getName(); 
    } 

} 

---

@Stateless
@WebService(endpointInterface = "test.UnsecuredBeanLocal")
@SecurityDomain("TestDomain") 
public class UnsecuredBean implements UnsecuredBeanLocal { 

    @WebMethod(operationName="sayHello")
    public String sayHello(String param1) { 
        return "Hello " + param1; 
    } 

} 

---

If you omit the @SecurityDomain annotation on the second Bean then you will receive the error, because JBossWS wants to link both endpoints (which are in the same web context) to the same domain; and omitting the @SecurityDomain means that JBoss wants to use the default "other" config, but the other TestDomain was already linked.

> Multiple security domain check is too overzealous
> -------------------------------------------------
>
>                 Key: JBWS-2535
>                 URL: https://jira.jboss.org/jira/browse/JBWS-2535
>             Project: JBoss Web Services
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: jbossws-integration
>         Environment: Not sure about components or versions. It's definitely happening in AS 5.0.0.GA.
>            Reporter: Galder Zamarreno
>            Assignee: Darran Lofthouse
>
> If you mix up EJB3 SLSBs without security domains and SLSBs with SecurityDomain("other"), and 
> you add an EJB3 WS endpoint to the deployment archive, the deployment would fail with an exception
> similar to this:
>       Caused by: java.lang.IllegalStateException: Multiple security domains not supported
>               at org.jboss.wsf.container.jboss50.deployment.tomcat.SecurityHandlerEJB3.addSecurityDomain(SecurityHandlerEJB3.java:58)
>               at org.jboss.wsf.container.jboss50.transport.WebAppGenerator.createJBossWebAppDescriptor(WebAppGenerator.java:268)
>               at org.jboss.wsf.container.jboss50.transport.WebAppGenerator.generatWebDeployment(WebAppGenerator.java:101)
>               at org.jboss.wsf.container.jboss50.transport.WebAppGenerator.create(WebAppGenerator.java:85)
>               at org.jboss.wsf.container.jboss50.transport.EJBHttpTransportManager.createListener(EJBHttpTransportManager.java:78)
>               at org.jboss.wsf.framework.deployment.HttpTransportDeploymentAspect.create(HttpTransportDeploymentAspect.java:76)
>               at org.jboss.wsf.framework.deployment.DeploymentAspectManagerImpl.create(DeploymentAspectManagerImpl.java:121)
>               at org.jboss.wsf.container.jboss50.BareWSFRuntime.create(BareWSFRuntime.java:61)
>               at org.jboss.wsf.container.jboss50.deployer.ArchiveDeployerHook.deploy(ArchiveDeployerHook.java:84)
>               at org.jboss.wsf.container.jboss50.deployer.AbstractDeployerHookEJB.deploy(AbstractDeployerHookEJB.java:43)
>               at org.jboss.wsf.container.jboss50.deployer.AbstractWebServiceDeployer.internalDeploy(AbstractWebServiceDeployer.java:60)
>               at org.jboss.wsf.container.jboss50.deployer.WebServiceDeployerEJB.internalDeploy(WebServiceDeployerEJB.java:112)
>               at org.jboss.deployers.spi.deployer.helpers.AbstractRealDeployer.deploy(AbstractRealDeployer.java:50)
>               at org.jboss.deployers.plugins.deployers.DeployerWrapper.deploy(DeployerWrapper.java:171)
>               ... 18 more 
> The validation seems to be a bit too overzealous. 
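
A pre-deployment check for the constraint described in the comment above, as an added example that is not part of the original message or of JBossWS: it flags a deployment whose beans do not all declare the same @SecurityDomain. The nested `SecurityDomain` annotation is a local stand-in for the JBoss one, and `SecurityDomainLint`, `check` and `UnannotatedBean` are hypothetical names.

```java
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

public class SecurityDomainLint {

    // Local stand-in for the JBoss @SecurityDomain annotation (assumption),
    // so the example compiles without any JBoss jars on the classpath.
    @Retention(RetentionPolicy.RUNTIME)
    @interface SecurityDomain { String value(); }

    // Constructed sample beans: the first two mirror the workaround in the
    // comment, the third is a bean that carries no @SecurityDomain at all.
    @SecurityDomain("TestDomain") static class SecuredBean {}
    @SecurityDomain("TestDomain") static class UnsecuredBean {}
    static class UnannotatedBean {}

    /**
     * Groups the beans of one deployment by declared security domain.
     * Returns an empty list when every bean declares the same domain (or
     * none declares one); otherwise one finding per group, so the beans
     * that need a matching annotation are easy to spot.
     */
    static List<String> check(Class<?>... beans) {
        Map<String, List<String>> byDomain = new TreeMap<>();
        for (Class<?> bean : beans) {
            SecurityDomain sd = bean.getAnnotation(SecurityDomain.class);
            // A missing annotation is kept as its own group rather than
            // being folded into a default domain name.
            String key = (sd == null) ? "<none declared>" : sd.value();
            byDomain.computeIfAbsent(key, k -> new ArrayList<>()).add(bean.getSimpleName());
        }
        List<String> findings = new ArrayList<>();
        if (byDomain.size() > 1) {
            byDomain.forEach((domain, names) -> findings.add(domain + " -> " + names));
        }
        return findings;
    }

    public static void main(String[] args) {
        System.out.println("workaround: " + check(SecuredBean.class, UnsecuredBean.class));
        System.out.println("mixed:      " + check(SecuredBean.class, UnannotatedBean.class));
    }
}
```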
