[jbossws-issues] [JBoss JIRA] (JBWS-3378) Both JAXWS & JAXRPC handlers have to be executed in EJB interceptor after EJB security interceptors

Richard Opalka (Commented) (JIRA) jira-events at lists.jboss.org
Thu Nov 3 06:34:45 EDT 2011


    [ https://issues.jboss.org/browse/JBWS-3378?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12639617#comment-12639617 ] 

Richard Opalka commented on JBWS-3378:
--------------------------------------

<carlo> ropalka: pong
<ropalka> carlo, I've got EJB related question
<ropalka> carlo, I'm finalizing JAXRPC EJB integration and
<ropalka> carlo, I'm working on JAXRPC server side handlers now
<ropalka> carlo, the requirements for JAXRPC EJB interceptors are:
<ropalka> ---
<ropalka>  * According to the ws4ee spec the handler logic must be invoked after the container
<ropalka>  * applied method level security to the invocation.
<ropalka> ---
<ropalka> carlo, where should I hook?
<ropalka> carlo, I see ComponentDescription have classLevelInterceptors and methodInterceptors
<ropalka> carlo, methodInterceptors seems more appropriate to me
<carlo> you should invoke through the service point view
<ropalka> carlo, this is what I have ATM - https://github.com/ropalka/jboss-as/blob/jaxrpc-ejb/webservices/server-integration/src/main/java/org/jboss/as/webservices/deployers/WSIntegrationProcessorJAXRPC_EJB.java
<ropalka> carlo, and invocations on JAXRPC EJB endpoints are working for me
<ropalka> carlo, newEjbEndpoint() interests U
<carlo> right, that should give you a ComponentView at the end of the day (as in InvocationHandlerEJB3)
<ropalka> carlo, and this is our EJB invocation abstraction - https://github.com/ropalka/jboss-as/blob/jaxrpc-ejb/webservices/server-integration/src/main/java/org/jboss/as/webservices/invocation/AbstractInvocationHandlerEJB.java
<carlo> right
<carlo> hmm, you need to explain a bit more about handlers
<carlo> the handler logic is the user supplied EJB, not?
<carlo> ropalka: ^
<ropalka> carlo, handler is XML processing handler
<ropalka> carlo, that is configured in webservices.xml
<carlo> ah, a kind of interceptor?
<ropalka> carlo, http://fpaste.org/K9h3/
<ropalka> carlo, yep
<carlo> ropalka: interesting, how did we do it in AS5/6?
<ropalka> carlo, a second ...
<ropalka> carlo, Our old invocation handler - http://fpaste.org/w14B/
<ropalka> carlo, Our old handler interceptor - http://fpaste.org/k7F6/
<carlo> ropalka: and the EJB 3.1 variant?
<ropalka> carlo, it was completely different - http://fpaste.org/AGsk/
<carlo> ropalka: in other words the EJB 3.1 was not compliant?
<carlo> I don't see security before handlers
<ropalka> carlo, neither I
<ropalka> carlo, I need to check JAXWS spec, but I think U'll be right. The requirement will be the same 
* ropalka 's checking JAXWS spec.
<carlo> doesn't RPC/WS specify its own security? the quoted bit doesn't really say whether it pertains EJB security constraints.
<ropalka> carlo, JSR 109 - Chapter 6.2.2.4 Security - 
<ropalka> ---
<ropalka> Handlers associated with a Port component run after authorization has occurred and before the business logic
<ropalka> method of the Service Implementation bean is dispatched to. For JAX-RPC or JAX-WS Service endpoints,
<ropalka> Handlers run after the container has performed the security constraint checks associated with the servlet
<ropalka> element that defines the Port component. For EJB based service implementations, Handlers run after method
<ropalka> level authorization has occurred.
<ropalka> ---
<ropalka> carlo, version 1.3 of JSR 109 (for clarification)
<carlo> interesting indeed
<ropalka> carlo, IOW U're right our old EJB3 inv. handler is bypassing this requirement :(
<ropalka> carlo, complete chapter text - http://fpaste.org/ovb9/
<carlo> just downloaded the jsr
<ropalka> :)
<carlo> ropalka: probably the EJB 2.1 construct makes the most sense. Insert an interceptor at a certain point.
<carlo> which is easier to do in AS7 :-)
<ropalka> carlo, yes, I agree
<ropalka> carlo, :D
<ropalka> carlo, so where/how to hook?
* ropalka 's waiting for suggestions ...
<carlo> EJBViewDescription.getConfigurators().add(new DoTheHandlersConfigurator() { ... } );
* ropalka created JBWS-3378 
<jbossbot> jira [JBWS-3378] Both JAXWS & JAXRPC handlers have to be executed in EJB interceptor after EJB security interceptors [Open (Unresolved) Sub-task, Major, Richard Opalka] https://issues.jboss.org/browse/JBWS-3378
<carlo> configure(...) { configuration.addViewInterceptor(DoHandlersInterceptors ...) }
<carlo> Then you can do anything in the DoHandlersInterceptor
<carlo> ropalka: %
<ropalka> carlo, thanks Carlo!
<carlo> I hate a German keyboard
<ropalka> :)
                
> Both JAXWS & JAXRPC handlers have to be executed in EJB interceptor after EJB security interceptors
> ---------------------------------------------------------------------------------------------------
>
>                 Key: JBWS-3378
>                 URL: https://issues.jboss.org/browse/JBWS-3378
>             Project: JBoss Web Services
>          Issue Type: Sub-task
>      Security Level: Public(Everyone can see) 
>            Reporter: Richard Opalka
>            Assignee: Richard Opalka
>             Fix For: jbossws-native-4.0,  jbossws-cxf-4.0
>
>
> JSR 109 - Version 1.3 - Chapter 6.2.2.4 Security
>  
> Handlers associated with a Port component run after authorization has occurred and before the business logic
> method of the Service Implementation bean is dispatched to. For JAX-RPC or JAX-WS Service endpoints,
> Handlers run after the container has performed the security constraint checks associated with the servlet
> element that defines the Port component. For EJB based service implementations, Handlers run after method
> level authorization has occurred.
