Judes Tumuhairwe [http://community.jboss.org/people/tumuhairwe] created the discussion "EJB3 JBossWS Authentication in 5.1.0 GA not working" To view the discussion, visit: http://community.jboss.org/message/565984#565984 -------------------------------------------------------------- Hi I've read this [1] and [2] and [3] and a whole bunch of others (including the JBoss In Action book) and they all say the same thing: 1. Configure a data-source (*-ds.xml file) 2. Define a domain (conf/login-config.xml) 3. Tell the app about it:     a. put the <security-domain> in jboss-web.xml and in the     b. META-INF/jboss.xml     c. add a security constraint in web.xml 4. Annotate the EJB/Web-service with the security annotations (@SecurityDomain, @WebContext and @RolesAllowed in addition to @Stateless and @Webservice) 5. build, package & deploy as an ear 6. Add the values to the request-context map of the BindingProvider when calling...and everything should work. But nothing is working for me i.e. I keep getting a 401 error (Unauthorized). (I've been struggling with this for days now) Question is can anyone see what I'm doing wrong. Environment: Java version: 1.5.0_22, JBoss 5.1.0 GA, JBoss Web Services - Stack Native Core (3.1.2.GA) conf/login-config.xml (fragment) [still gives a HTTP 401 even if I use the default JBossWS] The datasource (I've verified that this works) jboss-web.xml (the article [1] says its only for POJO's but it doesn't make a difference if I remove the <security-domain> tag) <?xml version="1.0" encoding="UTF-8"?> <jboss-web>     <class-loading java2ClassLoadingCompliance="false">         <loader-repository>             <loader-repository-config>                 java2ParentDelegation=false             </loader-repository-config>         </loader-repository>     </class-loading>     <context-root>/verifiq</context-root>         <security-domain flushOnSessionInvalidation="false">verifiq-domain</security-domain> </jboss-web> jboss.xml (in the ejb jar's META-INF) Same as above i.e. doesn't make a difference if I uncomment. <?xml version="1.0" encoding="UTF-8"?> <jboss>     <security-domain>verifiq-domain</security-domain>         <!--     <webservices>         <context-root>/service</context-root>     </webservices>     <enterprise-beans>       <session>           <ejb-name>ExpulsionStatusBean</ejb-name>           <jndi-name>ExpulsionStatusBean</jndi-name>           <security-domain>verifiq-domain</security-domain>           <port-component>               <port-component-name>ExplusionStatusServicePort</port-component-name>               <port-component-uri>/ExplusionStatusBeanPort</port-component-uri>               <auth-method>BASIC</auth-method>               <transport-guarantee>NONE</transport-guarantee>               <secure-wsdl-access>false</secure-wsdl-access>           </port-component>           -->           <!--           <resource-ref>               <res-ref-name>jdbc/postgresql</res-ref-name>               <jndi-name>java:/VerifiqDS</jndi-name>           </resource-ref>           -->           <!--           <clustered>true</clustered>           <cluster-config>               <partition-name>DefaultPartition</partition-name>               <load-balance-policy>org.jboss.ha.framework.interfaces.RandomRobin</load-balance-policy>            </cluster-config>            -->            <!--         </session>      </enterprise-beans>      --> </jboss> ExpulsionStatusBean.java [intentionally skipped the contextRoot in @WebContext because: 1. it puts the context (e.g. /service) outside the app's (/verifiq) i.e. security-constraint definitions in web.xml become useless since we now have localhost:8080/services and localhost:8080/verifiq. 2. It applies that service to all the web-services in that ejb jar (even though I've explicitly asked for a different contextRoot on another web-service) Either way, even when I access them at a different location /services/serviceName?wsdl the result is the same i.e. HTTP 401] @Stateless @WebService @Local(ExplusionStatusService.class) @SecurityDomain(value="JBossWS") @RolesAllowed("friend") @WebContext(authMethod="BASIC", transportGuarantee="NONE", secureWSDLAccess=false) public class ExplusionStatusBean implements ExplusionStatusService, Serializable {       @Resource     private SessionContext context;       @WebMethod     public String expell(@WebParam(name="person") Person person) {         String retVal = "Expelling " + person.getSchoolAssignedID();         System.out.println("ExplusionStatusBean.expell(): invoked");         System.out.println("ExplusionStatusBean.expell(): Student: " + person);         System.out.println("ExplusionStatusBean.expell(): caller: " + context.getCallerPrincipal());         System.out.println("ExplusionStatusBean.expell(): returning " + retVal);         return retVal;     } } Expeller.java (snipped just main() ) public static void main(String[] args) {         try {             log.info("Constructing...");             ExplusionStatusBeanService esb = new ExplusionStatusBeanService(new URL("http://127.0.0.1:8080/verifiq-verifiq-ejb/ExplusionStatusBean?wsdl"));             ExplusionStatusBean service = esb.getExplusionStatusBeanPort();                         log.info("Computing password");             String password = "thefrog";             //password = DigestUtils.md5Hex(password);                         //String pass =             log.info("Setting authentication info");             //BindingProvider bp = (BindingProvider)service;             //Map<String, Object> authentication = bp.getRequestContext();             ((BindingProvider)service).getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "kermit");             ((BindingProvider)service).getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, password);             System.out.println("Using username kermit and password=" + password);               log.info("Invoking...");             Person person = getJudes();     // Person is just a regular JPA pojo (mapped) (with name & schoolId)             String response = service.expell(person);             log.info("Response receieved successfully! " + response);           } catch (Exception ex) {             ex.printStackTrace();             log.log(Level.SEVERE, null, ex);         }     } server.log (I'm 100% certain the user kermit->thefrog exists in both the props/jbossws-*.properties file (when I use the default JBossWS) and in the database.) 2010-10-12 01:09:07,797 DEBUG org.jboss.security.auth.spi.DatabaseServerLoginModule org.jboss.security.auth.spi.DatabaseServerLoginModule (http-127.0.0.1-8080-1) Bad password for username=kermit 2010-10-12 01:09:07,797 DEBUG org.jboss.security.auth.spi.DatabaseServerLoginModule org.jboss.security.auth.spi.DatabaseServerLoginModule (http-127.0.0.1-8080-1) Bad password for username=kermit Like I said, I'm 100% certain the kermit exists & has the role 'friend' (see attached screenshot) Is there anything I'm missing? web.xml (supposedly for POJOs only but I've included a snippet anyway. Doesn't matter if I comment or uncomment it out. Same result "Bad password" error) <security-constraint>           <web-resource-collection>                <web-resource-name>All webservices</web-resource-name>                <description>Protects all webservices</description>                <url-pattern>/service</url-pattern>           </web-resource-collection>           <auth-constraint>                <role-name>admissions-viewer</role-name>                <role-name>friend</role-name>           </auth-constraint>      </security-constraint>      <security-role>           <role-name>admissions-viewer</role-name>      </security-role>      <security-role>           <role-name>friend</role-name>      </security-role>      <security-role>          <role-name>admissions-manager</role-name>      </security-role>      <login-config>           <auth-method>BASIC</auth-method>           <realm-name>Verifiq Webservices Realm</realm-name>      </login-config> I've gone over it countless times & I'm just frustrated. It really shouldn't be that hard to get it to work...in theory :-) Is there anything I'm missing? TIA, Judes Tumuhairwe References: [1] http://community.jboss.org/docs/DOC-13533 http://community.jboss.org/wiki/JBossWS-Authentication [2] http://www.coderanch.com/t/477889/JBoss/Securing-Application-JBoss http://www.coderanch.com/t/477889/JBoss/Securing-Application-JBoss [3] http://thatjavathing.blogspot.com/2009/05/authentication-and-authorizatio... http://thatjavathing.blogspot.com/2009/05/authentication-and-authorizatio... -------------------------------------------------------------- Reply to this message by going to Community [http://community.jboss.org/message/565984#565984] Start a new discussion in JBoss Web Services at Community [http://community.jboss.org/choose-container!input.jspa?contentType=1&...]