[jboss-jira] [JBoss JIRA] (WFLY-4289) Authentication bug on one-way JAX-WS methods
Jim Ma (JIRA)
issues at jboss.org
Thu Apr 16 23:31:19 EDT 2015
[ https://issues.jboss.org/browse/WFLY-4289?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13059937#comment-13059937 ]
Jim Ma commented on WFLY-4289:
------------------------------
[~jakub_grabowski] thanks for another try. I saw this authorization failure too. It is caused by the one-way EJB server-side invocation being executed in another thread by the CXF stack. I've created https://issues.jboss.org/browse/JBWS-3905 and fixed this by setting "use original thread" in the CXF message for one-way operations. This fix should be included in the next WildFly 9 release.
To quickly resolve this for your deployment, you can add a CXF interceptor like the EjbWSOneWayThreadInterceptor in [1], and add it to this EJB deployment with a jboss-webservices.xml, like [2].
I added a new test case testMethodLevelRolesAllowedOneWay() in SecurityDomainTestCase to cover this scenario.
Please let me know if this works for you.
[1] http://anonsvn.jboss.org/repos/jbossws/stack/cxf/trunk/modules/server/src/main/java/org/jboss/wsf/stack/cxf/interceptor/MessagePropertySettingInterceptor.java
[2] http://anonsvn.jboss.org/repos/jbossws/stack/cxf/trunk/modules/testsuite/shared-tests/src/test/resources/jaxws/samples/securityDomain/jboss-webservices.xml
> Authentication bug on one-way JAX-WS methods
> --------------------------------------------
>
> Key: WFLY-4289
> URL: https://issues.jboss.org/browse/WFLY-4289
> Project: WildFly
> Issue Type: Bug
> Components: Security, Web Services
> Affects Versions: 8.2.0.Final
> Reporter: Jakub Grabowski
> Assignee: Jim Ma
>
> 1. For two-way methods basic authentication and authorization works fine. User is authenticated with LDAP module and gets proper role that authorizes invocation. It works just fine. By two-way method I mean method with input and output message defined in WSDL.
> 2. For one-way methods (return type void) user is not authenticated properly. It results in denial of method invocation.
> 3. When I remove @RolesAllowed declaration I can see that for two-way methods authentication is correct (principal is set to logged user), but for one-way it's not - I get "anonymous" as principal.
> 4. When I change one-way method to have input and output messages defined in WSDL and update implementation accordingly it surprisingly starts to work as expected.
> It's quite serious issue, because currently there's no way to have authorized access to oneway webservice methods.
--
This message was sent by Atlassian JIRA
(v6.3.11#6341)
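The workaround Jim Ma describes (a CXF in-interceptor that tells OneWayProcessorInterceptor to keep the one-way dispatch on the request thread) as an added, self-contained example. This is not the JBWS-3905 code nor the EjbWSOneWayThreadInterceptor from [1]; the class name and package are hypothetical. The only real identifiers it relies on are CXF's `OneWayProcessorInterceptor.USE_ORIGINAL_THREAD` property and the `cxf.interceptors.in` descriptor property, which is assumed to be how the linked jboss-webservices.xml in [2] registers the interceptor.

```java
package com.example.ws; // hypothetical package, not from JBossWS

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.interceptor.OneWayProcessorInterceptor;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;

/**
 * Inbound CXF interceptor that keeps a one-way invocation on the request
 * thread. By default OneWayProcessorInterceptor hands the rest of the
 * chain to a worker thread; the container's security context (the principal
 * authenticated by BASIC auth against the LDAP login module) is bound to the
 * request thread, so the worker thread reaches the EJB as "anonymous" and
 * @RolesAllowed denies the call. Two-way calls never fork, which is why
 * they were unaffected.
 *
 * Hypothetical class; only the CXF property name is real.
 */
public class OneWayOriginalThreadInterceptor extends AbstractPhaseInterceptor<Message> {

    public OneWayOriginalThreadInterceptor() {
        // Same phase as OneWayProcessorInterceptor, ordered before it so the
        // property is already present when it decides whether to fork.
        super(Phase.PRE_LOGICAL);
        addBefore(OneWayProcessorInterceptor.class.getName());
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        // The exchange's one-way flag is resolved during unmarshalling, so it
        // is reliable by PRE_LOGICAL. Leave request/response operations alone.
        if (message.getExchange().isOneWay()) {
            message.put(OneWayProcessorInterceptor.USE_ORIGINAL_THREAD, Boolean.TRUE);
        }
    }
}

/*
 * Registration in the EJB jar's META-INF/jboss-webservices.xml, assuming the
 * cxf.interceptors.in property JBossWS-CXF reads from that descriptor
 * (assumption about the contents of [2], which is linked but not shown here):
 *
 *   <webservices xmlns="http://www.jboss.com/xml/ns/javaee" version="1.2">
 *     <property>
 *       <name>cxf.interceptors.in</name>
 *       <value>com.example.ws.OneWayOriginalThreadInterceptor</value>
 *     </property>
 *   </webservices>
 */
```

To confirm the workaround took effect, repeat the check from point 3 of the report: temporarily drop @RolesAllowed from the one-way method and log `SessionContext.getCallerPrincipal().getName()` inside it; it should now print the LDAP user instead of "anonymous". The cost of the workaround is that the request thread stays occupied until the EJB method returns, so a slow one-way method now ties up a web thread rather than a CXF worker.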