[jboss-jira] [JBoss JIRA] (WFLY-4289) Authentication bug on one-way JAX-WS methods

Jakub Grabowski (JIRA) issues at jboss.org
Tue Jan 27 06:21:49 EST 2015


    [ https://issues.jboss.org/browse/WFLY-4289?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13035273#comment-13035273 ] 

Jakub Grabowski edited comment on WFLY-4289 at 1/27/15 6:21 AM:
----------------------------------------------------------------

And the code that demonstrates the issue:

{code}
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Local;
import javax.ejb.Stateless;
import javax.jws.Oneway;
import javax.jws.WebService;
import org.jboss.ws.api.annotation.WebContext;

// Endpoint that reproduces WFLY-4289: under BASIC auth the one-way method is
// denied while the otherwise identical two-way method is allowed.
// IMessageSender is the local business interface declaring both methods.
@Stateless
@WebService
@DeclareRoles("user")
@Local(IMessageSender.class)
@WebContext(authMethod = "BASIC")
public class MessageSender implements IMessageSender {

    // @Oneway: no response message in the WSDL; this invocation is denied
    @RolesAllowed("user")
    @Oneway
    public void fails(long l) {
        System.out.println(">>>>>: " + l);
    }

    // two-way (request/response) method with the same role constraint; works
    @RolesAllowed("user")
    public void works(long l) {
        System.out.println(">>>>>: " + l);
    }
}
{code}



> Authentication bug on one-way JAX-WS methods
> --------------------------------------------
>
>                 Key: WFLY-4289
>                 URL: https://issues.jboss.org/browse/WFLY-4289
>             Project: WildFly
>          Issue Type: Bug
>          Components: Security, Web Services
>    Affects Versions: 8.2.0.Final
>            Reporter: Jakub Grabowski
>            Assignee: Darran Lofthouse
>
> 1. For two-way methods basic authentication and authorization work fine. The user is authenticated with the LDAP module and gets the proper role that authorizes the invocation. It works just fine. By two-way method I mean a method with input and output message defined in the WSDL.
> 2. For one-way methods (return type void) the user is not authenticated properly. It results in denial of the method invocation.
> 3. When I remove the @RolesAllowed declaration I can see that for two-way methods authentication is correct (the principal is set to the logged-in user), but for one-way methods it's not - I get "anonymous" as the principal.
> 4. When I change the one-way method to have input and output messages defined in the WSDL and update the implementation accordingly, it surprisingly starts to work as expected.
> It's quite a serious issue, because currently there's no way to have authorized access to one-way web service methods.
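A diagnostic that makes step 3 above repeatable, added here as an example and not part of the ticket or of WildFly: an EJB interceptor that logs, per invocation, whether the method is @Oneway, which caller principal the container exposes, and whether that caller is in the "user" role. The class name PrincipalAuditInterceptor and the role name "user" (taken from the ticket's endpoint) are assumptions; bind it with @Interceptors(PrincipalAuditInterceptor.class) on the endpoint bean. Because the container evaluates @RolesAllowed before interceptors run, it only produces output for methods that are not already denied, i.e. in the step-3 configuration with @RolesAllowed removed on a test deployment.

```java
import java.security.Principal;
import java.util.logging.Logger;
import javax.annotation.Resource;
import javax.ejb.SessionContext;
import javax.interceptor.AroundInvoke;
import javax.interceptor.InvocationContext;
import javax.jws.Oneway;

// Hypothetical diagnostic interceptor (not from the ticket). It does not
// change authorization; it only records what the container sees so that a
// one-way/two-way mismatch in the propagated principal is visible in the log.
public class PrincipalAuditInterceptor {

    private static final Logger LOG =
            Logger.getLogger(PrincipalAuditInterceptor.class.getName());

    // Assumption: the bean is a session bean, so SessionContext is injectable.
    @Resource
    private SessionContext ctx;

    @AroundInvoke
    public Object audit(InvocationContext ic) throws Exception {
        boolean oneWay = ic.getMethod().isAnnotationPresent(Oneway.class);
        Principal caller = ctx.getCallerPrincipal();
        String name = caller == null ? "<null>" : caller.getName();
        boolean inRole = ctx.isCallerInRole("user");

        // Expected for a correctly propagated BASIC login: the same caller
        // name and inRole=true for both oneway=true and oneway=false.
        // The behaviour reported in the ticket shows oneway=true with
        // caller=anonymous and inRole=false.
        LOG.info(String.format("%s.%s oneway=%b caller=%s inRole(user)=%b",
                ic.getTarget().getClass().getSimpleName(),
                ic.getMethod().getName(), oneWay, name, inRole));

        return ic.proceed();
    }
}
```

For a @Oneway call the client gets no response, so the log line is the only place the server-side principal for that invocation can be observed.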



--
This message was sent by Atlassian JIRA
(v6.3.11#6341)