[jboss-jira] [JBoss JIRA] (WFLY-4289) Authentication bug on one-way JAX-WS methods
Jim Ma (JIRA)
issues at jboss.org
Sun Mar 15 23:49:19 EDT 2015
[ https://issues.jboss.org/browse/WFLY-4289?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13050290#comment-13050290 ]
Jim Ma commented on WFLY-4289:
------------------------------
This issue should be fixed after the change: https://github.com/wildfly/wildfly/commit/1c56cbacb3699f3d506fd4b2418b575156d179f6. There is a one-way test added in http://anonsvn.jboss.org/repos/jbossws/stack/cxf/trunk/modules/testsuite/shared-tests/src/test/java/org/jboss/test/ws/jaxws/samples/securityDomain/SecurityDomainTestCase.java to check this. Tomas and Jakub, please let me know if there is anything else I need to have a look at. Thanks.
> Authentication bug on one-way JAX-WS methods
> --------------------------------------------
>
> Key: WFLY-4289
> URL: https://issues.jboss.org/browse/WFLY-4289
> Project: WildFly
> Issue Type: Bug
> Components: Security, Web Services
> Affects Versions: 8.2.0.Final
> Reporter: Jakub Grabowski
> Assignee: Tomas Hofman
>
> 1. For two-way methods basic authentication and authorization works fine. User is authenticated with LDAP module and gets proper role that authorizes invocation. It works just fine. By two-way method I mean method with input and output message defined in WSDL.
> 2. For one-way methods (return type void) user is not authenticated properly. It results in denial of method invocation.
> 3. When I remove @RolesAllowed declaration I can see that for two-way methods authentication is correct (principal is set to logged user), but for one-way it's not - I get "anonymous" as principal.
> 4. When I change one-way method to have input and output messages defined in WSDL and update implementation accordingly it surprisingly starts to work as expected.
> It's quite a serious issue, because currently there's no way to have authorized access to one-way webservice methods.
--
This message was sent by Atlassian JIRA
(v6.3.11#6341)