[jboss-jira] [JBoss JIRA] (WFLY-4289) Authentication bug on one-way JAX-WS methods
Kabir Khan (JIRA)
issues at jboss.org
Wed Dec 6 12:20:11 EST 2017
[ https://issues.jboss.org/browse/WFLY-4289?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kabir Khan updated WFLY-4289:
-----------------------------
Fix Version/s: 9.0.0.Final
> Authentication bug on one-way JAX-WS methods
> --------------------------------------------
>
> Key: WFLY-4289
> URL: https://issues.jboss.org/browse/WFLY-4289
> Project: WildFly
> Issue Type: Bug
> Components: Security, Web Services
> Affects Versions: 8.2.0.Final
> Reporter: Jakub Grabowski
> Assignee: Jim Ma
> Fix For: 9.0.0.Final
>
>
> 1. For two-way methods basic authentication and autorization works fine. User is authenticated with LDAP module and gets proper role that autorizes invocation. It works just fine. By two-way method I mean method with input and output message defined in WSDL.
> 2. For one-way methods (return type void) user is not authenticated properly. It results in denial of method invocation.
> 3. When I remove @RolesAllowed declaration I can see that for two-way methods authentication is correct (pricipal is set to logged user), but for one-way it's not - I get "anonymous" as principal.
> 4. When I change one-way method to have input and output messages defined in WSDL and update implementation accordingly it suprisingly starts to work as expected.
> It's quite serious issue, because currently there's no way to have authorized access to oneway webservice methods.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
More information about the jboss-jira
mailing list