[jboss-user] [Security & JAAS/JBoss] - EJB3 Endpoint Authentication Problems

elcapitan do-not-reply at jboss.com
Tue Dec 19 19:43:22 EST 2006


G'day all,

I'm trying to expose an EJB3 stateless session bean as a webservice, and I'm running into problems with authentication. If I leave all security considerations out, the bean exposes nicely, and I can interact with it using soapUI or a standalone Java client. However, when I start trying to add declarative security, things start falling over.

I have specified a security domain for the SEI, using the @SecurityDomain("myDomain") annotation. I've also modified the conf/login-config.xml file to include the following entry for this domain (I've also created the user and role files as specified):

    <application-policy name="webcrawler">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                      flag="required">
          <module-option name="usersProperties">props/webcrawler-users.properties</module-option>
          <module-option name="rolesProperties">props/webcrawler-roles.properties</module-option>
          <!--<module-option name="unauthenticatedIdentity">anonymous</module-option>-->
        </login-module>
      </authentication>
    </application-policy>

The unauthenticatedIdentity line worked as advertised, however I commented it out since I really don't want unauthenticated access.

As near as I can tell, since I'm using annotations, this should be sufficient to set up the server to authenticate access (my web methods are unchecked to keep things simple, however I'm using the getCallerPrincipal().getName() and isUserInRole() methods to test authentication).

This is where things start to get confused. I guess I have two questions:

1) Is it possible to authenticate on a per-request basis, or is it necessary to establish a login context on the client side somehow and export it to the server? The reason I ask is that I'd like to do load-testing using soapUI, which only seems to support per-request information by attaching username/password information as request headers to the SOAP message.

2) What would be the simplest way to authenticate a standalone client, not running inside an app-server? My current client-side approach involves including and compiling wstools-generated stubs, then using the following code to establish a connection:

    import java.net.URL;
    import javax.xml.namespace.QName;
    import javax.xml.rpc.Service;
    import javax.xml.rpc.ServiceFactory;

    public class WatchListClient {

        // Builds the JAX-RPC port from the deployed endpoint's WSDL.
        // Exceptions propagate instead of being swallowed, so a bad URL or a
        // failed service lookup fails here rather than as a NullPointerException
        // on service.getPort() further down.
        public static WatchListManagerInterface connect() throws Exception {
            URL url = new URL("http://localhost:8080/crawler/WatchListManager?wsdl");
            // service QName taken from the generated WSDL (target namespace + service name)
            QName qname = new QName(
                    "http://servercontroller.application.server.webcrawler.thedistillery.com.au/jaws",
                    "WatchListManagerInterfaceService");
            ServiceFactory factory = ServiceFactory.newInstance();
            Service service = factory.createService(url, qname); // create service
            // WatchListManagerInterface is the wstools-generated SEI stub
            return (WatchListManagerInterface) service.getPort(WatchListManagerInterface.class);
        }
    }

Apologies if I'm missing something really basic, but I've been slamming my head against a wall for days now. :) Any help would be extremely appreciated.

James

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3995174#3995174

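As an added example (not code from the original post or from JBoss), the following shows one way to get the per-request authentication the post asks about: the EJB3 endpoint is mapped to the "webcrawler" security domain and told to use HTTP BASIC authentication on the web layer, and a standalone JAX-RPC client attaches credentials to every call through the standard javax.xml.rpc.Stub properties, with no client-side login context. Everything beyond what the post shows is an assumption: the bean and client class names, the role name "watchlist-admin", the annotation packages (org.jboss.annotation.security.SecurityDomain and org.jboss.ws.annotation.WebContext moved between JBoss and JBossWS releases), and that the endpoint is served over HTTPS on port 8443.

```java
// Added example, not from the original post: HTTP BASIC authentication per
// request on a JBoss EJB3 web service endpoint, plus a standalone JAX-RPC
// client that sends credentials on every call.
//
// Assumptions (not in the original post): the class names, the role name
// "watchlist-admin", the annotation packages (they differ between JBoss and
// JBossWS releases), and an HTTPS listener on port 8443.

import java.net.URL;
import java.rmi.Remote;
import java.rmi.RemoteException;

import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.xml.namespace.QName;
import javax.xml.rpc.Service;
import javax.xml.rpc.ServiceFactory;
import javax.xml.rpc.Stub;

import org.jboss.annotation.security.SecurityDomain; // JBoss 4.0.x EJB3 package (assumption)
import org.jboss.ws.annotation.WebContext;          // JBossWS 1.x package (assumption)

// ---- server side: the EJB3 endpoint ---------------------------------------

@Stateless
@WebService
// Must match <application-policy name="webcrawler"> in conf/login-config.xml;
// a name that matches no policy falls through to the default "other" policy.
@SecurityDomain("webcrawler")
// authMethod=BASIC makes the web container demand credentials on each request,
// so no client-side login context is needed. transportGuarantee=CONFIDENTIAL
// forces HTTPS so the base64-encoded password never crosses the wire in clear.
// secureWSDLAccess=false leaves the (non-secret) WSDL fetchable, which the
// client needs before it has set any credentials on the stub.
@WebContext(contextRoot = "/crawler", urlPattern = "/WatchListManager",
            authMethod = "BASIC", transportGuarantee = "CONFIDENTIAL",
            secureWSDLAccess = false)
public class WatchListManagerBean {

    @Resource
    private SessionContext ctx;

    // Enforced by the EJB container against webcrawler-roles.properties.
    // Without a @RolesAllowed (or equivalent) check, an authenticated caller
    // of *any* role can invoke the method.
    @WebMethod
    @RolesAllowed("watchlist-admin")
    public String whoAmI() {
        return ctx.getCallerPrincipal().getName();
    }
}

// ---- client side: standalone JAX-RPC client -------------------------------

// Stands in for the wstools-generated SEI; JAX-RPC SEIs extend Remote.
interface WatchListManagerInterface extends Remote {
    String whoAmI() throws RemoteException;
}

class WatchListClient {

    // Returns a port that sends the given credentials as an HTTP Basic
    // Authorization header on every call (per request, no shared session).
    static WatchListManagerInterface connect(String user, char[] password) throws Exception {
        URL wsdl = new URL("https://localhost:8443/crawler/WatchListManager?wsdl");
        QName serviceName = new QName(
                "http://servercontroller.application.server.webcrawler.thedistillery.com.au/jaws",
                "WatchListManagerInterfaceService");
        Service service = ServiceFactory.newInstance().createService(wsdl, serviceName);
        WatchListManagerInterface port =
                (WatchListManagerInterface) service.getPort(WatchListManagerInterface.class);

        // Standard JAX-RPC 1.1 stub properties; the runtime turns them into
        // HTTP Basic credentials on each outgoing request.
        Stub stub = (Stub) port;
        stub._setProperty(Stub.USERNAME_PROPERTY, user);
        stub._setProperty(Stub.PASSWORD_PROPERTY, new String(password));
        return port;
    }

    public static void main(String[] args) throws Exception {
        // Credentials come from the environment so nothing is hard-coded.
        String user = System.getenv("CRAWLER_USER");
        String pass = System.getenv("CRAWLER_PASS");
        WatchListManagerInterface cm = connect(user, pass.toCharArray());
        System.out.println("Server sees caller as: " + cm.whoAmI());
    }
}
```

Because the credentials travel as an HTTP Authorization header rather than in a JAAS login context, the same endpoint can be load-tested from soapUI by filling in the request's username and password properties. Two checks worth making when this kind of setup misbehaves: the value in @SecurityDomain must be exactly the application-policy name in login-config.xml, and if unauthenticatedIdentity is left enabled, anonymous callers get a real principal, so getCallerPrincipal() returning a name proves nothing and only the role checks stand between the caller and the method.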