[jboss-user] [JBossWS] - Help with authMethod and security after JBoss501 upgrade

lukeb do-not-reply at jboss.com
Mon Mar 2 07:02:45 EST 2009


I'm upgrading from 422 to 501 and I'm having security-related issues which I'll explain below.

I have a legacy webservice I expose in the following way.


  | import javax.annotation.security.PermitAll;
  | import javax.ejb.Stateless;
  | import javax.jws.WebMethod;
  | import javax.jws.WebService;
  | import javax.jws.soap.SOAPBinding;
  | import org.jboss.wsf.spi.annotation.WebContext; // JBossWS 3.x (JBoss 5) package
  | 
  | @Stateless
  | @WebService(name = "MyWebService", targetNamespace = "http://my.services.web", serviceName = "MyWebServiceName")
  | // JBossWS endpoint settings: context root, no transport guarantee, no web-layer login method
  | @WebContext(contextRoot = "/MyEar", transportGuarantee = "NONE", authMethod = "NONE")
  | @SOAPBinding(parameterStyle = SOAPBinding.ParameterStyle.WRAPPED, style = SOAPBinding.Style.DOCUMENT, use = SOAPBinding.Use.LITERAL)
  | @PermitAll // EJB-layer authorization: any caller may invoke the bean
  | public final class MyWebServiceBean {
  | 
  |     @WebMethod
  |     @PermitAll
  |     public final String doStuff() {
  |         return "i've done stuff";
  |     }
  | }
  | 


In 501 this all deploys ok and I can see the wsdl in the jbossws console.

However when I try to call the webservice from my test harness, I get a 403 forbidden at the client and the following in the logs:


  | 10:32:14,657 DEBUG [MapperListener] Handle jboss.web:type=RequestProcessor,worker=http-0.0.0.0-8080,name=HttpRequest1 type : JMX.mbean.registered
  | 10:32:14,766 TRACE [SecurityRolesAssociation] Setting threadlocal:{}
  | 10:32:14,766 TRACE [JaccContextValve] MetaData:org.jboss.metadata.web.jboss.JBossWebMetaData at 1f:principalToRoleSetMap{}
  | 10:32:14,766 DEBUG [AuthenticatorBase] Security checking request POST /MyEar/MyWebServiceBean
  | 10:32:14,766 DEBUG [RealmBase]   Checking constraint 'SecurityConstraint[/MyWebServiceBean]' against POST //MyWebServiceBean --> true
  | 10:32:14,782 DEBUG [AuthenticatorBase]  Calling hasUserDataPermission()
  | 10:32:14,782 DEBUG [RealmBase]   User data constraint has no restrictions
  | 10:32:14,828 TRACE [JBossAuthorizationContext] Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
  | 10:32:14,844 DEBUG [AuthenticatorBase]  Calling authenticate()
  | 10:32:14,844 DEBUG [[/MyEar] User authentication is not required
  | 10:32:14,844 DEBUG [AuthenticatorBase]  Calling accessControl()
  | 10:32:14,844 DEBUG [RealmBase]   Checking roles null
  | 10:32:14,860 DEBUG [RealmBase]   No user authenticated, cannot grant access
  | 10:32:14,860 TRACE [JBossWebRealm] hasResourcePerm:RealmBase says:false::Authz framework says:false:final=false
  | 10:32:14,860 DEBUG [AuthenticatorBase]  Failed accessControl() test
  | 10:32:14,860 TRACE [SecurityRolesAssociation] Setting threadlocal:null
  | 10:32:14,860 TRACE [SecurityRolesAssociation] Setting threadlocal:null
  | 

The parts of the logging above that stand out to me are:

[/MyEar] User authentication is not required

and

[RealmBase]   No user authenticated, cannot grant access

...and these seem at odds with each other.

I've tried setting @SecurityDomain to "" and that didn't make any difference.

Note that my stateless bean is within an ejb3 jar within an ear. The ear has a custom security-domain declared in the jboss-app.xml.

Does anyone have any suggestions? I need the web service to ideally work as before; changing the clients would have to be a last resort.

Thanks

Luke


View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4214137#4214137

Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=4214137
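As an added triage helper (not from the original post or from JBoss), here is a small Python parser that walks the JBossWeb/Tomcat security DEBUG lines quoted above and reports at which stage the request was denied. The sample log is constructed from those lines; the `Failed <stage>() test` pattern is assumed to generalise beyond accessControl, and messages that do not appear in the post are not modelled.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the decisive DEBUG lines from the trace quoted in the post.
SAMPLE_LOG = """\
10:32:14,766 DEBUG [AuthenticatorBase] Security checking request POST /MyEar/MyWebServiceBean
10:32:14,766 DEBUG [RealmBase]   Checking constraint 'SecurityConstraint[/MyWebServiceBean]' against POST //MyWebServiceBean --> true
10:32:14,782 DEBUG [AuthenticatorBase]  Calling hasUserDataPermission()
10:32:14,782 DEBUG [RealmBase]   User data constraint has no restrictions
10:32:14,844 DEBUG [AuthenticatorBase]  Calling authenticate()
10:32:14,844 DEBUG [[/MyEar] User authentication is not required
10:32:14,844 DEBUG [AuthenticatorBase]  Calling accessControl()
10:32:14,844 DEBUG [RealmBase]   Checking roles null
10:32:14,860 DEBUG [RealmBase]   No user authenticated, cannot grant access
10:32:14,860 DEBUG [AuthenticatorBase]  Failed accessControl() test
"""

@dataclass
class SecurityDecision:
    request: Optional[str] = None                          # "POST /MyEar/MyWebServiceBean"
    constraints: List[str] = field(default_factory=list)   # security constraints that matched
    auth_required: Optional[bool] = None                   # did authenticate() demand a login?
    roles_checked: Optional[str] = None                    # argument of "Checking roles"
    failed_stage: Optional[str] = None                     # e.g. "accessControl" (assumed pattern)

    def diagnosis(self) -> str:
        if self.failed_stage == "accessControl" and self.auth_required is False:
            return ("constraint matched, authentication not required, "
                    "role check ran with no authenticated user -> 403")
        if self.failed_stage:
            return f"denied at {self.failed_stage}()"
        return "no denial recorded"

def parse_security_trace(log: str) -> SecurityDecision:
    # Walk AuthenticatorBase/RealmBase DEBUG lines in the order the container emits them.
    d = SecurityDecision()
    for line in log.splitlines():
        if m := re.search(r"Security checking request (\S+ \S+)", line):
            d.request = m.group(1)
        elif m := re.search(r"Checking constraint '(.+?)' against .* --> (true|false)", line):
            if m.group(2) == "true":
                d.constraints.append(m.group(1))
        elif "User authentication is not required" in line:
            d.auth_required = False
        elif m := re.search(r"Checking roles (.*)$", line):
            d.roles_checked = m.group(1).strip()
        elif m := re.search(r"Failed (\w+)\(\) test", line):
            d.failed_stage = m.group(1)
    return d
```

Run `parse_security_trace(SAMPLE_LOG).diagnosis()` to see the matched constraint, the skipped login and the failed role check summarised in one line.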


