[jboss-user] [EJB 3.0] - Security question about DatabaseServerLoginModule and SOAPFaultException

André Simões do-not-reply at jboss.com
Tue Oct 19 11:53:15 EDT 2010


André Simões [http://community.jboss.org/people/asimoes] created the discussion

"Security question about DatabaseServerLoginModule and SOAPFaultException"

To view the discussion, visit: http://community.jboss.org/message/567219#567219

--------------------------------------------------------------
Hi.
I want to know how I can solve the SOAPFaultException error that JBoss sends when a valid user tries to access a role that does not belong to it.

Example of the code and the exception with a C# client


// Imports assumed for this snippet (the original post omitted them); JBoss 5 EJB3 packages.
import javax.annotation.Resource;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.jws.WebMethod;
import javax.jws.WebService;

import org.jboss.ejb3.annotation.SecurityDomain;
import org.jboss.logging.Logger;
import org.jboss.wsf.spi.annotation.WebContext;

@Stateless   // assumed: the endpoint is an EJB3 session bean (what @WebContext/@SecurityDomain apply to)
@WebService  // assumed: the bean is exposed as a JAX-WS endpoint
@WebContext(contextRoot = "/HeComm", transportGuarantee = "NONE", authMethod = "BASIC", secureWSDLAccess = false)
@SecurityDomain("DBLogin")
// Note: the EJB 3.0 spec does not allow @PermitAll and @RolesAllowed on the same element;
// the method-level annotations below override the class-level ones on each method anyway.
@PermitAll
@RolesAllowed({"admin", "ws"})
public class WebSecurityBean implements WebSecurity {

    private static final Logger log = Logger.getLogger(WebSecurityBean.class);

    @Resource
    private SessionContext ctx;

    @WebMethod
    @RolesAllowed({"admin"})   // only callers in "admin" pass the container's authorization interceptor
    public String echoForAdministrator(String str) {
        checkPrincipal();
        log.debug(str);
        return str;
    }

    @WebMethod
    @PermitAll                 // any authenticated caller
    public String echoForAll(String str) {
        checkPrincipal();
        log.debug(str);
        return str;
    }

    @WebMethod
    @DenyAll                   // no caller at all; the interceptor always rejects this
    public String echoForNobody(String str) {
        checkPrincipal();
        log.debug(str);
        return str;
    }

    @WebMethod
    @RolesAllowed({"ws"})
    public String echoForUser(String str) {
        checkPrincipal();
        log.debug(str);
        return str;
    }

    @WebMethod
    @RolesAllowed({"ManageUsers"})
    public String echoForManageUsers(String str) {
        checkPrincipal();
        log.debug(str);
        return str;
    }

    // Body assumed (the original post calls this but does not show it): log the authenticated caller.
    private void checkPrincipal() {
        log.debug("caller principal: " + ctx.getCallerPrincipal().getName());
    }

}

If my C# client has an invalid user or password, JBoss sends a message saying so.
If my C# client has a valid user and password, JBoss throws an exception in methods that are not allowed for my user role.

My user has the role "ws", and if I call the method echoForAdministrator, echoForNobody or echoForManageUsers I get an exception that starts like this:

ERROR [SOAPFaultHelperJAXWS] SOAP request exception
javax.ejb.EJBAccessException: Caller unauthorized
 at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorv2.invoke(RoleBasedAuthorizationInterceptorv2.java:199)
. . . .

In C# I get an exception, which is OK, the user is not allowed to use this method, but why does JBoss receive an error exception from SOAP?

Can I do something to eliminate this exception?

I'm using JBoss 5.10 and authentication on an Oracle DB.
--------------------------------------------------------------
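The EJBAccessException in the post is the container's role-based authorization interceptor doing exactly what @RolesAllowed asks of it; JBossWS then treats that unchecked exception as an unexpected server error, logs it at ERROR and wraps it in a generic SOAP fault. If the goal is a fault the client can recognise without the server-side ERROR line, one option is to keep a declarative role gate on the bean and convert the finer-grained check into a declared application fault. The example below is added here and is not code from the original post or from JBoss; the class and exception names, the package and the namespace are assumptions, and it keeps the same security domain, context root and roles as the post.

```java
// --- NotAuthorizedException.java (added example; names are hypothetical) ---
package example;

import javax.xml.ws.WebFault;

// A checked, @WebFault-declared exception is marshalled by JAX-WS as an
// application fault with a fixed fault element, so the client can match on
// it instead of parsing the text of a generic server fault.
@WebFault(name = "NotAuthorizedFault", targetNamespace = "http://example/HeComm")
public class NotAuthorizedException extends Exception {
    public NotAuthorizedException(String requiredRole) {
        super("Caller is not in role '" + requiredRole + "'");
    }
}

// --- AdminEchoBean.java (added example; names are hypothetical) ---
package example;

import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.jws.WebMethod;
import javax.jws.WebService;

import org.jboss.ejb3.annotation.SecurityDomain;
import org.jboss.wsf.spi.annotation.WebContext;

@Stateless
@WebService
@WebContext(contextRoot = "/HeComm", transportGuarantee = "NONE", authMethod = "BASIC", secureWSDLAccess = false)
@SecurityDomain("DBLogin")
@DeclareRoles({"admin", "ws"})
// Declarative gate: only authenticated callers holding "admin" or "ws" reach any
// method body. Anyone else still gets the container's EJBAccessException, which
// is the correct outcome and must not be "fixed" by widening this to @PermitAll.
@RolesAllowed({"admin", "ws"})
public class AdminEchoBean {

    @Resource
    private SessionContext ctx;

    // Reachable by "admin" and "ws" at the container level; the method itself
    // narrows this to "admin" and reports the refusal as a declared fault.
    @WebMethod
    public String echoForAdministrator(String str) throws NotAuthorizedException {
        requireRole("admin");
        return str;
    }

    @WebMethod
    public String echoForAll(String str) {
        return str;
    }

    // Programmatic check against the roles the login module put on the caller.
    // It can only narrow what @RolesAllowed permits; it can never widen it.
    private void requireRole(String role) throws NotAuthorizedException {
        if (!ctx.isCallerInRole(role)) {
            throw new NotAuthorizedException(role);
        }
    }
}
```

The trade-off is that the class-level annotation now admits "ws" callers into echoForAdministrator, and the enforcement for that method lives in the method body. That is acceptable only if every such method calls requireRole first, so keep the list of role-checked methods short and reviewed; the container's declarative check remains the outer boundary and the place an auditor will look. Nothing here changes what a caller outside "admin" and "ws" sees: that caller is still rejected before any method body runs.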

