[jboss-user] [JBoss AS Documentation] - JBoss AS 7 security problem

mateo01 do-not-reply at jboss.com
Fri Nov 18 16:34:26 EST 2011 

mateo01 [http://community.jboss.org/people/mateo01] created the discussion

"JBoss AS 7 security problem"

To view the discussion, visit: http://community.jboss.org/message/637264#637264

--------------------------------------------------------------
Hi everyone!

I use Jboss As 7 for my new application which contans some EJB components connected with one main EJB marked as Webservice (JAX-WS). I am connecting to this service from standalone test application and everythink woks fine. But I wanted to implement authentication and authorization so head of my web-service implementor class look like this:

@Stateless
@SchemaValidation(enabled = true)
@WebService(wsdlLocation = "/META-INF/wsdl/invoiceservice.wsdl")

@SecurityDomain("jboss-domain")
@DeclareRoles({"moderator"})
@RolesAllowed({})
public class InvoiceServiceImpl implements Invoiceservice {


     @Override
    @TransactionAttribute(TransactionAttributeType.REQUIRED)
    @DenyAll
    public CreateDocumentRS createDocument(CreateDocumentRQ payload) throws BusinessException {

     .....some code
}
}

I have also configured security domain in standalone.xml - it looks like this:

               security-domain name="jboss-domain" cache-type="default">
                    <authentication>
                        <login-module code="UsersRoles" flag="required">
                            <module-option name="usersProperties" value="ejb3users.properties"/>
                            <module-option name="rolesProperties" value="ejb3roles.properties"/>
                            <module-option name="unauthenticatedIdentity" value="nobody"/>
                        </login-module>
                    </authentication>
                </security-domain>

files ejb3users.properties and ejb3roles.properties are stored in same directory as standalone.xml

and now when I'm trying to connect to webservice with my standalone application (without setting username and password) everythink works, every method which should be denied executes without any exception.

Could you guys advice me what am I doing wrong? Maybe it is something more what should I configure?

Thanks in advance for any thoughts!
--------------------------------------------------------------

Reply to this message by going to Community
[http://community.jboss.org/message/637264#637264]

Start a new discussion in JBoss AS Documentation at Community
[http://community.jboss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2079]

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/jboss-user/attachments/20111118/aa3463a3/attachment.html

More information about the jboss-user mailing list