[jbossws-dev] [Design of JBoss Web Services] - Re: WS4EE and AS5

sguilhen@redhat.com do-not-reply at jboss.com
Tue Aug 26 15:21:17 EDT 2008


Alessio is right when he says the endpoint servlet is not called. Running the tests with TRACE enabled for org.jboss.security shows us the following:


  | 2008-08-26 14:30:19,078 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-127.0.0.1-8080-1) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.JACCAuthorizationModule:{}required}is:[required]
  | 2008-08-26 14:30:19,079 TRACE [org.jboss.security.authorization.modules.web.WebJACCPolicyModuleDelegate] (http-127.0.0.1-8080-1) resourceCheck=false : userDataCheck=true : roleRefCheck=false
  | 2008-08-26 14:30:19,080 TRACE [org.jboss.security.authorization.modules.web.WebJACCPolicyModuleDelegate] (http-127.0.0.1-8080-1) hasUserDataPermission, p=(javax.security.jacc.WebUserDataPermission / POST)
  | 2008-08-26 14:30:19,080 TRACE [org.jboss.security.jacc.ContextPolicy] (http-127.0.0.1-8080-1) No principals found in domain: ProtectionDomain  null
  |  null
  |  <no principals>
  |  java.security.Permissions@1ed6d94 (
  |  (javax.security.jacc.EJBMethodPermission RoleSecuredSLSB)[*:*()]
  |  (javax.security.jacc.EJBMethodPermission BasicSecuredSLSB)[*:*()]
  |  [RoleSecuredSLSB,role-ref=friend]
  | )
  | 
  | 
  | 2008-08-26 14:30:19,080 TRACE [org.jboss.security.jacc.DelegatingPolicy] (http-127.0.0.1-8080-1) implied=false
  | 2008-08-26 14:30:19,080 TRACE [org.jboss.security.authorization.modules.web.WebJACCPolicyModuleDelegate] (http-127.0.0.1-8080-1) Denied: (javax.security.jacc.WebUserDataPermission / POST)
  | 2008-08-26 14:30:19,080 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-127.0.0.1-8080-1) Error in authorize:
  | org.jboss.security.authorization.AuthorizationException: Authorization Failed:Denied.
  |         at org.jboss.security.plugins.authorization.JBossAuthorizationContext.invokeAuthorize(JBossAuthorizationContext.java:268)
  |         at org.jboss.security.plugins.authorization.JBossAuthorizationContext.access$000(JBossAuthorizationContext.java:67)
  |         at org.jboss.security.plugins.authorization.JBossAuthorizationContext$1.run(JBossAuthorizationContext.java:153)
  |         at java.security.AccessController.doPrivileged(Native Method)
  |         at org.jboss.security.plugins.authorization.JBossAuthorizationContext.authorize(JBossAuthorizationContext.java:149)
  |         at org.jboss.security.plugins.JBossAuthorizationManager.internalAuthorization(JBossAuthorizationManager.java:455)
  |         at org.jboss.security.plugins.JBossAuthorizationManager.authorize(JBossAuthorizationManager.java:121)
  |         at org.jboss.security.plugins.javaee.WebAuthorizationHelper.hasUserDataPermission(WebAuthorizationHelper.java:179)
  |         at org.jboss.web.tomcat.security.JBossWebRealm.hasUserDataPermission(JBossWebRealm.java:614)
  |         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:461)
  |         at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:90)
  |         at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:96)
  |         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
  |         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
  |         at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
  |         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
  |         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:325)
  |         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:828)
  |         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:601)
  |         at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
  |         at java.lang.Thread.run(Thread.java:595)
  | 2008-08-26 14:30:19,080 TRACE [org.jboss.security.plugins.javaee.WebAuthorizationHelper] (http-127.0.0.1-8080-1) hasRole check failed:Authorization Failed:Denied.
  | 

As we can see, JBossAuthorizationContext doesn't grant access to the endpoint servlet. So, either we have an incomplete policy or we are inappropriately performing authorization checks on this servlet.

 anonymous wrote : 
  | Please note that it seems to me the ws calls are rejected in the same way even when using the right principal/credential
  | 

You are probably right here. The tests would fail even when using the right authentication info because access to the endpoint servlet would be rejected anyway.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4172689#4172689
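
A small triage script for the trace above, as an added example that is not part of the original post or of JBoss: it correlates each `Denied:` line with the policy dump logged on the same request thread and reports whether any permission of the denied type appears in that dump. The name `jacc_denials` and the record fields are hypothetical; the sample lines are excerpted from the trace in the post.

```python
import re

# Lines excerpted from the trace in the post (stack trace omitted).
SAMPLE = """\
2008-08-26 14:30:19,080 TRACE [org.jboss.security.authorization.modules.web.WebJACCPolicyModuleDelegate] (http-127.0.0.1-8080-1) hasUserDataPermission, p=(javax.security.jacc.WebUserDataPermission / POST)
2008-08-26 14:30:19,080 TRACE [org.jboss.security.jacc.ContextPolicy] (http-127.0.0.1-8080-1) No principals found in domain: ProtectionDomain  null
 null
 <no principals>
 java.security.Permissions@1ed6d94 (
 (javax.security.jacc.EJBMethodPermission RoleSecuredSLSB)[*:*()]
 (javax.security.jacc.EJBMethodPermission BasicSecuredSLSB)[*:*()]
 [RoleSecuredSLSB,role-ref=friend]
)
2008-08-26 14:30:19,080 TRACE [org.jboss.security.jacc.DelegatingPolicy] (http-127.0.0.1-8080-1) implied=false
2008-08-26 14:30:19,080 TRACE [org.jboss.security.authorization.modules.web.WebJACCPolicyModuleDelegate] (http-127.0.0.1-8080-1) Denied: (javax.security.jacc.WebUserDataPermission / POST)
"""

HEADER = re.compile(r"^(\S+ \S+) TRACE \[([\w.$]+)\] \(([^)]+)\) (.*)$")
PERM = re.compile(r"\((javax\.security\.jacc\.\w+) ([^)]*)\)")

def jacc_denials(log_text):
    """One record per 'Denied:' line, correlated with the same thread's policy dump."""
    state, current, denials = {}, None, []
    for raw in log_text.splitlines():
        line = raw.lstrip(" |")              # tolerate the archive's "  | " prefix
        m = HEADER.match(line)
        if not m:                            # continuation line of a policy dump
            p = PERM.search(line)
            if p and current in state:
                state[current]["policy_types"].add(p.group(1).rsplit(".", 1)[1])
            continue
        ts, _logger, current, msg = m.groups()
        if ", p=(" in msg:                   # a new permission check begins
            state[current] = {"policy_types": set(), "no_principals": False}
        ctx = state.setdefault(current, {"policy_types": set(), "no_principals": False})
        p = PERM.search(msg)
        if msg.startswith("No principals found"):
            ctx["no_principals"] = True
        elif msg.startswith("Denied:") and p:
            kind = p.group(1).rsplit(".", 1)[1]
            denials.append({"time": ts, "thread": current, "permission": kind,
                            "target": p.group(2),
                            "no_principals": ctx["no_principals"],
                            "policy_types": sorted(ctx["policy_types"]),
                            "type_in_policy": kind in ctx["policy_types"]})
    return denials

if __name__ == "__main__":
    print(jacc_denials(SAMPLE))
```

On the excerpt it returns one denial for `WebUserDataPermission` on `/ POST`, with `no_principals` true and `EJBMethodPermission` as the only permission type in the dumped policy.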
