-
1. Re: @DenyAll on EJB methods
jaikiran Apr 25, 2013 10:01 PM (in response to jerviver21)
Which version of JBoss AS? What does your bean code look like and how are you invoking it?
-
2. Re: @DenyAll on EJB methods
jerviver21 Apr 26, 2013 1:44 PM (in response to jaikiran)
I'm using jboss-as-7.1.1.Final
I have a web service:
{code:java}
package edu.vi.service;

import javax.annotation.security.DenyAll;
import javax.annotation.security.RolesAllowed;
import javax.jws.WebMethod;
import javax.jws.WebService;
import org.jboss.security.annotation.SecurityDomain;

@WebService
@SecurityDomain("JbosWS")
@DenyAll                    // class-level default: every method is denied unless a method overrides it
public class ServiceImpl {

    @WebMethod
    @RolesAllowed("Admin")  // method-level annotation overrides the class-level @DenyAll
    public String saludo(String nombre) {
        System.out.println("Hola " + nombre + "!!!");
        return "Hola " + nombre + "!!!";
    }

    @WebMethod              // no method-level annotation, so the class-level @DenyAll should apply
    public String despedida(String nombre) {
        System.out.println("Chao " + nombre + "!!!");
        return "Chao " + nombre + "!!!";
    }
}
{code}
My security domain is configured:
{code:xml}
<security-domain name="JBossWS">
    <authentication>
        <login-module code="UsersRoles" flag="required">
            <module-option name="usersProperties" value="${jboss.server.config.dir}/jbossws-users.properties"/>
            <module-option name="rolesProperties" value="${jboss.server.config.dir}/jbossws-roles.properties"/>
            <module-option name="unauthenticatedIdentity" value="anonymous"/>
        </login-module>
    </authentication>
</security-domain>
{code}
My jbossws-users.properties:
{code}
kermit=thefrog
paul=condori
{code}
My jbossws-roles.properties:
{code}
kermit=Admin
paul=Guest
{code}
The web.xml:
{code:xml}
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
    <servlet>
        <servlet-name>HelloService</servlet-name>
        <servlet-class>edu.vi.service.ServiceImpl</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>HelloService</servlet-name>
        <url-pattern>/hello</url-pattern>
    </servlet-mapping>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>WRCollection</web-resource-name>
            <url-pattern>/hello</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>Admin</role-name>
        </auth-constraint>
    </security-constraint>
    <security-role>
        <role-name>Admin</role-name>
    </security-role>
    <security-role>
        <role-name>Guest</role-name>
    </security-role>
    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>
</web-app>
{code}
The jboss-web.xml:
{code:xml}
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
    <security-domain>java:/jaas/JBossWS</security-domain>
    <context-root>/JbossWSE7</context-root>
</jboss-web>
{code}
And my client is:
{code:java}
package jbosswse7client;

import edu.vi.service.ServiceImpl;
import edu.vi.service.ServiceImplService;
import javax.xml.ws.BindingProvider;

public class JbossWSE7Client {

    public static void main(String[] args) {
        ServiceImplService service = new ServiceImplService();
        ServiceImpl port = service.getServiceImplPort();
        // BASIC credentials for the web.xml security constraint on /hello
        ((BindingProvider) port).getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "kermit");
        ((BindingProvider) port).getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, "thefrog");
        System.out.println(port.saludo("JERSON"));
        System.out.println(port.despedida("JERSON"));
    }
}
{code}
And the output when I run the client is:
{code}
#Hola JERSON
#Chao JERSON
{code}
It is supposed to throw an Exception when calling port.despedida("JERSON") because it is denied. What could be the problem?
-
3. Re: @DenyAll on EJB methods
jaikiran Apr 26, 2013 10:48 PM (in response to jerviver21)
I don't see an EJB anywhere in there. This looks like a WebService question. I don't have enough knowledge about how security is specified/implemented for webservices which aren't backed by EJBs. I'll see if someone from the WS team can take a look at this.
-
4. Re: @DenyAll on EJB methods
sfcoy Apr 28, 2013 3:41 AM (in response to jerviver21)
Is this:
{code:java}@SecurityDomain("JbosWS"){code}
a typo?
-
5. Re: @DenyAll on EJB methods
jerviver21 Apr 29, 2013 9:14 AM (in response to sfcoy)
Stephen:
A security domain!
In standalone.xml, I configured:
{code:xml}
<security-domain name="JBossWS">
    <authentication>
        <login-module code="UsersRoles" flag="required">
            <module-option name="usersProperties" value="${jboss.server.config.dir}/jbossws-users.properties"/>
            <module-option name="rolesProperties" value="${jboss.server.config.dir}/jbossws-roles.properties"/>
            <module-option name="unauthenticatedIdentity" value="anonymous"/>
        </login-module>
    </authentication>
</security-domain>
{code}
So I put the annotation in order for my application to authenticate with this security domain and no other.
Jaikiran:
That really happens to me at all levels; the last thing I tried was a web service, but if I implement an EJB or a simple Servlet, it works in the same way, ignoring the @DenyAll annotation or @Deny or @RolesAllowed.
-
6. Re: @DenyAll on EJB methods
sfcoy Apr 29, 2013 9:31 AM (in response to jerviver21)
Look closer.
"JbosWS"
?
-
7. Re: @DenyAll on EJB methods
jerviver21 Apr 29, 2013 9:41 AM (in response to sfcoy)
You're right!!
I made the correction:
{code:java}
@WebService
@SecurityDomain("JBossWS")
@DenyAll
public class ServiceImpl {

    @WebMethod
    @RolesAllowed("Admin")
    public String saludo(String nombre) {
        System.out.println("Hola " + nombre + "!!!");
        return "Hola " + nombre + "!!!";
    }

    @WebMethod
    public String despedida(String nombre) {
        System.out.println("Chao " + nombre + "!!!");
        return "Chao " + nombre + "!!!";
    }
}
{code}
But it works in the same way, ignoring the @DenyAll annotation!
-
8. Re: @DenyAll on EJB methods
sfcoy Apr 29, 2013 10:36 AM (in response to jerviver21)
Well, I think it should work.
However, the specs (even in JEE7) are kind of vague about it, simply saying that the "EJB" and "Web" containers must support them, without mentioning which managed objects this would include. To muddy the water even further, the Servlet 3.0 spec added in explicit support and then removed it again following the public review phase.
The WildFly source base only contains a test for EJB style web services that use these annotations.
-
9. Re: @DenyAll on EJB methods
dlofthouse Apr 29, 2013 10:43 AM (in response to jerviver21)
I think you have the wrong @SecurityDomain annotation; can you try switching to the one in the package 'org.jboss.ejb3.annotation'?
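A stop-gap for the POJO-endpoint case discussed in replies 8 and 9, added here as an example and not code from this thread or from JBoss: a JAX-WS SOAPHandler that reads the JSR-250 annotations on ServiceImpl itself and checks the caller's roles through the servlet request, so despedida is refused even where the container does not enforce @DenyAll. It assumes the ServiceImpl and web.xml posted above (BASIC auth, so isUserInRole works), the default document/literal wrapped binding, and that the handler is registered on the endpoint with @HandlerChain; the handler class name is hypothetical.

```java
package edu.vi.service;                                  // assumed: same package as ServiceImpl
import java.lang.reflect.Method;
import javax.annotation.security.*;
import javax.jws.WebMethod;
import javax.servlet.http.HttpServletRequest;
import javax.xml.namespace.QName;
import javax.xml.soap.*;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.*;
import javax.xml.ws.soap.SOAPFaultException;
import org.w3c.dom.Node;

// Hypothetical handler: applies the JSR-250 annotations on ServiceImpl to every inbound request.
public class AnnotationAuthHandler implements SOAPHandler<SOAPMessageContext> {
    private static final Class<?> ENDPOINT = ServiceImpl.class;

    // JSR-250 precedence: method annotation beats class annotation, @DenyAll beats everything.
    static boolean permitted(Method m, HttpServletRequest req) {
        if (m.isAnnotationPresent(DenyAll.class)) return false;
        if (m.isAnnotationPresent(PermitAll.class)) return true;
        RolesAllowed ra = m.getAnnotation(RolesAllowed.class);
        if (ra == null) {
            Class<?> c = m.getDeclaringClass();
            if (c.isAnnotationPresent(DenyAll.class)) return false;
            if ((ra = c.getAnnotation(RolesAllowed.class)) == null) return true;  // @PermitAll or none
        }
        for (String role : ra.value()) if (req.isUserInRole(role)) return true;
        return false;                                   // also covers the unauthenticated caller
    }

    public boolean handleMessage(SOAPMessageContext ctx) {
        if ((Boolean) ctx.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY)) return true;
        try {
            // document/literal wrapped: the body's first element is named after the operation,
            // i.e. the Java method name unless @WebMethod(operationName=...) overrides it
            Node op = ctx.getMessage().getSOAPBody().getFirstChild();
            while (op != null && op.getNodeType() != Node.ELEMENT_NODE) op = op.getNextSibling();
            HttpServletRequest req = (HttpServletRequest) ctx.get(MessageContext.SERVLET_REQUEST);
            for (Method m : ENDPOINT.getMethods())
                if (op != null && m.isAnnotationPresent(WebMethod.class) && m.getName().equals(op.getLocalName()))
                    if (permitted(m, req)) return true; else throw fault("Not authorized: " + m.getName());
            throw fault("Unknown operation");           // fail closed instead of leaving it to dispatch
        } catch (SOAPException e) { throw new RuntimeException(e); }
    }

    private static SOAPFaultException fault(String reason) throws SOAPException {
        return new SOAPFaultException(SOAPFactory.newInstance().createFault(reason,
                new QName(SOAPConstants.URI_NS_SOAP_ENVELOPE, "Client")));
    }
    public boolean handleFault(SOAPMessageContext ctx) { return true; }
    public void close(MessageContext ctx) { }
    public java.util.Set<QName> getHeaders() { return java.util.Collections.emptySet(); }
}
```

With the users posted above, kermit (Admin) gets a reply from saludo and a SOAP fault from despedida, while paul (Guest) is already rejected by the web.xml constraint on /hello before the handler runs.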