Skip navigation

3 Replies Latest reply on May 8, 2014 10:08 AM by morettileo

JBossWS-CXF - Unexpected authorization check when calling an unprotected resource

lpedriali Feb 19, 2014 11:37 AM

When calling a resource defined inside a war, where no authorization annotations on the service and no security constraints on the web.xml have been defined, I obtain the following stackTrace error:

Caused by: javax.ejb.EJBAccessException: Invalid User

at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:161) [:1.7.21]

at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.2.GA]

at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41) [:1.7.21]

at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.2.GA]

at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67) [:1.7.21]

at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.2.GA]

at org.jboss.ejb3.core.context.CurrentInvocationContextInterceptor.invoke(CurrentInvocationContextInterceptor.java:47) [1.7.21]

at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.2.GA]

at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67) [:1.0.1]

at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.2.GA]

at org.jboss.ejb3.interceptor.EJB3TCCLInterceptor.invoke(EJB3TCCLInterceptor.java:86) [:1.7.21]

at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.2.GA]

at org.jboss.ejb3.stateless.StatelessContainer.localInvoke(StatelessContainer.java:272) [:1.7.21]

at org.jboss.ejb3.stateless.StatelessContainer.invokeEndpoint(StatelessContainer.java:617) [:1.7.21]

at org.jboss.webservices.integration.invocation.InvocationHandlerEJB3.invoke(InvocationHandlerEJB3.java:137) [:6.1.0.Final]

at org.jboss.wsf.stack.cxf.AbstractInvoker._invokeInternal(AbstractInvoker.java:164) [:3.4.1.GA]

... 38 more

I just define a security domain in a jboss-app.xml in the META-INF folder of my ear.

The application package configuration is:

myEar.ear

|

|--META-INF

| |

| |-application.xml

| |-jboss.app.xml

|

|---lib

|

|--myJar.jar

|--myWar.war

|

|---------WEB-INF

|

|-resources.jar

|-web.xml

My jboss-app.xml is:

<?xml version="1.0" encoding="UTF-8"?>

<jboss-app>

<security-domain>myDomain</security-domain>

</jboss-app>

myDomain refers to an application-policy defined in the login-config.xml file, containing a custom login module.

Why security is involved during this process, even if not security constraints have been defined? I'm using JBoss 6.1.0.Final

1. Re: JBossWS-CXF - Unexpected authorization check when calling an unprotected resource

asoldano Mar 24, 2014 5:41 AM (in response to lpedriali)

As far as I can see from the exception above, the WS endpoint being invoked is a EJB3 based endpoint. That will use the configured security domain for authentication, defined either through a @SecurityDomain annotation or (as in your case) security-domain declaration in a deployment descriptor.
Actions
2. Re: JBossWS-CXF - Unexpected authorization check when calling an unprotected resource

lpedriali Mar 31, 2014 5:01 AM (in response to asoldano)

Yes, the WS endpoint is an EJB3 based endpoint. But is enough to define a security domain to activate the authentication to each resource inside the ear? Is this the expected behaviour in JBoss 6? In JBoss 7, with the same ear configuration, authentication is not called.
Actions
3. Re: JBossWS-CXF - Unexpected authorization check when calling an unprotected resource

morettileo May 8, 2014 10:08 AM (in response to asoldano)

What you said lets me suppose the definition of a security domain should enable automatically authentication for any endpoint in the scope of the security domain (ear in this case, because defined into jboss-app.xml). Even if no security annotation (@RolesAllowed or other) has been defined in the endpoint!!!
This sounds me strange, but if this is the expected behaviour, then we have a security bug in JBoss 7.1.1.Final, where the definition of a security domain enables authentication only for protected endpoints, i.e. where security annotations have been defined, and endpoint without security annotations doesn't require any authentication!
Actions

Go to original post