-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 03, 2002 3:33 AM
To: [EMAIL PROTECTED]
Subject: Session full web service with ejb provider and JAAS security
I have been playing with axis beta1, jboss2.4.4 with tomcat4.0.1 bundled together in order to create a web service with an ejb implementation.
It is working quite well. By doing a stateful ejb, I also played with the request, session and application scope of the web service and the whole chain is working fine. The stateful ejb is doing what it is supposed to do, and with a session scope web service, axis is making sure that my ejb client session is reused across requests.
I also managed to set up JAAS permissions on the ejb and have the web service client code log in in order to make a successful call.
I actually have two questions:
1) Maybe this is due to my poor knowledge of ejb, but I read in a couple of places that the stateful ejb will be maintained by the ejb container as long as the client is not timing out (or explicitly calling remove). What does this mean in the axis context? If I declare my web service with an application scope, does it mean that my stateful bean will always be maintained (as long as the ejb container does not stop)? In the case of a session scope, with a java client program to the web service, what does it mean to time out, and if it can time out, is it propagated to the ejb stateful bean? Obviously, if the Call object that I am using to do the web service calls is destroyed, the ejb stateful bean is recycled. But does it mean that it will never be recycled as long as this object is alive?
2) The second question is actually more a problem than a question. When setting JAAS security on the ejb implementation, if the web service client code is getting a security exception, it seems that I cannot make any further calls to the web service. In the axis client code included below, I log in as user1. user1 has the right to call getValue, but not setValue (those rights are defined through JAAS permissions on the ejb implementation: some <method-permission> in the ejb-jar.xml used to deploy the ejb). Calling getValue is working ok. When calling setValue, I get an exception. So far, so good. Trying to call getValue again, and I get some weird exceptions. Any ideas?
Thanks.
Thomas
Code:
======
System.out.println ("user1");
Service service = new Service ();
Call call = (Call) service.createCall ();
call.setTargetEndpointAddress (new java.net.URL (END_POINT_URL));
// Credentials checked against the JAAS permissions on the ejb
call.setUsername ("user1");
call.setPassword ("user1");
// Reuse the same session (and stateful ejb) across calls
call.setMaintainSession (true);
// Permitted for user1
call.setOperationName (new QName ("Demo", "getValue"));
System.out.println (call.invoke (new Object []{}));
try {
    // Not permitted for user1: a security exception is expected here
    call.setOperationName (new QName ("Demo", "setValue"));
    call.invoke (new Object []{user + " value"});
}
catch (Exception e) {
    System.out.println (e);
}
// Permitted again, but this is the call that fails after the denial
call.setOperationName (new QName ("Demo", "getValue"));
System.out.println (call.invoke (new Object []{}));

Output:
======
run-axis-client:
[java] user1
[java] getValue return
[java] java.rmi.ServerException: Transaction rolled back; nested exception is:
[java] java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
[java] java.lang.SecurityException: Insufficient method permissions, principal=user1, method=setValue, requiredRoles=[role2], principalRoles=[role1, guest]
[java] java.rmi.NoSuchObjectException: Could not activate; nested exception is:
[java] java.io.FileNotFoundException: H:\JBoss-2.4.4_Tomcat-4.0.1\jboss\db\sessions\Demo\1020409195143.ser (The system cannot find the file specified)
Title: Session full web service with ejb provider and JAAS security
I figured out the answers to my questions. Let me reply to myself, just in case somebody else is interested.
1) The stateful bean stops being maintained by the ejb container in the following cases:
- timing out in the ejb container. The ejb container, when the stateful bean is not used for a while, can destroy the bean. I did not find any code in the Axis EJBProvider to handle that correctly (axis-beta2).
- if the ejb client object (the object created by the EJBProvider) is explicitly calling remove, it will recycle the stateful bean. I did not see any code in Axis to do this kind of cleanup if the Axis session times out.
I was actually wrong when saying that destroying the Call object will recycle the stateful bean. When the Call object is destroyed (actually, it is more when my java axis client program finishes), the axis session will eventually time out (I guess) and the ejb client will disappear, but as I said above, I did not see any code in Axis for a proper cleanup of the ejb (remove should be called).
2) The problem has nothing to do with Axis. My ejb container is JBoss, and their interpretation of the EJB spec is that a security exception is a runtime exception and a runtime exception is destroying the stateful bean. So after the first security exception, the stateful bean is gone, but axis is still caching the ejb client object to this bean, so when I invoke a new web service operation, I get some object not found type of exceptions. I sent another post in the axis-dev list to find out if I have a way, from the client, to remove the cached service object in a session scope service. No answers yet.
Thomas
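Added example (not part of the original post, and not Axis or JBoss code): a toy model of the sequence described in answer 2, where a denied call destroys the stateful bean while the session-scoped cache keeps the dead handle, next to a provider that evicts the handle on NoSuchObjectException. ToyContainer, SessionScopedProvider and the evictStale flag are hypothetical names; the roles and method names are the ones from the post.

```java
import java.rmi.NoSuchObjectException;
import java.util.*;
// Added illustration: hypothetical models, not Axis or JBoss classes.
public class StaleHandleDemo {
    /** Toy container: a runtime exception during a call discards the stateful bean. */
    static class ToyContainer {
        private final Map<Integer, String> beans = new HashMap<>();
        private int nextId = 1;
        int create() { beans.put(nextId, "initial"); return nextId++; }
        String invoke(int id, String method, Set<String> roles) throws NoSuchObjectException {
            if (!beans.containsKey(id)) throw new NoSuchObjectException("Could not activate " + id);
            if (method.equals("setValue") && !roles.contains("role2")) {
                beans.remove(id); // instance destroyed along with the denied call
                throw new SecurityException("Insufficient method permissions, method=" + method);
            }
            return beans.get(id);
        }
    }
    /** Session-scoped provider: caches one bean handle for the whole session. */
    static class SessionScopedProvider {
        private final ToyContainer container;
        private final boolean evictStale;
        private Integer cached; // stands in for the cached ejb client object
        SessionScopedProvider(ToyContainer c, boolean evict) { container = c; evictStale = evict; }
        String call(String method, Set<String> roles) throws NoSuchObjectException {
            if (cached == null) cached = container.create();
            try {
                return container.invoke(cached, method, roles);
            } catch (NoSuchObjectException e) {
                if (!evictStale) throw e;
                cached = null; // drop the dead handle; conversational state is lost
                return call(method, roles); // one retry against a freshly created bean
            }
        }
    }
    /** Replays the client sequence from the post: getValue, denied setValue, getValue. */
    static String run(boolean evictStale) {
        SessionScopedProvider p = new SessionScopedProvider(new ToyContainer(), evictStale);
        Set<String> roles = Set.of("role1", "guest");
        try {
            p.call("getValue", roles);
            try { p.call("setValue", roles); } catch (SecurityException denied) { /* expected */ }
            return p.call("getValue", roles);
        } catch (NoSuchObjectException e) { return "FAILED: " + e.getMessage(); }
    }
    public static void main(String[] args) {
        System.out.println("cache kept:    " + run(false));
        System.out.println("cache evicted: " + run(true));
    }
}
```

With the cache kept, a single authorization failure leaves the session unusable for calls the user is entitled to make; with eviction the session recovers, at the cost of whatever state the destroyed bean held.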
