I just spent about 5 painful hours working through various combinations of tags, looking at the JBoss wiki, and eventually the source code for JBossAuthenticationHandler and the contents of jboss-net_ejb_xml.xdt in the xdoclet-module-jboss-net.jar that I have.
Turns out that my xdoclet-module-jboss-net.jar does NOT understand the "validate-unauthenticated-calls" tag. The default in the JBossAuthenticationHandler is "false". According to notes in the source code, one would set "validateUnauthenticatedCalls" to "true" to handle clients that cannot (or won't) pre-authenticate.

Note: there is a page at http://www.jboss.org/developers/guides/jboss.net/security that says just the opposite and states to set "validateUnauthenticatedCalls" to "false". This doesn't agree with the comments in the source code ..... this cost me much frustration and hair loss.

So, to get to the point, you'll need to manually edit the "requestFlow" section of your "web-service.xml". You might start with the version that xdoclet generates and then fix up the "requestFlow" section similar to the following:

    <requestFlow name="MyRequest">
      <!-- authentication runs against the jaas:/other domain -->
      <handler type="java:org.jboss.net.axis.server.JBossAuthenticationHandler">
        <parameter name="securityDomain" value="java:/jaas/other"/>
        <parameter name="validateUnauthenticatedCalls" value="true"/>
      </handler>
      <!-- authorization runs against the jaas:/other domain -->
      <handler type="java:org.jboss.net.axis.server.JBossAuthorizationHandler">
        <parameter name="securityDomain" value="java:/jaas/other"/>
        <parameter name="allowedRoles" value="myrole"/>
      </handler>
    </requestFlow>

I've run several tests with .Net and Perl SOAP::Lite clients and this works for me. Forget about using "this.PreAuthenticate = true;" in your .Net proxy class. It might pre-authenticate subsequent webservice calls (haven't tested that), but it will NOT pre-authenticate the first call. I've even seen posts on .Net sites about forcibly adding an authenticate header - but from my tests, .Net will silently remove any attempt to do that.
Hope this helps,
Lance

View the original post: http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3841787#3841787
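
An added example, not part of Lance's post or of the JBoss code: a small Python audit that checks every requestFlow in a web-service.xml for the two handlers and the parameters the post describes, in the order the post's snippet lists them. The `<deployment>` wrapper, the second flow "Generated" and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
PKG = "java:org.jboss.net.axis.server."
AUTHN, AUTHZ = PKG + "JBossAuthenticationHandler", PKG + "JBossAuthorizationHandler"

# Constructed sample. The <deployment> wrapper is an assumption; "MyRequest"
# mirrors the post, "Generated" stands in for a flow missing the hand edits.
SAMPLE = f"""<deployment>
 <requestFlow name="MyRequest">
  <handler type="{AUTHN}">
   <parameter name="securityDomain" value="java:/jaas/other"/>
   <parameter name="validateUnauthenticatedCalls" value="true"/>
  </handler>
  <handler type="{AUTHZ}">
   <parameter name="securityDomain" value="java:/jaas/other"/>
   <parameter name="allowedRoles" value="myrole"/>
  </handler>
 </requestFlow>
 <requestFlow name="Generated">
  <handler type="{AUTHZ}"><parameter name="allowedRoles" value=""/></handler>
  <handler type="{AUTHN}">
   <parameter name="securityDomain" value="java:/jaas/other"/>
  </handler>
 </requestFlow>
</deployment>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop any "{namespace}" prefix

# Returns {flow name: [issues]} for every requestFlow in the document.
def audit(xml_text):
    report = {}
    for flow in (e for e in ET.fromstring(xml_text).iter() if local(e.tag) == "requestFlow"):
        handlers = [h for h in flow if local(h.tag) == "handler"]
        order = [h.get("type") for h in handlers]
        params = {h.get("type"): {p.get("name"): p.get("value") or "" for p in h}
                  for h in handlers}
        authn, authz = params.get(AUTHN), params.get(AUTHZ)
        issues = []
        if authn is None:
            issues.append("no authentication handler")
        elif authn.get("validateUnauthenticatedCalls", "false").lower() != "true":
            issues.append("validateUnauthenticatedCalls is not true")
        if authz is None:
            issues.append("no authorization handler")
        elif not authz.get("allowedRoles", "").strip():
            issues.append("allowedRoles is empty")
        if AUTHN in order and AUTHZ in order and order.index(AUTHN) > order.index(AUTHZ):
            issues.append("authorization handler listed before authentication")
        report[flow.get("name")] = issues
    return report
```

Calling `audit(SAMPLE)` returns an empty issue list for "MyRequest" and three issues for "Generated"; pass the text of a real descriptor in place of `SAMPLE` to check it after each xdoclet regeneration.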