AW: AW: [JBoss-user] Confused about Web Service Security...
Hi,

I am trying to get basic auth to work. I am at the point where I got my Java client passing the Authorization: Basic details and JBoss throwing back an error:

    AxisFault
     faultCode: {http://xml.apache.org/axis/}Server.userException
     faultString: javax.ejb.EJBException: checkSecurityAssociation; CausedByException is: Authentication exception, principal=null
     faultActor: null
     faultDetail:
     stackTrace: javax.ejb.EJBException: checkSecurityAssociation; CausedByException is: Authentication exception, principal=null

I have my deployment descriptor generated by XDoclet and use a custom JAAS module which I am trying to use both for Web Services and EJB. I changed the jboss-net.sar\jboss-net.war\WEB-INF\jboss-web.xml and the jboss-net.sar\axis-config.xml to use my module. (What is the role of each one?)

The deployment file is:

    <?xml version="1.0" encoding="UTF-8"?>
    <!-- -->
    <!-- This JBoss.Net Web Service Descriptor has been generated by Doclet -->
    <!-- and brought to you by F. M. Brier, C. G. Jung and J. ton -->
    <!-- -->
    <deployment name="Test"
        xmlns="http://xml.apache.org/axis/wsdd/"
        targetNamespace="http://net.jboss.org/Test"
        xmlns:test="http://net.jboss.org/Test"
        xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">

      <!-- The following are declarations of service endpoints targetted to session beans -->
      <service name="Test" provider="Handler">
        <parameter name="handlerClass" value="org.jboss.net.axis.server.EJBProvider"/>
        <parameter name="beanJndiName" value="EJB/Session/TestEJB/Session/Local/Test"/>
        <parameter name="allowedMethods" value="hello "/>
        <requestFlow name="TestRequest">
          <handler type="java:org.jboss.net.axis.server.TransactionRequestHandler"/>
        </requestFlow>
        <responseFlow name="TestResponse">
          <handler type="java:org.jboss.net.axis.server.SerialisationResponseHandler"/>
          <handler type="java:org.jboss.net.axis.server.TransactionResponseHandler"/>
        </responseFlow>
      </service>

      <!-- The following are typemappings for entity beans for implementing the implicit web-service value-object pattern -->
      <!-- The following are typemappings for bean-type value-objects -->
    </deployment>

Thank you!!!

Simone

---
This SF.net email is sponsored by: Etnus, makers of TotalView, The best thread debugger on the planet. Designed with thread debugging features you've never dreamed of, try TotalView 6 free at www.etnus.com.
___
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user
AW: AW: [JBoss-user] Confused about Web Service Security...
Hi,

I managed to do it, thank you anyway :)

Simone
AW: AW: [JBoss-user] Confused about Web Service Security...
Thanks for the feedback. You make my day. It would be interesting to know how to get basic-authentication to work from .NET - if you get it to run, please tell us!

CGJ

-----Original Message-----
From: Neal Sanche [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 26 February 2003 17:57
To: [EMAIL PROTECTED]
Subject: Re: AW: [JBoss-user] Confused about Web Service Security...
AW: [JBoss-user] Confused about Web Service Security...
Hi Neal,

since Axis http-transport is realised through a single servlet, every security constraint that you would like to specify at the transport level must go into the global web-application.xml that comes with the jboss-net.sar!jboss-net.war

Since that is not very modular and since you would normally correctly shield your underlying J2EE logic, we decided to let the transport level open at this point.

Instead, we included a (simple) per-web-service way of authentication and authorization through dedicated Axis interceptors (JBossAuthenticationHandler and JBossAuthorizationHandler, respectively). These interceptors should be put into the transport chain of your web service (I guess that the xdoclet module will do that automatically for you). They are parameterized, e.g., against a preconfigured JBoss security domain using SimplePrincipal.

JBossAuthenticationHandler will authenticate the incoming call versus the associated domain with the basic authentication info that comes through the http call (null Principal in case of no authentication info). With that security association the call will go further into the EJB layer of your application.

Optionally, you can do additional security checks using JBossAuthorizationHandler that will simply implement an allowed/denied behaviour depending on the associated principals.

I can only refer to the jboss.net testsuite in which there is a whole chapter dedicated to that issue.

CGJ

-----Original Message-----
From: Neal Sanche [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 26 February 2003 00:45
To: [EMAIL PROTECTED]
Subject: [JBoss-user] Confused about Web Service Security...
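The per-service handler placement described in this message can be checked mechanically. The following Python script is an added example, not code from JBoss.Net or from the posters; it inspects only each service's own requestFlow, and the `org.jboss.net.axis.server` package for the two security handlers and the `Secured` service are assumptions.

```python
import xml.etree.ElementTree as ET

NS = "{http://xml.apache.org/axis/wsdd/}"
# Matched on the simple class name, as the thread names the handlers.
AUTHN = "JBossAuthenticationHandler"
AUTHZ = "JBossAuthorizationHandler"
PKG = "java:org.jboss.net.axis.server."  # package assumed for the two security handlers

# Constructed sample: "Test" mirrors the requestFlow posted in this thread,
# "Secured" is a hypothetical service that chains both security handlers.
SAMPLE_WSDD = f"""<deployment name="Test" xmlns="http://xml.apache.org/axis/wsdd/"
    xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
  <service name="Test" provider="Handler">
    <requestFlow name="TestRequest">
      <handler type="{PKG}TransactionRequestHandler"/>
    </requestFlow>
  </service>
  <service name="Secured" provider="Handler">
    <requestFlow name="SecuredRequest">
      <handler type="{PKG}{AUTHN}"/>
      <handler type="{PKG}{AUTHZ}"/>
      <handler type="{PKG}TransactionRequestHandler"/>
    </requestFlow>
  </service>
</deployment>"""


def request_chain(service):
    """Simple class names of the handlers in the service's requestFlow, in order."""
    return [h.get("type", "").replace(":", ".").rsplit(".", 1)[-1]
            for flow in service.findall(NS + "requestFlow")
            for h in flow.findall(NS + "handler")]


def audit_wsdd(xml_text):
    """Map each service name to a list of findings; an empty list means none."""
    report = {}
    for service in ET.fromstring(xml_text).iter(NS + "service"):
        chain = request_chain(service)
        findings = []
        if AUTHN not in chain:
            findings.append(f"no {AUTHN} in requestFlow")
        elif AUTHZ not in chain:
            findings.append(f"no {AUTHZ}: roles are checked only in the EJB layer")
        elif chain.index(AUTHZ) < chain.index(AUTHN):
            findings.append(f"{AUTHZ} runs before {AUTHN}")
        report[service.get("name")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_wsdd(SAMPLE_WSDD).items():
        print(name, "->", findings or "ok")
```

Handlers attached in a global or transport-level chain are outside what this check sees, so a flagged service still needs a look at axis-config.xml before drawing a conclusion.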
Re: AW: [JBoss-user] Confused about Web Service Security...
Thanks Dr. Jung,

It's really nice when things actually work as advertised. The problem that I was having was not with the XDoclet descriptors, or with any part of my build pipeline, it was actually the client that I was attempting to access the web service with. I first tried a simple Microsoft .NET client, and when I added tcpmon into the mix, I found it was not sending any basic auth information. So of course it was getting denied access.

So, this morning I used the wsdl2java tool that comes with AXIS to generate the classes for the wsdl interface, and then I wrote a little bit of code, something like the following, based off the output to access the web service:

    public static void main(String[] args) {
        try {
            TestSessionLocalServiceLocator locator = new TestSessionLocalServiceLocator();
            TestSessionLocal ts = locator.getLIMS();
            // The generated stub carries the HTTP basic-auth credentials.
            LIMSSoapBindingStub stub = (LIMSSoapBindingStub) ts;
            stub.setUsername("admin");
            stub.setPassword("admin");
            System.err.println(ts.hello("Testing"));
            ts.testThisThing();
        } catch (Throwable ex) {
            ex.printStackTrace();
        }
    }

And when I watched this through tcpmon I was able to clearly see that the basic-auth information was being sent, and my method call found its way down into the EJB session. Very nice. I even tried experimenting with changing the authentication XDoclet tags and found that really what you've done is added another layer of security for web services such that unauthorized users will be bounced even before the EJB layer is called if their role doesn't match.

I guess I'll make some updates to the information on http://www.nsdev.org/jboss to get the security information straight there.

Thanks for your help.

-Neal

On Wednesday 26 February 2003 04:56 am, Jung, Dr. Christoph wrote:
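The tcpmon check described in this message, as an added Python example that is not part of the original post: it reads a captured request and reports whether Basic credentials were sent and for which user. The captured requests, including the request path and SOAP body, are constructed; the credentials are the admin/admin pair from the client code above.

```python
import base64
import binascii

# Constructed captures in the shape a TCP monitor displays them.
WITH_AUTH = (
    "POST /jboss-net/services/Test HTTP/1.0\r\n"   # placeholder path
    "Content-Type: text/xml; charset=utf-8\r\n"
    "SOAPAction: \"\"\r\n"
    "Authorization: Basic YWRtaW46YWRtaW4=\r\n"
    "\r\n"
    "<soapenv:Envelope>...</soapenv:Envelope>"
)
WITHOUT_AUTH = WITH_AUTH.replace("Authorization: Basic YWRtaW46YWRtaW4=\r\n", "")


def basic_credentials(raw_request):
    """Return (status, username) for the Authorization header of a raw request.

    status is "missing", "not-basic", "malformed" or "ok".
    The password is decoded but deliberately not returned.
    """
    head = raw_request.split("\r\n\r\n", 1)[0]
    value = None
    for line in head.split("\r\n")[1:]:            # skip the request line
        name, sep, rest = line.partition(":")
        if sep and name.strip().lower() == "authorization":
            value = rest.strip()
    if value is None:
        return ("missing", None)
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return ("not-basic", None)
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return ("malformed", None)
    user, sep, _password = decoded.partition(":")  # the password may contain ':'
    if not sep:
        return ("malformed", None)
    return ("ok", user)


if __name__ == "__main__":
    print(basic_credentials(WITH_AUTH))
    print(basic_credentials(WITHOUT_AUTH))
```

The header value is Base64 encoding only, so the same capture that confirms the client sent credentials also exposes the password in recoverable form.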
[JBoss-user] Confused about Web Service Security...
Hi All,

Now that I have a simple web service running with JBoss.NET I'm now trying to enable access to a web service method that's secured by principals and roles within my EJB application. I'm completely confused about how to accomplish this on JBoss. Do I need to set up a security-constraint in my web.xml for this? So far, nothing that I've tried has sent a username and password from my client application to my web service.

If anyone is doing this, please let me know how it's done. I'll post the findings up on my website as a future reference.

-Neal