[jboss-user] [Security] - Problem securing a web service
I'm trying to secure a web service which is an EJB. I'm trying to accomplish this by adding the following jboss.xml in the META-INF folder.

    <?xml version="1.0"?>
    <!DOCTYPE jboss PUBLIC "-//JBoss//DTD JBOSS 4.0//EN" "http://www.jboss.org/j2ee/dtd/jboss_4_2.dtd">
    <jboss>
      <security-domain />
      <enterprise-beans>
        <session>
          <ejb-name>MyEJB</ejb-name>
          <configuration-name>MyEJB Web Service Config</configuration-name>
        </session>
      </enterprise-beans>

      <container-configurations>
        <container-configuration>
          <container-name>MyEJB Web Service Config</container-name>
          <security-domain>java:/jaas/mydomain</security-domain>
        </container-configuration>
      </container-configurations>
    </jboss>

As you can see, this EJB is the only EJB that should be behind a security domain. I tried doing this with the SecurityDomain annotation on my EJB, but it gave me a nullpointer in my Seam application on deployment.

Now, this web service is indeed protected by this security domain. So far, so good. But now it seems that the rest of my application is also trying to pass this security domain. What am I forgetting here, or what am I doing wrong?

Btw, my EJB is annotated with the following annotations:

    @Stateless(name="MyEJB")
    @WebService(endpointInterface=..., name = ..., targetNamespace = ..., serviceName = ...)
    @WebContext(urlPattern = "/webservice", authMethod = "BASIC", transportGuarantee = "NONE", secureWSDLAccess = false)

View the original post : http://www.jboss.org/index.html?module=bbop=viewtopicp=4251791#4251791
Reply to the post : http://www.jboss.org/index.html?module=bbop=postingmode=replyp=4251791
___
jboss-user mailing list
jboss-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-user
[jboss-user] [Security] - Re: Basic HTTP authentication for WSDL (using JAAS LoginModu
I've managed to get this thing working in a very small dummy application, but this problem is still occurring in my company's application. It's a Seam application running on JBoss 4.2.3. Could Seam somehow be causing this nullpointer?
[jboss-user] [Security] - Re: Basic HTTP authentication for WSDL (using JAAS LoginModu
Forgot to tell you that this problem only occurs when I use this SecurityDomain annotation.
[jboss-user] [Security] - Re: Basic HTTP authentication for WSDL (using JAAS LoginModu
Sorry for spamming in my own post... I'm starting to doubt whether this is possible. Check https://jira.jboss.org/jira/browse/SECURITY-38. If my approach isn't possible, what approach should I go for (considering that only the web service should be behind basic authentication)?
[jboss-user] [Security JAAS/JBoss] - Re: Basic HTTP authentication for WSDL (using JAAS LoginModu
Thanks for your reply Wolfgang. I'm using JBoss 4.2.3. In our Seam application, we use the following JBoss dependency:

    <dependency>
      <groupId>org.jboss.embedded</groupId>
      <artifactId>jboss-embedded</artifactId>
      <version>beta3</version>
      <type>pom</type>
    </dependency>

And yes, we do use the org.jboss.annotation.security package for the SecurityDomain annotation. Any other ideas?
[jboss-user] [Security JAAS/JBoss] - Basic HTTP authentication for WSDL (using JAAS LoginModule)
Hi, I'm trying to use basic HTTP authentication for my WSDL. The user credentials should be validated by a (JAAS) LoginModule for Atlassian Crowd. Somehow the deployment of my EAR file fails. The following stacktrace shows up in my logs:

    java.lang.NullPointerException
        at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorFactory.createPerClass(RoleBasedAuthorizationInterceptorFactory.java:49)
        at org.jboss.aop.advice.AspectFactoryDelegator.createPerClass(AspectFactoryDelegator.java:107)
        at org.jboss.aop.Advisor.addPerClassAspect(Advisor.java:569)
        at org.jboss.aop.advice.ScopedInterceptorFactory.create(ScopedInterceptorFactory.java:72)
        at org.jboss.aop.Advisor.createInterceptorChain(Advisor.java:618)
        at org.jboss.aop.Advisor.pointcutResolved(Advisor.java:888)
        at org.jboss.aop.Advisor.resolveMethodPointcut(Advisor.java:650)
        at org.jboss.aop.ClassContainer.createInterceptorChains(ClassContainer.java:248)
        at org.jboss.aop.ClassContainer.rebuildInterceptors(ClassContainer.java:115)
        at org.jboss.aop.ClassContainer.initializeClassContainer(ClassContainer.java:58)
        at org.jboss.ejb3.EJBContainer.processMetadata(EJBContainer.java:342)
        at org.jboss.ejb3.SessionContainer.processMetadata(SessionContainer.java:140)
        at org.jboss.ejb3.Ejb3Deployment.processEJBContainerMetadata(Ejb3Deployment.java:292)
        at org.jboss.ejb3.Ejb3Deployment.start(Ejb3Deployment.java:356)
        at org.jboss.ejb3.Ejb3Module.startService(Ejb3Module.java:91)
        at org.jboss.system.ServiceMBeanSupport.jbossInternalStart(ServiceMBeanSupport.java:289)
        at org.jboss.system.ServiceMBeanSupport.jbossInternalLifecycle(ServiceMBeanSupport.java:245)
        at sun.reflect.GeneratedMethodAccessor3.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.lang.reflect.Method.invoke(Unknown Source)
        at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155)
        at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
        at org.jboss.mx.server.Invocation.invoke(Invocation.java:86)
        at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
        at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
        at org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController.java:978)
        at $Proxy0.start(Unknown Source)

Apparently the RoleBasedAuthorizationInterceptorFactory throws an exception on line 49. When I checked its source, I've found the following code:

    ctx.lookup("java:/jaas/" + securityAnnotation.value());

Probably, this means that the class doesn't find my SecurityDomain annotation, while it IS present. I've got the following annotations on my web service:

    @Stateless
    @SecurityDomain("mydomain")
    @SOAPBinding(style = SOAPBinding.Style.RPC, use = SOAPBinding.Use.LITERAL)
    @WebService(name = "ProjectWebService", targetNamespace = "url", serviceName = "service")
    @WebContext(urlPattern = "/url", authMethod = "BASIC", transportGuarantee = "NONE", secureWSDLAccess = false)
    @RolesAllowed("admin")
    @Remote(clazz.class)

Other things I've done:

web.xml:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>wsdl</web-resource-name>
        <url-pattern>/url</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>admin</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>BASIC</auth-method>
    </login-config>
    <security-role>
      <role-name>admin</role-name>
    </security-role>

login-config.xml (in the conf folder):

    <application-policy name="mydomain">
      <authentication>
        <login-module code="com.atlassian.crowd.application.jaas.CrowdLoginModule" flag="required">
          <module-option name="application.name">admin</module-option>
          <module-option name="application.password">admin</module-option>
          <module-option name="crowd.server.url">server/</module-option>
        </login-module>
      </authentication>
    </application-policy>

This is the code which should be responsible for authenticating the users. What am I doing wrong here? Thanks!