AW: AW: [JBoss-user] Confused about Web Service Security...

2003-06-09 Thread Simone Milani
Hi,

I am trying to get basic auth to work.  I am at the point where I got my
Java client passing the Authorization: Basic details and JBoss throwing back
an error:
AxisFault
 faultCode: {http://xml.apache.org/axis/}Server.userException
 faultString: javax.ejb.EJBException: checkSecurityAssociation;
CausedByException is:
Authentication exception, principal=null faultActor: null
 faultDetail:
stackTrace: javax.ejb.EJBException: checkSecurityAssociation;
CausedByException is:
Authentication exception, principal=null

I have my deployment descriptor generated by XDoclet and use a custom jaas
module which I am trying to use both for Web Services and EJB.
I changed the jboss-net.sar\jboss-net.war\WEB-INF\jboss-web.xml and the
jboss-net.sar\axis-config.xml to use my module. (What is the role of each
one?)

The deployment file is:

<?xml version="1.0" encoding="UTF-8"?>

<!-- -->
<!-- This JBoss.Net Web Service Descriptor has been generated by Doclet  -->
<!-- and brought to you by F. M. Brier, C. G. Jung and J. ton   -->
<!-- -->

<deployment
    name="Test"
    xmlns="http://xml.apache.org/axis/wsdd/"
    targetNamespace="http://net.jboss.org/Test"
    xmlns:test="http://net.jboss.org/Test"
    xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">

  <!-- The following are declarations of service endpoints targetted to
       session beans -->

  <service name="Test" provider="Handler">
    <parameter name="handlerClass"
               value="org.jboss.net.axis.server.EJBProvider"/>
    <parameter name="beanJndiName"
               value="EJB/Session/TestEJB/Session/Local/Test"/>
    <parameter name="allowedMethods" value="hello" />
    <requestFlow name="TestRequest">
      <handler type="java:org.jboss.net.axis.server.TransactionRequestHandler"/>
    </requestFlow>
    <responseFlow name="TestResponse">
      <handler type="java:org.jboss.net.axis.server.SerialisationResponseHandler"/>
      <handler type="java:org.jboss.net.axis.server.TransactionResponseHandler"/>
    </responseFlow>
  </service>

  <!-- The following are typemappings for entity beans for implementing
       the implicit web-service value-object pattern -->

  <!-- The following are typemappings for bean-type value-objects -->

</deployment>

Thank you!!!

Simone




___
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user


AW: AW: [JBoss-user] Confused about Web Service Security...

2003-06-09 Thread Simone Milani
Hi,

I managed to do it, thank you anyway :)


Simone



AW: AW: [JBoss-user] Confused about Web Service Security...

2003-02-27 Thread Jung , Dr. Christoph
Thanks for the feedback. You make my day.

It would be interesting to know how to get basic-authentication to work from
.Net - if you get it to run, please tell us!

CGJ



AW: [JBoss-user] Confused about Web Service Security...

2003-02-26 Thread Jung , Dr. Christoph
Hi Neal,

since Axis http-transport is realised through a single servlet, every
security constraint that you would like to specify at the transport level
must go into the global web-application.xml that comes with the
jboss-net.sar!jboss-net.war

Since that is not very modular and since you would normally correctly shield
your underlying J2EE logic, we decided to let the transport level open at
this point.

Instead, we included a (simple) per-web-service way of authentication and
authorization through dedicated Axis interceptors
(JBossAuthenticationHandler and JBossAuthorizationHandler, respectively). 

These interceptors should be put into the transport chain of your web
service (I guess that the xdoclet module will do that automatically for
you). They are parameterized, e.g., against a preconfigured JBoss security
domain using SimplePrincipal. 

JBossAuthenticationHandler will authenticate the incoming call versus the
associated domain with the basic authentication info that comes through the
http call (null Principal in case of no authentication info). With that
security association the call will go further into the EJB layer of your
application.

Optionally, you can do additional security checks using
JBossAuthorizationHandler that will simply implement an allowed/denied
behaviour depending on the associated principals.

I can only refer to the jboss.net testsuite in which there is a whole
chapter dedicated to that issue.

CGJ



Re: AW: [JBoss-user] Confused about Web Service Security...

2003-02-26 Thread Neal Sanche
Thanks Dr. Jung,

It's really nice when things actually work as advertised. The problem 
that I was having was not with the XDoclet descriptors, or with any 
part of my build pipeline, it was actually the client that I was 
attempting to access the web service with. I first tried a simple 
Microsoft .NET client, and when I added tcpmon into the mix, I found 
it was not sending any basic auth information. So of course it was 
getting denied access.

So, this morning I used the wsdl2java tool that comes with AXIS to 
generate the classes for the wsdl interface, and then I wrote a 
little bit of code, something like the following, based off the 
output to access the web service:

public static void main(String[] args) {
  try {
    // Locator and stub classes were generated by wsdl2java from the WSDL
    TestSessionLocalServiceLocator locator = new TestSessionLocalServiceLocator();
    TestSessionLocal ts = locator.getLIMS();
    // The generated binding stub carries the HTTP basic-auth credentials
    LIMSSoapBindingStub stub = (LIMSSoapBindingStub) ts;
    stub.setUsername("admin");
    stub.setPassword("admin");
    System.err.println(ts.hello("Testing"));
    ts.testThisThing();
  } catch (Throwable ex) {
    ex.printStackTrace();
  }
}

And when I watched this through tcpmon I was able to clearly see that 
the basic-auth information was being sent, and my method call found 
its way down into the EJB session. Very nice.

I even tried experimenting with changing the authentication XDoclet 
tags and found that really what you've done is added another layer of 
security for web services such that unauthorized users will be 
bounced even before the EJB layer is called if their role doesn't 
match.

I guess I'll make some updates to the information on 
http://www.nsdev.org/jboss to get the security information straight 
there. Thanks for your help.

-Neal
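
The flow discussed in this thread, as an added example that is not part of any poster's message and is not JBoss.NET code: a stand-alone Java model of the authenticate-then-authorize steps, run on two constructed requests like those compared in tcpmon, showing why a request without an `Authorization: Basic` header ends up with a null principal. The class name, user table, role name and request path are assumptions made for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.Set;

/** Added illustration, not JBoss.NET code: authenticate, then authorize, a captured HTTP request. */
public class BasicAuthFlowDemo {
    // Constructed security domain (hypothetical data): password and roles per user.
    static final Map<String, String> PASSWORDS = Map.of("admin", "admin");
    static final Map<String, Set<String>> ROLES = Map.of("admin", Set.of("Administrator"));

    /** Returns {user, password} from an "Authorization: Basic" header, or null if absent or malformed. */
    static String[] credentials(String rawRequest) {
        for (String line : rawRequest.split("\r\n")) {
            if (line.isEmpty()) break;                       // blank line ends the headers
            int colon = line.indexOf(':');
            if (colon < 0 || !line.substring(0, colon).trim().equalsIgnoreCase("Authorization")) continue;
            String value = line.substring(colon + 1).trim();
            if (!value.regionMatches(true, 0, "Basic ", 0, 6)) return null;   // some other scheme
            try {
                byte[] raw = Base64.getDecoder().decode(value.substring(6).trim());
                String pair = new String(raw, StandardCharsets.ISO_8859_1);
                int sep = pair.indexOf(':');                 // first ':' splits user from password
                return sep < 0 ? null : new String[] { pair.substring(0, sep), pair.substring(sep + 1) };
            } catch (IllegalArgumentException badBase64) {
                return null;
            }
        }
        return null;
    }

    /** Authentication step: the principal name, or null when credentials are missing or wrong. */
    static String authenticate(String rawRequest) {
        String[] c = credentials(rawRequest);
        if (c == null) return null;
        String expected = PASSWORDS.get(c[0]);
        if (expected == null) return null;
        boolean ok = MessageDigest.isEqual(expected.getBytes(StandardCharsets.ISO_8859_1),
                                           c[1].getBytes(StandardCharsets.ISO_8859_1));
        return ok ? c[0] : null;
    }

    /** Authorization step: allowed only when the principal holds one of the allowed roles. */
    static boolean authorize(String principal, Set<String> allowedRoles) {
        if (principal == null) return false;                 // unauthenticated callers are denied
        return ROLES.getOrDefault(principal, Set.of()).stream().anyMatch(allowedRoles::contains);
    }

    public static void main(String[] args) {
        // Constructed requests; the path and body are placeholders.
        String head = "POST /jboss-net/services/Test HTTP/1.0\r\nContent-Type: text/xml\r\n";
        String token = Base64.getEncoder().encodeToString("admin:admin".getBytes(StandardCharsets.ISO_8859_1));
        String[] captured = { head + "\r\n<soap/>",          // client sent no credentials
                              head + "Authorization: Basic " + token + "\r\n\r\n<soap/>" };
        for (String request : captured) {
            String principal = authenticate(request);
            System.out.println("principal=" + principal
                    + " allowed=" + authorize(principal, Set.of("Administrator")));
        }
    }
}
```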


[JBoss-user] Confused about Web Service Security...

2003-02-25 Thread Neal Sanche
Hi All,

Now that I have a simple web service running with JBoss.NET I'm now 
trying to enable access to a web service method that's secured by 
principals and roles within my EJB application. I'm completely 
confused about how to accomplish this on JBoss. Do I need to set up a 
security-constraint in my web.xml for this? So far, nothing that I've 
tried has sent a username and password from my client application to 
my web service. If anyone is doing this, please let me know how it's 
done. I'll post the findings up on my website as a future reference.

-Neal

