Hi guys, I have a question about the WS Security.
Our webservice should use PasswordText and PasswordDigest as passwordType. I found this example which seems to work: https://github.com/apache/tomee/tree/tomee-8.x/examples/webservice-ws-security Unfortunately our API has a role declared like this which should come from a LoginProvider org.apache.openejb.core.security.jaas.LoginProvider @RolesAllowed(value = {"Administrator"}) public void getList(Boolean include, Holder<List<Object>> list, Holder<Message> message) { org.apache.cxf.interceptor.Fault: Unauthorized Access by Principal Denied while invoking public abstract void com.company.webservice.WSWebservice.getList(java.lang.Boolean,javax.xml.ws.Holder,javax.xml.ws.Holder) with params [false, javax.xml.ws.Holder@a74aaa4, javax.xml.ws.Holder@32df15d0]. The code invokes immediately the method. There is no passwordhandler anymore and no LoginProvider invoked. The strange think is, that only with the resource.xml and openejb.xml files it works for only one factory: Either wss4jText or wss4jDigest. resources.xml <Service id="wss4jText" class-name="org.apache.openejb.server.cxf.config.WSS4JInInterceptorFactory" factory-name="create"> action = UsernameToken passwordType = PasswordText passwordCallbackClass = passwordCallbackClass = com.company.PasswordHandler </Service> <Service id="wss4jDigest" class-name="org.apache.openejb.server.cxf.config.WSS4JInInterceptorFactory" factory-name="create"> action = UsernameToken passwordType = PasswordDigest passwordCallbackClass = com.company.PasswordHandler </Service> openejb-jar.xml <ejb-deployment ejb-name="WSWebservice"> <properties> cxf.jaxws.in-interceptors = wss4jText,someInterceptors cxf.jaxws.features = addressingFeature cxf.jaxws.out-fault-interceptors = faultInterceptor </properties> </ejb-deployment> But since I try to get it to run with both, I run in the exception metioned above. Here some parts from the ejb-jar.xml <session> <ejb-name>WsServiceUsernameTokenPlainPassword</ejb-name> <service-endpoint>com.company.webservice.WSWebservice</service-endpoint> <ejb-class>com.company.webservice.class.WSWebservice</ejb-class> <session-type>Stateless</session-type> <transaction-type>Container</transaction-type> </session> webservice.xml <webservice-description-name>WSWebservice</webservice-description-name> <port-component> <port-component-name>WsServiceUsernameTokenPlainPassword</port-component-name> <wsdl-port>WsServiceUsernameTokenPlainPassword</wsdl-port> <service-endpoint-interface>com.company.webservice.WSWebservice</service-endpoint-interface> <service-impl-bean> <ejb-link>WsServiceUsernameTokenPlainPassword</ejb-link> </service-impl-bean> </port-component> The login.conf stuff is done, the server.xml stuff should be done, only the web.xml seem https://github.com/apache/tomee/tree/main/examples/rest-jaas/src/main https://github.com/apache/tomee/blob/main/examples/rest-jaas/src/main/webapp/WEB-INF/web.xml At the moment I have no clue, why I stuck. Does anybody have an idea? Thanks, Markus
