users@glassfish.java.net

Re: JAX-RPC servlet endpoint with HTTP basic auth & SSL

From: Ryan de Laplante <ryan_at_ijws.com>
Date: Mon, 12 May 2008 23:05:23 -0400

With the settings displayed below (and no GET configured), I tried
calling it from my service client app. The client looks like this:

MyServiceSEI endpoint = getMyServiceSEIPort();
Stub stub = (Stub) endpoint;
stub._setProperty(Stub.USERNAME_PROPERTY, "johndoe");
stub._setProperty(Stub.PASSWORD_PROPERTY, "glassfish");
endpoint.searchFolios(criteria);

The server records the error shown below, and the client is told "Forbidden".
Notice it is http instead of https, port 8080 instead of 8443 (the https
listener).

DPL5306:Servlet Web Service Endpoint [MyService] listening at address
[http://ryco-ws2:8080/MyService/MyService]
JACC Policy Provider: PolicyWrapper.implies,
context(MyService/MyService)-
permission((javax.security.jacc.WebUserDataPermission /MyService POST))
domain that failed(ProtectionDomain (file:/MyService/MyService <no
signer certificates>)
 null
 <no principals>
 java.security.Permissions@1bebe0f (
 (unresolved javax.security.jacc.WebUserDataPermission /*
!DELETE,HEAD,OPTIONS,POST,PUT,TRACE)
 (unresolved javax.security.jacc.WebUserDataPermission /*
DELETE,HEAD,OPTIONS,POST,PUT,TRACE:CONFIDENTIAL)
 (unresolved
com.sun.corba.ee.impl.presentation.rmi.DynamicAccessPermission access null)
 (unresolved javax.security.jacc.WebResourcePermission /*
!DELETE,HEAD,OPTIONS,POST,PUT,TRACE)
 (unresolved com.sun.enterprise.security.CORBAObjectPermission * *)
 (javax.management.MBeanPermission [com.sun.messaging.jms.*:*] *)
 (java.util.PropertyPermission line.separator read)
 (java.util.PropertyPermission java.vm.version read)
 (java.util.PropertyPermission java.vm.specification.version read)
 (java.util.PropertyPermission java.vm.specification.vendor read)
 (java.util.PropertyPermission java.vendor.url read)
 (java.util.PropertyPermission java.vm.name read)
 (java.util.PropertyPermission * read,write)
 (java.util.PropertyPermission os.name read)
 (java.util.PropertyPermission java.vm.vendor read)
 (java.util.PropertyPermission path.separator read)
 (java.util.PropertyPermission java.specification.name read)
 (java.util.PropertyPermission os.version read)
 (java.util.PropertyPermission os.arch read)
 (java.util.PropertyPermission java.class.version read)
 (java.util.PropertyPermission java.version read)
 (java.util.PropertyPermission file.separator read)
 (java.util.PropertyPermission java.vendor read)
 (java.util.PropertyPermission java.vm.specification.name read)
 (java.util.PropertyPermission java.specification.version read)
 (java.util.PropertyPermission java.specification.vendor read)
 (javax.security.auth.PrivateCredentialPermission
javax.resource.spi.security.PasswordCredential * "*" read)
 (java.net.SocketPermission localhost:1024- listen,resolve)
 (java.net.SocketPermission * connect,resolve)
 (javax.management.MBeanTrustPermission register)
 (java.lang.RuntimePermission getClassLoader)
 (java.lang.RuntimePermission loadLibrary.*)
 (java.lang.RuntimePermission accessDeclaredMembers)
 (java.lang.RuntimePermission getProtectionDomain)
 (java.lang.RuntimePermission modifyThreadGroup)
 (java.lang.RuntimePermission stopThread)
 (java.lang.RuntimePermission setContextClassLoader)
 (java.lang.RuntimePermission queuePrintJob)
 (java.io.FilePermission C:\Users\ryan\AppData\Local\Temp\\- delete)
 (java.io.FilePermission D:/Program
Files/Sun/AppServer91UR2/domains/domain1\lib\databases\- delete)
 (java.io.FilePermission <<ALL FILES>> read,write)
)
)


Thanks,
Ryan


Ryan de Laplante wrote:
> Hi,
>
> I've created a J2EE 1.4 project with a JAX-RPC web service for a
> customer who can only communicate with JAX-RPC. I need to secure it
> with HTTPS/SSL, and basic authentication.
> I've already got JAX-WS services secured with HTTP BASIC
> authentication and SSL using information on this page:
>
> http://www.ryandelaplante.com/rdelaplante/entry/ssl_and_http_basic_authentication
>
>
> When I add the following to my web.xml then request the WSDL using
> https, the soap:address at the bottom of WSDL says to use http://
> instead of https:// What am I missing??
>
> <security-constraint>
>   <display-name>SSL Constraint</display-name>
>   <web-resource-collection>
>     <web-resource-name>WSServlet_MyService</web-resource-name>
>     <url-pattern>/*</url-pattern>
>     <http-method>PUT</http-method>
>     <http-method>HEAD</http-method>
>     <http-method>POST</http-method>
>     <http-method>OPTIONS</http-method>
>     <http-method>TRACE</http-method>
>     <http-method>DELETE</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>IJWAPPS</role-name>
>   </auth-constraint>
>   <user-data-constraint>
>     <description/>
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
> <login-config>
>   <auth-method>BASIC</auth-method>
>   <realm-name>centralData</realm-name>
> </login-config>
> <security-role>
>   <role-name>IJWAPPS</role-name>
> </security-role>
>
> I left GET out because when securing JAX-WS services, the
> @WebServiceRef would fail because it seems to try to get the real
> WSDL! Removing GET solved the problem. When I put GET in with my
> JAX-RPC service then try to access the WSDL with my browser and https,
> it asks me for a username/password. Once I enter the correct
> information it tells me HTTP 403 access denied! This is the same
> realm/username/password used by my JAX-WS service, so it should work.
>
>
> Thanks,
> Ryan
>
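Added example, not part of the original messages: a small Python audit of the quoted security-constraint that classifies each HTTP method over http and https, mirroring the two WebUserDataPermission entries in the server log (listed methods carry :CONFIDENTIAL, the "!" entry for unlisted methods does not). The function names are hypothetical, URL-pattern matching is omitted because the page's pattern is /*, and only a single constraint is modelled, as on the page.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint quoted in the message, without XML namespace.
WEB_XML = """<web-app><security-constraint>
  <web-resource-collection>
    <url-pattern>/*</url-pattern>
    <http-method>PUT</http-method><http-method>HEAD</http-method>
    <http-method>POST</http-method><http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method><http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>IJWAPPS</role-name></auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint></web-app>"""

ALL_METHODS = ("GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "TRACE")

def load_constraints(xml_text):
    """Return one (methods, has_auth, transport) tuple per security-constraint."""
    found = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        methods = {m.text.strip().upper() for m in sc.iter("http-method")}
        has_auth = sc.find("auth-constraint") is not None
        tg = sc.findtext("user-data-constraint/transport-guarantee", "NONE").strip()
        found.append((methods, has_auth, tg))
    return found

def evaluate(constraints, method, secure):
    """Classify one request as 'needs-tls', 'auth-required' or 'unconstrained'."""
    for methods, has_auth, tg in constraints:
        # No http-method elements means the constraint covers every method.
        if methods and method.upper() not in methods:
            continue
        if tg in ("CONFIDENTIAL", "INTEGRAL") and not secure:
            return "needs-tls"  # the failed WebUserDataPermission check in the log
        return "auth-required" if has_auth else "unconstrained"
    return "unconstrained"

def report(constraints):
    """Map (method, scheme) to the outcome, for every common HTTP method."""
    return {(m, s): evaluate(constraints, m, s == "https")
            for m in ALL_METHODS for s in ("http", "https")}

if __name__ == "__main__":
    for key, outcome in sorted(report(load_constraints(WEB_XML)).items()):
        print(key, outcome)
```

POST over http comes out as needs-tls, which matches the client being refused on port 8080, while GET is unconstrained on both schemes because it is not listed in the constraint.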