users@glassfish.java.net

Re: EJB web service security question

From: Jitendra Kotamraju <Jitendra.Kotamraju_at_Sun.COM>
Date: Tue, 02 Feb 2010 17:30:57 -0800

glassfish_at_javadesktop.org wrote:
> Hello all,
> I have an EJB 3.1 web service deployed in glassfish 3. I am trying to apply security to this service.
>
> These are the steps I took so far:
> - added @DeclareRoles and @RolesAllowed annotations to my web service
>
> -------------------
> @Stateless
> @WebService(endpointInterface="TestService")
> @Local(TestService.class)
> @DeclareRoles({"test"})
> @RolesAllowed("test")
> public class TestServiceImpl implements TestService{
> -------------------
>
> - added the user "test" in Glassfish security under the file realm
> - enabled SecurityManager and DefaultPrincipalToRoleMapping in glassfish
> - added the following in sun-ejb-jar.xml
> ----------------------
> <enterprise-beans>
>   <ejb>
>     <ejb-name>TestServiceImpl</ejb-name>
>     <webservice-endpoint>
>       <port-component-name>TestServiceImpl</port-component-name>
>       <login-config>
>         <auth-method>BASIC</auth-method>
>         <realm>default</realm>
>       </login-config>
>     </webservice-endpoint>
>   </ejb>
> </enterprise-beans>
> ------------------
>
>
> When accessing the web service methods, either through the webservice tester or through another application (I am using SoapUI), I receive a SOAP error message instead of an "expected" login form.
>
> <faultcode>S:Server</faultcode>
> <faultstring>java.lang.Exception: Client not authorized for invocation of public java.util.List test.TestServiceImpl.getAllBrands()</faultstring>
> ...
>
Maybe the server is not returning the correct HTTP status code. What's
the HTTP status code?
Also, if the correct Basic auth header is sent, is the EJB method invoked?

Jitu
>
> Can anybody help me understand why this happens, and what I can do about it?
>
>
> Thanks in advance.
> [Message sent by forum member 'stefancatalin' (catalin.stefan_at_yahoo.com)]
>
> http://forums.java.net/jive/thread.jspa?messageID=384224
>
>
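Added example (not part of the original messages): a small probe that answers the two questions in the reply, namely which HTTP status the endpoint returns without credentials and whether the call goes through once a Basic auth header is sent. The endpoint URL, the namespace and the password are placeholders, since the thread gives none of them.

```python
import base64
import urllib.error
import urllib.request

# Placeholders: the thread states neither the endpoint URL nor the namespace.
ENDPOINT = "http://localhost:8080/PLACEHOLDER-endpoint-path"
SOAP_BODY = (
    '<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">'
    '<S:Body><ns:getAllBrands xmlns:ns="urn:placeholder-namespace"/></S:Body>'
    "</S:Envelope>"
)

def basic_auth_header(user, password):
    """Value of the Authorization header for HTTP Basic (RFC 7617)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")

def probe(url, user=None, password=None, timeout=10):
    """POST the SOAP request; return (status, WWW-Authenticate, body)."""
    headers = {"Content-Type": "text/xml; charset=utf-8", "SOAPAction": '""'}
    if user is not None:
        headers["Authorization"] = basic_auth_header(user, password)
    req = urllib.request.Request(url, data=SOAP_BODY.encode("utf-8"),
                                 headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return (resp.status, resp.headers.get("WWW-Authenticate"),
                    resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry the answer
        return (err.code, err.headers.get("WWW-Authenticate"),
                err.read().decode("utf-8", "replace"))

def diagnose(status, www_authenticate, body):
    """Classify one response in terms of the two questions in the reply."""
    if status == 401 and (www_authenticate or "").lower().startswith("basic"):
        return "challenge: server asks for Basic credentials"
    if status == 401:
        return "401 without a Basic challenge: client is not told how to log in"
    if "Client not authorized" in body:
        return "fault: container refused the call without a 401 challenge"
    if status == 200:
        return "invoked: the EJB method ran"
    return f"other: HTTP {status}"

if __name__ == "__main__":
    for user, pw in ((None, None), ("test", "CHANGE-ME")):  # placeholder password
        status, challenge, body = probe(ENDPOINT, user, pw)
        print(user or "anonymous", status, challenge, "->",
              diagnose(status, challenge, body))
```

A "fault" result on the anonymous request together with "invoked" on the authenticated one means the roles are enforced but the endpoint never sends the 401 that makes a client prompt for a login.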