users@glassfish.java.net

RE: EJB web service security question

From: Vincent Deschênes <vdeschenes_at_stelvio.com>
Date: Tue, 2 Feb 2010 21:34:03 -0500

A user is not a role.
You need to have a user which is granted the role "test".

Also, you should look at using usernameToken security instead of basic http authentication.

To do so you need to remove the login-config from your sun-ejb-jar.xml file and create a wsit file in META-INF directory.
The name of the wsit file is important, it is wsit-package.name.class.name.xml

Here is a sample wsit file for an ejb called FepInterfaceService.

wsit-com.stelvio.ejb.FepInterfaceService.xml

<?xml version="1.0" encoding="UTF-8"?>
<definitions
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    name="FepInterfaceService"
    targetNamespace="http://FepInterfaceService/"
    xmlns:tns="http://FepInterfaceService/"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsaws="http://www.w3.org/2005/08/addressing"
    xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">

    <portType name="FepInterfaceService">
        <operation name="operation">
            <input message="tns:operation"/>
            <output message="tns:operationResponse"/>
        </operation>
    </portType>

    <binding name="FepInterfaceServicePortBinding" type="tns:FepInterfaceService">
        <wsp:PolicyReference URI="#FepInterfaceServiceService_Policy"/>
    </binding>
    <service name="FepInterfaceServiceService">
        <port name="FepInterfaceServicePort" binding="tns:FepInterfaceServicePortBinding"/>
    </service>
    <wsp:Policy wsu:Id="FepInterfaceServiceService_Policy">
        <wsp:ExactlyOne>
            <wsp:All>
                <sp:SupportingTokens>
                    <wsp:Policy>
                        <sp:UsernameToken
                            sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                            <wsp:Policy>
                                <sp:WssUsernameToken10/>
                            </wsp:Policy>
                        </sp:UsernameToken>
                    </wsp:Policy>
                </sp:SupportingTokens>
            </wsp:All>
        </wsp:ExactlyOne>
    </wsp:Policy>
</definitions>


When using usernameToken security with soapUI right click on your request to "add WSS Username Token".

But your problem seems to only be that your user is not granted the "test" role.

VD
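The following is an added model of the two points above (the user must hold the role, and a UsernameToken header instead of HTTP Basic); it is constructed example code, not GlassFish or Metro code. The realm entries, passwords and the `envelope_for` helper are assumptions; the group-name-equals-role-name rule is how GlassFish's DefaultPrincipalToRoleMapping behaves.

```python
import hmac
import xml.etree.ElementTree as ET

NS = {
    "S": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
}
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")

# Constructed stand-in for the file realm: user -> (password, groups). "test"
# is the poster's situation: the user exists but is in no group, so it holds no role.
FILE_REALM = {
    "test": ("secret", set()),
    "alice": ("hunter2", {"test"}),  # granted role "test" via group "test"
}
ROLES_ALLOWED = {"test"}  # what @RolesAllowed("test") declares

def parse_username_token(envelope):
    """Return (username, password) from the wsse:UsernameToken header, or None."""
    root = ET.fromstring(envelope)
    token = root.find("S:Header/wsse:Security/wsse:UsernameToken", NS)
    if token is None:
        return None
    return (token.findtext("wsse:Username", namespaces=NS),
            token.findtext("wsse:Password", namespaces=NS))

def authorize(envelope):
    """Container-style decision: 'ok', 'unauthenticated' or 'not authorized'."""
    creds = parse_username_token(envelope)
    entry = FILE_REALM.get(creds[0]) if creds else None
    if entry is None or not hmac.compare_digest(creds[1] or "", entry[0]):
        return "unauthenticated"
    # DefaultPrincipalToRoleMapping: each group name doubles as a role name;
    # the user's own name is never a role, which is the point made above.
    if entry[1] & ROLES_ALLOWED:
        return "ok"
    return "not authorized"  # surfaces as "Client not authorized for invocation"

def envelope_for(user, password):
    """Constructed request in the shape soapUI's 'add WSS Username Token' sends."""
    return (
        '<S:Envelope xmlns:S="%s"><S:Header><wsse:Security xmlns:wsse="%s">'
        '<wsse:UsernameToken><wsse:Username>%s</wsse:Username>'
        '<wsse:Password Type="%s">%s</wsse:Password></wsse:UsernameToken>'
        '</wsse:Security></S:Header><S:Body/></S:Envelope>'
        % (NS["S"], NS["wsse"], user, PASSWORD_TEXT, password))
```

Running `authorize(envelope_for("test", "secret"))` reproduces the poster's fault ("not authorized"), while a user that is actually in group "test" gets "ok".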

-----Original Message-----
From: Jitendra.Kotamraju_at_Sun.COM [mailto:Jitendra.Kotamraju_at_Sun.COM]
Sent: Tuesday, February 02, 2010 8:31 PM
To: users_at_glassfish.dev.java.net
Subject: Re: EJB web service security question

glassfish_at_javadesktop.org wrote:
> Hello all,
> I have a EJB 3.1 web service deployed in glassfish 3. I am trying to apply security to this service.
>
> These are the steps I took so far:
> - added @DeclareRoles and @RolesAllowed annotations to my web service
>
> -------------------
> @Stateless
> @WebService(endpointInterface="TestService")
> @Local(TestService.class)
> @DeclareRoles({"test"})
> @RolesAllowed("test")
> public class TestServiceImpl implements TestService{
> -------------------
>
> - added the user "test" in Glassfish security under the file realm
> - enabled SecurityManager and DefaultPrincipalToRoleMapping in glassfish
> - added the following in sun-ejb-jar.xml
> ----------------------
> <enterprise-beans>
> <ejb>
> <ejb-name>TestServiceImpl</ejb-name>
> <webservice-endpoint>
> <port-component-name>TestServiceImpl</port-component-name>
> <login-config>
> <auth-method>BASIC</auth-method>
> <realm>default</realm>
> </login-config>
> </webservice-endpoint>
> </ejb></enterprise-beans>
> ------------------
>
>
> When accessing the web service methods, either through the webservice tester or through another application (I am using SoapUI), I
> receive a soap error message instead of an "expected" login form.
>
> <faultcode>S:Server</faultcode>
> <faultstring>java.lang.Exception: Client not authorized for invocation of public java.util.List
> test.TestServiceImpl.getAllBrands()</faultstring>
> ...
>
Maybe the server is not returning the correct HTTP status code. What's
the HTTP status code?
Also, if the correct Basic auth header is sent, is the EJB method invoked ?

Jitu
>
> Can anybody help me understand why this happens, and what I can do about it?
>
>
> Thanks in advance.
> [Message sent by forum member 'stefancatalin' (catalin.stefan_at_yahoo.com)]
>
> http://forums.java.net/jive/thread.jspa?messageID=384224
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
> For additional commands, e-mail: users-help_at_glassfish.dev.java.net
>
>
