users@glassfish.java.net

Re: EJB web service security question

From: Kumar Jayanti <Vbkumar.Jayanti_at_Sun.COM>
Date: Wed, 03 Feb 2010 13:00:26 +0530

Vincent Deschênes wrote:
> A user is not a role.
> You need to have a user which is granted the role "test".
>
> Also, you should look at using usernameToken security instead of basic http authentication.
>
You do not need UsernameToken Security; even BASIC Auth should be fine.

regards,
kumar

> To do so you need to remove the login-config from your sun-ejb-jar.xml file and create a wsit file in the META-INF directory.
> The name of the wsit file is important: it is wsit-package.name.class.name.xml
>
> Here is a sample wsit file for an ejb called FepInterfaceService.
>
> wsit-com.stelvio.ejb.FepInterfaceService.xml
>
> <?xml version="1.0" encoding="UTF-8"?>
> <definitions
> xmlns="http://schemas.xmlsoap.org/wsdl/"
> xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
> xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
> name="FepInterfaceService"
> targetNamespace="http://FepInterfaceService/"
> xmlns:tns="http://FepInterfaceService/"
> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsaws="http://www.w3.org/2005/08/addressing"
> xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy"
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
> >
>
> <portType name="FepInterfaceService">
> <operation name="operation">
> <input message="tns:operation"/>
> <output message="tns:operationResponse"/>
> </operation>
> </portType>
>
>
> <binding name="FepInterfaceServicePortBinding" type="tns:FepInterfaceService">
> <wsp:PolicyReference URI="#FepInterfaceServiceService_Policy"/>
> </binding>
> <service name="FepInterfaceServiceService">
> <port name="FepInterfaceServicePort" binding="tns:FepInterfaceServicePortBinding"/>
> </service>
> <wsp:Policy wsu:Id="FepInterfaceServiceService_Policy">
> <wsp:ExactlyOne>
> <wsp:All>
> <sp:SupportingTokens>
> <wsp:Policy>
> <sp:UsernameToken
> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
> <wsp:Policy>
> <sp:WssUsernameToken10/>
> </wsp:Policy>
> </sp:UsernameToken>
> </wsp:Policy>
> </sp:SupportingTokens>
> </wsp:All>
> </wsp:ExactlyOne>
> </wsp:Policy>
> </definitions>
>
>
> When using usernameToken security with soapUI, right-click on your request to "add WSS Username Token".
>
> But your problem seems to only be that your user is not granted the "test" role.
>
> VD
>
> -----Original Message-----
> From: Jitendra.Kotamraju_at_Sun.COM [mailto:Jitendra.Kotamraju_at_Sun.COM]
> Sent: Tuesday, February 02, 2010 8:31 PM
> To: users_at_glassfish.dev.java.net
> Subject: Re: EJB web service security question
>
> glassfish_at_javadesktop.org wrote:
>
>> Hello all,
>> I have an EJB 3.1 web service deployed in glassfish 3. I am trying to apply security to this service.
>>
>> These are the steps I took so far:
>> - added @DeclareRoles and @RolesAllowed annotations to my web service
>>
>> -------------------
>> @Stateless
>> @WebService(endpointInterface="TestService")
>> @Local(TestService.class)
>> @DeclareRoles({"test"})
>> @RolesAllowed("test")
>> public class TestServiceImpl implements TestService{
>> -------------------
>>
>> - added the user "test" in Glassfish security under the file realm
>> - enabled SecurityManager and DefaultPrincipalToRoleMapping in glassfish
>> - added the following in sun-ejb-jar.xml
>> ----------------------
>> <enterprise-beans>
>> <ejb>
>> <ejb-name>TestServiceImpl</ejb-name>
>> <webservice-endpoint>
>> <port-component-name>TestServiceImpl</port-component-name>
>> <login-config>
>> <auth-method>BASIC</auth-method>
>> <realm>default</realm>
>> </login-config>
>> </webservice-endpoint>
>> </ejb></enterprise-beans>
>> ------------------
>>
>>
>> When accessing the web service methods, either through the webservice tester or through another application (I am using SoapUI), I receive a soap error message instead of an "expected" login form.
>
>> <faultcode>S:Server</faultcode>
>> <faultstring>java.lang.Exception: Client not authorized for invocation of public java.util.List test.TestServiceImpl.getAllBrands()</faultstring>
>> ...
>>
>>
> Maybe the server is not returning the correct HTTP status code. What's the HTTP status code?
> Also, if the correct Basic auth header is sent, is the EJB method invoked?
>
> Jitu
>
>> Can anybody help me understand why this happens, and what I can do about it?
>>
>>
>> Thanks in advance.
>> [Message sent by forum member 'stefancatalin' (catalin.stefan_at_yahoo.com)]
>>
>> http://forums.java.net/jive/thread.jspa?messageID=384224
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
>> For additional commands, e-mail: users-help_at_glassfish.dev.java.net
>
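As an added illustration of the point made above (a user is not a role, and the "test" role must be granted to something the realm knows), here is a sun-ejb-jar.xml that keeps the BASIC login-config from the original message and adds an explicit security-role-mapping. This is not a file from the thread; the group name "test", the realm name "default" and the omission of the DOCTYPE are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed example, not taken from the thread. DOCTYPE omitted. -->
<sun-ejb-jar>
  <!-- Grants the role used in @RolesAllowed("test") to every member of
       the file-realm group "test" (group name is an assumption). -->
  <security-role-mapping>
    <role-name>test</role-name>
    <group-name>test</group-name>
    <!-- A single user could be mapped directly instead with
         <principal-name>test</principal-name>, but group mapping
         keeps user administration out of the deployment descriptor. -->
  </security-role-mapping>
  <enterprise-beans>
    <ejb>
      <ejb-name>TestServiceImpl</ejb-name>
      <webservice-endpoint>
        <port-component-name>TestServiceImpl</port-component-name>
        <!-- BASIC auth against the "default" realm, as in the original post.
             Credentials travel in cleartext unless the endpoint is on HTTPS. -->
        <login-config>
          <auth-method>BASIC</auth-method>
          <realm>default</realm>
        </login-config>
      </webservice-endpoint>
    </ejb>
  </enterprise-beans>
</sun-ejb-jar>
```

With DefaultPrincipalToRoleMapping enabled, GlassFish already treats a group named "test" as the role "test", so the explicit mapping is only needed when the names differ; in either case the file-realm user must belong to that group (for example, created with `asadmin create-file-user --groups test test`).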