users@glassfish.java.net

Re: EJB web service security question

From: <glassfish_at_javadesktop.org>
Date: Wed, 03 Feb 2010 01:35:38 PST

> Jitendra Kotamraju wrote:
> > glassfish_at_javadesktop.org wrote:
> >> Hello all,
> >> I have an EJB 3.1 web service deployed in glassfish 3. I am trying to
> >> apply security to this service.
> >>
> >> These are the steps I took so far:
> >> - added @DeclareRoles and @RolesAllowed annotations to my web service
> >>
> >> -------------------
> >> import javax.annotation.security.DeclareRoles;
> >> import javax.annotation.security.RolesAllowed;
> >> import javax.ejb.Local;
> >> import javax.ejb.Stateless;
> >> import javax.jws.WebService;
> >>
> >> @Stateless
> >> @WebService(endpointInterface="TestService")
> >> @Local(TestService.class)
> >> @DeclareRoles({"test"})
> >> @RolesAllowed("test")
> >> public class TestServiceImpl implements TestService {
> >> -------------------
> >>
> >> - added the user "test" in Glassfish security under the file realm
> You also need to make sure that the user "test" belongs to a Group "test".
> Only then the DefaultPrincipalToRoleMapping will work. I am assuming you
> are missing this step.
>
> regards,
> kumar
>


Awesome, that solved my problem. I was assuming that in @DeclareRoles and @RolesAllowed, we can have both users and groups.

I added the user test to the group admin, and set @DeclareRoles({"admin"}) @RolesAllowed("admin"), and it worked like a charm.

Thanks to all who answered.



> >> - enabled SecurityManager and DefaultPrincipalToRoleMapping in glassfish
> >> - added the following in sun-ejb-jar.xml
> >> ----------------------
> >> <sun-ejb-jar>
> >>   <enterprise-beans>
> >>     <ejb>
> >>       <ejb-name>TestServiceImpl</ejb-name>
> >>       <webservice-endpoint>
> >>         <port-component-name>TestServiceImpl</port-component-name>
> >>         <login-config>
> >>           <auth-method>BASIC</auth-method>
> >>           <realm>default</realm>
> >>         </login-config>
> >>       </webservice-endpoint>
> >>     </ejb>
> >>   </enterprise-beans>
> >> </sun-ejb-jar>
> >> ------------------
> >>
> >>
> >> When accessing the web service methods, either through the webservice
> >> tester or through another application (I am using SoapUI), I receive
> >> a soap error message instead of an "expected" login form.
> >>
> >> <faultcode>S:Server</faultcode>
> >> <faultstring>java.lang.Exception: Client not authorized for
> >> invocation of public java.util.List
> >> test.TestServiceImpl.getAllBrands()</faultstring>
> >> ...
> >>
> > Maybe the server is not returning the correct HTTP status code.
> > What's the HTTP status code?
> > Also, if the correct Basic auth header is sent, is the EJB method
> > invoked?
> >
> > Jitu
> >>
> >> Can anybody help me understand why this happens, and what I can do
> >> about it?
> >>
> >>
> >> Thanks in advance.
> >> [Message sent by forum member 'stefancatalin'
> >> (catalin.stefan_at_yahoo.com)]
> >>
> >>
> >> http://forums.java.net/jive/thread.jspa?messageID=384224
> >>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
> >> For additional commands, e-mail: users-help_at_glassfish.dev.java.net
[Message sent by forum member 'stefancatalin' (catalin.stefan_at_yahoo.com)]

http://forums.java.net/jive/thread.jspa?messageID=384447
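The fix in the thread works because DefaultPrincipalToRoleMapping grants a role to every principal and group that carries the same name, so the role "test" only becomes effective once a group "test" exists. The alternative that does not require renaming groups, or reusing a shared group such as "admin" whose other members would inherit the role, is an explicit security-role-mapping in sun-ejb-jar.xml. The descriptor below is an added example, not the original poster's file: it keeps the @RolesAllowed("test") annotation from the thread and maps that role to an assumed group "testers"; the realm name "file" is the default file realm of a stock GlassFish 3 domain (the thread used "default"), and the DOCTYPE is the GlassFish 3 sun-ejb-jar DTD.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD GlassFish Application Server 3.0 EJB 3.1//EN"
  "http://www.sun.com/software/appserver/dtds/sun-ejb-jar_3_1-0.dtd">
<sun-ejb-jar>
  <!-- Explicit role-to-group mapping. With this in place the role name used in
       @DeclareRoles / @RolesAllowed no longer has to equal a group name, and
       DefaultPrincipalToRoleMapping is not needed for this module.
       "testers" is an assumed group name for this example; create the user with
         asadmin create-file-user --groups testers test
       so that the caller "test" carries the group the role is mapped to. -->
  <security-role-mapping>
    <role-name>test</role-name>
    <group-name>testers</group-name>
  </security-role-mapping>

  <enterprise-beans>
    <ejb>
      <ejb-name>TestServiceImpl</ejb-name>
      <webservice-endpoint>
        <port-component-name>TestServiceImpl</port-component-name>
        <!-- BASIC auth as in the original post, against the file realm
             ("file" is the realm name in a default GlassFish 3 domain). -->
        <login-config>
          <auth-method>BASIC</auth-method>
          <realm>file</realm>
        </login-config>
        <!-- BASIC sends the password base64-encoded, not encrypted, so require
             TLS for this endpoint. -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </webservice-endpoint>
    </ejb>
  </enterprise-beans>
</sun-ejb-jar>
```

To verify the mapping, do the check Jitu asked for: send the same SOAP request from SoapUI once without credentials and once with user "test". An HTTP 401 on the unauthenticated call shows the login-config is enforced before the bean is reached; a 200 carrying the "Client not authorized" fault means the request reached the bean as an unauthenticated or wrongly-grouped caller and the EJB container, not the HTTP layer, rejected it. With the correct credentials the call should return the getAllBrands() result, and a second file-realm user who is not in "testers" should still get the authorization fault.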