users@glassfish.java.net

EJB3, web service and basic authentication not working

From: <glassfish_at_javadesktop.org>
Date: Sun, 10 Oct 2010 06:38:09 PDT

Hi all,
I'm setting up a glassfish server with a single EJB3 as a mocked up backend for a POC. Everything was working fine until I went to add some basic authentication. Just plain text userid and password, nothing sophisticated for this job. I added the following annotations to the EJB:

    @WebService(name = "Banking", serviceName = "Banking", targetNamespace = BANKING_NAMESPACE)
    @DeclareRoles("user")
    @Stateless
    public class Banking {
        ...

        @RolesAllowed("user")
        @SOAPBinding(parameterStyle = ParameterStyle.BARE)
        @WebMethod(action = BANKING_NAMESPACE + "/logon", operationName = "logon")
        @WebResult(targetNamespace = XmlStrings.BANKING_MODEL_NAMESPACE)
        public LogonResponse logon(@WebParam(targetNamespace = XmlStrings.BANKING_MODEL_NAMESPACE) Logon request) throws WebServiceException {
            ...
        }
    }

According to what I've read of the EJB3 spec, this is pretty common for doing a SOAP web service.

However when I send this xml:


    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:mod="http://www.dhcbank.com/banking/model">
        <soapenv:Header>
            <wsse:Securty xmlns:wsse="http://docs.oasis-open.org/wss/200401-wss-wssecurity-secext-1.0.xsd">
                <wsse:UsernameToken wsu:Id="UsernameToken-79" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                    <wsse:Username>fred</wsse:Username>
                    <wsse:Password Type="http://docs.oasis-open.org/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">fred</wsse:Password>
                <wsse:UsernameToken>
            </wsse:Security>
        </soapenv:Header>
        <soapenv:Body>
            <mod:logon/>
        </soapenv:Body>
    </soapenv:Envelope>

I get the following error back as a SOAP fault:

    java.lang.Exception: Client not authorized for invocation of public com.dhcbank.www.banking.schema.LogonResponse com.dhcbank.www.banking.Banking.logon(com.dhcbank.www.banking.schema.Logon) throws javax.xml.ws.WebServiceException

And in the glassfish log:


    [#|2010-10-10T12:49:27.497+1100|INFO|glassfish3.0.1|javax.enterprise.system.core.security|_ThreadID=41;_ThreadName=http-thread-pool-8080-(2);|JACC Policy Provider: Failed Permission Check, context(BankingEAR/Banking_war_internal)- permission((javax.security.jacc.EJBMethodPermission Banking logon,ServiceEndpoint,com.dhcbank.www.banking.schema.Logon))|#]

In the glassfish admin screens I added a user called fred with a fred password and assigned it to a group called user. But that didn't work.

I did some more reading which suggested that I create a sun-ejb-jar.xml file and add it to the ear file. So I created it with this content:

    <sun-ejb-jar>
        <enterprise-beans>
            <ejb>
                <ejb-name>Banking</ejb-name>
                <webservice-endpoint>
                    <port-component-name>Banking</port-component-name>
                    <login-config>
                        <auth-method>BASIC</auth-method>
                        <realm>file</realm>
                    </login-config>
                </webservice-endpoint>
            </ejb>
        </enterprise-beans>
    </sun-ejb-jar>

This is, as near as I can tell, correct. However I could not find anything that told me what the value of the `port-component-name` element should be. So I don't know if I've got it right.

Security still does not appear to be working and I cannot figure out why. Does anyone have any experience with this and can point me at what I've got wrong or not done?
[Message sent by forum member 'drekka']

http://forums.java.net/jive/thread.jspa?messageID=484826
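
Added example, not part of the original post: `<auth-method>BASIC</auth-method>` in the descriptor refers to HTTP Basic authentication, where the credentials arrive in the HTTP `Authorization` header rather than in a `wsse:UsernameToken` inside the SOAP envelope. The client below sends the same `logon` body that way; the class name, endpoint URL and SOAPAction value are placeholders, since the post does not give them.

```java
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicAuthSoapCall {
    // Assumption: placeholder address; use the one GlassFish reports for the deployed endpoint.
    static final String ENDPOINT = "http://localhost:8080/PLACEHOLDER/Banking";
    // Assumption: the post only shows BANKING_NAMESPACE + "/logon", not the namespace value.
    static final String SOAP_ACTION = "\"BANKING_NAMESPACE_PLACEHOLDER/logon\"";

    // HTTP Basic: "Basic " + base64("user:password"), carried in the Authorization header.
    static String basicHeader(String user, String password) {
        byte[] pair = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(pair);
    }

    public static void main(String[] args) throws Exception {
        // Same body as in the post, but with no wsse:Security header:
        // the credentials travel at the HTTP layer instead.
        String envelope =
            "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\""
          + " xmlns:mod=\"http://www.dhcbank.com/banking/model\">"
          + "<soapenv:Header/>"
          + "<soapenv:Body><mod:logon/></soapenv:Body>"
          + "</soapenv:Envelope>";

        HttpURLConnection con = (HttpURLConnection) new URL(ENDPOINT).openConnection();
        con.setRequestMethod("POST");
        con.setDoOutput(true);
        con.setRequestProperty("Content-Type", "text/xml; charset=utf-8");
        con.setRequestProperty("SOAPAction", SOAP_ACTION);
        con.setRequestProperty("Authorization", basicHeader("fred", "fred"));
        try (OutputStream out = con.getOutputStream()) {
            out.write(envelope.getBytes(StandardCharsets.UTF_8));
        }
        // 401 means the realm rejected the credentials; a SOAP fault with
        // "Client not authorized" means the caller was not granted the role.
        System.out.println("HTTP status: " + con.getResponseCode());
    }
}
```

Basic credentials are only base64-encoded, so outside a POC the endpoint should be reached over HTTPS.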