I'm trying to secure a simple webservice/ejb but I think I'm not
understanding how things work very well. I have a JDBC realm working and it is
being used in a webapp. Now I'm trying to secure the ejb/webservice. My realm
has the following groups: "Administrator", "User".
From what I understood after reading a lot of posts, if I check "Default
Principal To Role Mapping" and use the realm groups in
@RolesAllowed/@DeclareRoles, authentication should work. I won't need the
sun-whatever.xml files. Is that correct? I have the following webservice,
sayHello works but it always returns Hello User, even if I call the service
with an administrator (testing with SoapUI). saySecureHello always gives me
an exception "java.lang.Exception: Client not authorized for invocation". Can
you guys tell me what I'm missing?

HelloService.java

...
@Singleton
@LocalBean
@WebService
@DeclareRoles("Administrator")
public class HelloService implements Hello {

    @Resource
    WebServiceContext ctx;

    @PermitAll
    public String sayHello() {
        if (ctx.isUserInRole("Administrator")) {
            return "Hello Admin!!!";
        } else {
            return "Hello User!!!";
        }
    }

    @RolesAllowed("Administrator")
    public String saySecureHello() {
        return "Hello " + ctx.getUserPrincipal().getName() + "!!!!";
    }
}

--
[Message sent by forum member 'fawzib']
View Post: http://forums.java.net/node/832305