Could not get authentication in stateless session bean sample working (J2EE 1.4 RI)

From: Merten Schumann <>
Date: Thu, 15 Jul 2004 09:13:17 +0200

[first asked at ...]

Following the nice J2EE 1.4 tutorial I created the HelloSessionBean
stateless session bean sample web service in Sun's J2EE 1.4 RI.

Now I want to add authentication. Idea is to store some data in the web
service per user, so I do need the user name. :-)

In SOAP clients, utilizing JAX-RPC ("Dynamic Invocation Client") or MS
WebToolkit, I try to set authentication data (user, pwd).

In the bean, I have some code to evaluate the user principal which I do
get from SessionContext.
Getting SessionContext and all via the bean's setSessionContext()
method works fine.

The problem is, I do always get the ANONYMOUS user from

I think I followed the steps to enable basic authentication in the
tutorial correctly. With admin web page I created some users. With
deploytool I added a role to my service and mapped some users to the
role. Is there anything more to do?

BTW: in case someone else runs into this problem: deploytool always
shows the default admin server (port 4848) in the tree, even if you
specified a different port at installation time. I found that my users
(step "map users to roles") was not been shown, when I had the default
admin server in the tree. I had to remove ("remove server") it to get
things working.

BTW: in case someone else runs into this problem: in deploytool, tab
"Security" for the bean often doesn't worked for me, message "error
obtaining the list of methods ... java.lang.RuntimeException". Works
when you go up in the tree to your .jar, press there the "Edit contents"
button (change nothing, just leave with OK), step back to the bean,
"Security" tab will probably work now and present the list of methods.

This is my sun-application.xml file

This is from ejb-jar.xml

It seems, the server doesn't require the authentication or so. I can set
in my client no or wrong authentication data and still get access to my
web service, can call the sayHello method and the beast returns "user is
ANONYMOUS" ... I tried to trace the communication. I expected there
something like "[Server] autentication expected ..." ... "[Client] here
is authentication data ...", but there's nothing.

This would be fine: access to ?WSDL is free, but calling methods
requires authentication. Then I do expect in my stateless session bean
implementing the web service all the time the correct user. With
"correct" I mean: as far as I understood a stateless session bean serves
at a time for client A and next time probably for a way different client
B. I hope, if my methods check at invocation time the
SessionContext.getCallerPrincipal() stuff, that they can separate the

Could anyone help me here? How to force the stateless session bean web
service to require client authentication???

Maybe this is the wrong discussion group for that. If so, please direct
me to the correct one.

Thank you!

To unsubscribe, e-mail:
For additional commands, e-mail: