26/03/2008

WebService Authentication under JBoss

In my business project there is a need to enforce declarative security on EJB3 Session Beans exposed as WebServices. The project is deployed under JBoss AS 4.0.5.GA with JBossWS 1.2.0.SP1. After a brief investigation, a quick solution was found.

HTTP BASIC Authentication with EJB3 Endpoints



The Axis client supports HTTP BASIC authentication when invoking web services (see the previous article), so there should be some way to enable it on the server side.

For EJB web service endpoints, JBossWS generates and deploys a web application, so the Session Beans are mapped to Servlets.

Let's look at an example of an SLSB exposed as a WebService (the HelloIntf interface, which carries the @WebService annotations omitted here, is generated from the WSDL and is not listed):
import javax.annotation.security.DeclareRoles;
import javax.ejb.SessionContext;
import javax.ejb.TransactionManagement;

@javax.ejb.Local(HelloIntf.class)
@javax.ejb.Stateless(name = "HelloPort")
@javax.jws.WebService(endpointInterface = "HelloIntf")
@TransactionManagement
@DeclareRoles({"foo","bar"})
// JBoss-specific: maps the endpoint to /services/hello and enables HTTP BASIC auth
@org.jboss.ws.annotation.WebContext(
    contextRoot = "/services",
    urlPattern = "/hello",
    authMethod = "BASIC")
public class HelloBean implements HelloIntf {

    // injected by the container; gives access to the authenticated caller
    @javax.annotation.Resource
    private SessionContext ctx;

    // only callers holding role "foo" or "bar" may invoke this method
    @javax.annotation.security.RolesAllowed({"foo","bar"})
    public String sayHello() {
        return "Hello, " + ctx.getCallerPrincipal().getName();
    }

}


The bean defined above will be deployed at http://localhost:8080/services/hello.
JBossWS actually generates web.xml by processing the annotations; the following is added to web.xml:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>HelloPort</web-resource-name>
        <url-pattern>/hello</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>EJBServiceEndpointServlet Realm</realm-name>
</login-config>

Unfortunately, the realm name is predefined (hardcoded in the JBossWS code) and cannot be changed (in JBossWS 1.2.0.SP1). So we may either configure the default application-policy called "other" in login-config.xml to meet our needs, or add a new application-policy element with name="EJBServiceEndpointServlet Realm" (but the second solution does not work, for an unknown reason).
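As an added example (not from the original post), here is what the "other" application-policy in JBoss AS 4.0.x login-config.xml can look like when backed by the properties-file login module that JBoss ships with, so that the "foo" and "bar" roles declared on HelloBean resolve to real users. The module class and option names are the standard ones from JBoss; the usernames, passwords and file paths are constructed placeholders.

```xml
<!-- login-config.xml: the "other" policy is used because the JBossWS realm name
     "EJBServiceEndpointServlet Realm" has no policy of its own -->
<application-policy name="other">
    <authentication>
        <!-- UsersRolesLoginModule reads users and roles from properties files
             found on the classpath (e.g. in conf/ or the deployment's WEB-INF/classes) -->
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                      flag="required">
            <!-- constructed paths; defaults are users.properties / roles.properties -->
            <module-option name="usersProperties">props/ws-users.properties</module-option>
            <module-option name="rolesProperties">props/ws-roles.properties</module-option>
        </login-module>
    </authentication>
</application-policy>

<!-- props/ws-users.properties (constructed sample), one "user=password" per line:
     alice=changeme
     bob=changeme
-->
<!-- props/ws-roles.properties (constructed sample), one "user=role1,role2" per line;
     these role names must match @DeclareRoles / @RolesAllowed on the bean:
     alice=foo
     bob=bar
-->
```

Two things worth checking in this setup. First, the generated auth-constraint uses role-name "*", which admits any authenticated user; the actual authorization decision for sayHello() is made by the method-level @RolesAllowed, so a user who authenticates but holds neither "foo" nor "bar" gets an EJBAccessException rather than a hello. Second, BASIC sends the password base64-encoded, not encrypted, on every request, so the /services context should only be reachable over an HTTPS connector in anything but a local test.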

1 comment:

  1. I was successful in using JBossWS application policy by adding this annotation:

    @org.jboss.ejb3.annotation.SecurityDomain(value = "JBossWS")

    (JBoss 5.1.0-GA)

