Still trying to progress this issue; would appreciate any input/help.
It looks like a threading issue in Axis2 in that there are these calls:
Our custom receiver code (when WLS) simply calls:
super.invokeBusinessLogic(messageContextIn, messageContextOut);
which then invokes:
org.apache.axis2.rpc.receivers.RPCMessageReceiver.invokeBusinessLogic(MessageContext,
MessageContext)
org.apache.axis2.receivers.AbstractMessageReceiver.getTheImplementationObject(MessageContext)
org.apache.axis2.receivers.AbstractMessageReceiver.makeNewServiceObject(MessageContext)
org.apache.axis2.rpc.receivers.ejb.EJBUtil.makeNewServiceObject(MessageContext)
The call to makeNewServiceObject starts a new (EJBClientWorker) thread that
makes the usual RMI/EJB calls (similar to what we do with Axis 1.4); to
summarize:
org.apache.axis2.rpc.receivers.ejb.EJBUtil$EJBClientWorker.createRemoteEJB
org.apache.axis2.rpc.receivers.ejb.EJBUtil$EJBClientWorker.getEJBHome
Creates Property object for Context.SECURITY_PRINCIPAL,
Context.SECURITY_CREDENTIALS, Context.INITIAL_CONTEXT_FACTORY, &
Context.PROVIDER_URL
org.apache.axis2.rpc.receivers.ejb.EJBUtil.EJBClientWorker.getContext(Properties)
- new InitialContext(properties)
org.apache.axis2.rpc.receivers.ejb.EJBUtil.EJBClientWorker.getEJBHome(InitialContext,
String) - context.lookup(beanJndiName)
Object ehome = javax.rmi.PortableRemoteObject.narrow(ejbHome, cls);
Method createMethod = cls.getMethod("create", empty_class_array);
return createMethod.invoke(ehome, empty_object_array);
It appears that from this thread WebLogic does the JAAS authentication, calling
our login module's login() method and successfully authenticating; but, then
ending the thread and returning back to the
RPCMessageReceiver.invokeBusinessLogic() thread where it calls
org.apache.axis2.rpc.receivers.RPCUtil.invokeServiceClass(AxisMessage, Method,
Object, String, OMElement, MessageContext) that calls
java.lang.reflect.Method.invoke(Object, Object...) and then falls over because
of the WebLogic error: EJB:010160]Security Violation: User: '<anonymous>' has
insufficient permission to access EJB.
So would this be failing because the create EJB call is where WebLogic is
invoking the authentication and it's done in a different thread to the service
method invocation and thus WebLogic doesn't see the EJB invocation as
authenticated? Any ideas about this; does this analysis seem correct? Is
anyone else successfully using Axis2 with WebLogic and a login module? Would
seem hard to customize this in a general way.
Thanks,
William
From: William Walsh
Sent: Thursday, April 22, 2010 4:08 PM
To: java-user@axis.apache.org
Subject: Differences in WLS security with Axis 1.4 versus Axis2
Is anyone aware of how/why WebLogic is showing us differences between Axis 1.4
and Axis2 in how security is being processed on invocation of a service?
For Axis 1.4 we have our own provider that extends
org.apache.axis.providers.java.RPCProvider, which in its invokeMethod method
sets up a properties object to create a new InitialContext, calls
PortableRemoteObject.narrow, calls the EJB create() method, and then calls
invoke on the service method(), which works fine with WLS.
For Axis2 it looks like this same functionality is provided in EJBUtils.java
and RPCUtils.java; so, we're extending
org.apache.axis2.rpc.receivers.ejb.EJBMessageReceiver and in our
invokeBusinessLogic method, for WLS, we just invoke
super.invokeBusinessLogic(messageContextIn, messageContextOut), which results
in this error:
[ERROR] [EJB:010160]Security Violation: User: '<anonymous>' has insufficient
permission to access EJB: type=<ejb>, application=TestModel, modu
le=FacadeModule.jar, ejb=Axis2DocWebServiceTestBPO, method=simpleAdd,
methodInterface=Remote, signature={int,int}.
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:48)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
at java.lang.reflect.Method.invoke(Method.java:600)
at
org.apache.axis2.rpc.receivers.RPCUtil.invokeServiceClass(RPCUtil.java:194)
at
org.apache.axis2.rpc.receivers.RPCMessageReceiver.invokeBusinessLogic(RPCMessageReceiver.java:102)
at
curam.util.connectors.axis2.CuramMessageReceiver.invokeBusinessLogic(CuramMessageReceiver.java:54)
at
org.apache.axis2.receivers.AbstractInOutMessageReceiver.invokeBusinessLogic(AbstractInOutMessageReceiver.java:40)
at
org.apache.axis2.receivers.AbstractMessageReceiver.receive(AbstractMessageReceiver.java:114)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:173)
at
org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:167)
at
org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:142)
The jndiUser and jndiPassword parameters in services.xml and server-config.wsdd
are equivalent and are both against same WLS system, same ear, different war
files.
I have added runAs code to our Receiver for the WLS JAAS configuration with
some success; but we never had to do this for Axis 1.4. Any ideas why we are
seeing this difference?
Thanks,
William
The information in this email is confidential and may be legally privileged.
It is intended solely for the addressee. Access to this email by anyone else
is unauthorized. If you are not the intended recipient, any disclosure,
copying, distribution or any action taken or omitted to be taken in reliance
on it, is prohibited and may be unlawful. If you are not the intended
addressee please contact the sender and dispose of this e-mail. Thank you.
