abhi0123 [https://community.jboss.org/people/abhi0123] created the discussion
"JBoss not honoring @PermitAll - defect?"

To view the discussion, visit: https://community.jboss.org/message/729514#729514

--------------------------------------------------------------

I have an EJB3 WebService Endpoint secured using @DeclareRoles and @RolesAllowed. It is packaged as a war, with deployment descriptors jboss-ejb3.xml and jboss-webservices.xml. When I invoke a method marked @PermitAll from the standalone client, it fails with a 401 response. The method invocation is successful when credentials are provided. The problem is, credentials should not be required for a method marked @PermitAll.

I have intentionally omitted the handler code for brevity. If someone wants to see it, I'll provide it in a follow-up post.

*TimeService.java*

    import javax.annotation.security.DeclareRoles;
    import javax.annotation.security.PermitAll;
    import javax.annotation.security.RolesAllowed;
    import javax.ejb.Stateless;
    import javax.jws.HandlerChain;
    import javax.jws.WebMethod;
    import javax.jws.WebService;

    @Stateless
    @WebService(name = "Time", serviceName = "TimeService", portName = "TimeServicePort")
    @HandlerChain(file = "handler-chain.xml")
    @DeclareRoles({ "AppUser" })
    public class TimeService {

        // Should be callable without credentials: no role is required.
        @WebMethod
        @PermitAll
        public Time getCurrentTime() {
            return new Time();
        }

        /* HttpBasicAuthenticationHandler authenticates this request */
        @WebMethod
        public Time getCurrentTimeAfterHttpBasicAuthentication() {
            return getCurrentTime();
        }

        // Declarative authorization: caller must be in the AppUser role.
        @WebMethod
        @RolesAllowed("AppUser")
        public Time getCurrentTimeAfterDeclarativeRoleBasedAuthorization() {
            return getCurrentTime();
        }
    }

*handler-chain.xml* (located in the same directory as the WebService Endpoint above)

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <javaee:handler-chains xmlns:javaee="http://java.sun.com/xml/ns/javaee"
                           xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <javaee:handler-chain>
            <javaee:handler>
                <javaee:handler-class>edu.certification.abhijitsarkar.ocewsd.jaxws.utility.handler.SOAPRequestHandler</javaee:handler-class>
            </javaee:handler>
            <javaee:handler>
                <javaee:handler-class>edu.certification.abhijitsarkar.ocewsd.jaxws.ejb.webservice.handler.HttpBasicAuthenticationHandler</javaee:handler-class>
            </javaee:handler>
            <javaee:handler>
                <javaee:handler-class>edu.certification.abhijitsarkar.ocewsd.jaxws.ejb.webservice.handler.ProgrammaticAuthenticationHandler</javaee:handler-class>
            </javaee:handler>
        </javaee:handler-chain>
    </javaee:handler-chains>

*jboss-ejb3.xml*

    <?xml version="1.1" encoding="UTF-8"?>
    <jboss:ejb-jar xmlns:jboss="http://www.jboss.com/xml/ns/javaee"
                   xmlns="http://java.sun.com/xml/ns/javaee"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xmlns:c="urn:clustering:1.0"
                   xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee http://www.jboss.org/j2ee/schema/jboss-ejb3-2_0.xsd
                                       http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_1.xsd"
                   version="3.1" impl-version="2.0">
        <assembly-descriptor xmlns="http://java.sun.com/xml/ns/javaee">
            <security:security xmlns:security="urn:security">
                <!-- domain name set up in JBoss $JBOSS_HOME/standalone/configuration/standalone.xml -->
                <security:security-domain>other</security:security-domain>
                <ejb-name>TimeService</ejb-name>
            </security:security>
        </assembly-descriptor>
    </jboss:ejb-jar>

*jboss-webservices.xml*

    <webservices xmlns="http://www.jboss.com/xml/ns/javaee"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 version="1.0"
                 xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee http://www.jboss.org/j2ee/schema/jboss_webservices_1_0.xsd">
        <context-root>/jaxws-ejb-1.0</context-root>
        <port-component>
            <ejb-name>TimeService</ejb-name>
            <port-component-uri>/TimeService</port-component-uri>
            <auth-method>BASIC</auth-method>
            <transport-guarantee>NONE</transport-guarantee>
            <secure-wsdl-access>false</secure-wsdl-access>
        </port-component>
    </webservices>

*Client.java*

    import javax.xml.ws.BindingProvider;

    public class Client {

        // getPort() and setSoapAction() are part of the client but are not shown in this post.
        public Time_Type getCurrentTime(String soapAction) {
            Time time = getPort();
            BindingProvider bp = (BindingProvider) time;
            // commenting out the credentials throws following error
            // bp.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "abc");
            // bp.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, "abhijitsarkar");
            setSoapAction(soapAction, bp);
            return time.getCurrentTime();
        }
    }

*Stacktrace*

    com.sun.xml.ws.client.ClientTransportException: The server sent HTTP status code 401: Unauthorized
        at com.sun.xml.ws.transport.http.client.HttpTransportPipe.checkStatusCode(HttpTransportPipe.java:321)
        at com.sun.xml.ws.transport.http.client.HttpTransportPipe.createResponsePacket(HttpTransportPipe.java:270)
        at com.sun.xml.ws.transport.http.client.HttpTransportPipe.process(HttpTransportPipe.java:228)
        at com.sun.xml.ws.transport.http.client.HttpTransportPipe.processRequest(HttpTransportPipe.java:143)
        at com.sun.xml.ws.transport.DeferredTransportPipe.processRequest(DeferredTransportPipe.java:110)
        at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:961)
        at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:910)
        at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:873)
        at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:775)
        at com.sun.xml.ws.client.Stub.process(Stub.java:429)
        at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:168)
        at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:119)
        at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:102)
        at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:151)
        at $Proxy30.getCurrentTime(Unknown Source)
        at edu.certification.abhijitsarkar.ocewsd.jaxws.ejb.webservice.client.Client.getCurrentTime(Client.java:29)
        at edu.certification.abhijitsarkar.ocewsd.jaxws.ejb.webservice.client.ClientTest.testGetCurrentTime(ClientTest.java:17)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:45)
        at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:15)
        at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:42)
        at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:20)
        at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:263)
        at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:68)
        at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:47)
        at org.junit.runners.ParentRunner$3.run(ParentRunner.java:231)
        at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:60)
        at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:229)
        at org.junit.runners.ParentRunner.access$000(ParentRunner.java:50)
        at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:222)
        at org.junit.runners.ParentRunner.run(ParentRunner.java:300)
        at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:50)
        at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
        at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:467)
        at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:683)
        at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:390)
        at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:197)

*application-users.properties*

    Abhijit$ tail -5 application-users.properties
    #
    #admin=2a0923285184943425d1f53ddd58ec7a
    user=8544a03c79aee5b1c99458d83ee0f9e0
    guest=1bb6b7c18b5c1dab17f5141fa398905a

*application-roles.properties*

    Abhijit$ tail -5 application-roles.properties
    #
    #admin=PowerUser,BillingAdmin,
    #guest=guest
    user=AppUser
    guest=AppGuest

--------------------------------------------------------------
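A quick way to see which layer is issuing the 401, as an added example that is not part of the original post: POST a request to the endpoint with and without an Authorization header using plain HttpURLConnection and look at the status and the WWW-Authenticate header. Because jboss-webservices.xml declares <auth-method>BASIC</auth-method> for the whole port-component, the web container applies an HTTP BASIC constraint to the endpoint URL and challenges before the EJB container ever evaluates @PermitAll or @RolesAllowed; a 401 carrying WWW-Authenticate: Basic on a @PermitAll operation confirms that. The host, port, SOAP target namespace and credentials are assumptions.

```java
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class EndpointAuthProbe {
    // Built from the posted context-root and port-component-uri; host and port are assumed.
    static final String ENDPOINT = "http://localhost:8080/jaxws-ejb-1.0/TimeService";

    // Minimal SOAP 1.1 envelope. The operation namespace is a placeholder (take it from
    // the deployed WSDL). The payload hardly matters for this probe: a container-level
    // BASIC constraint rejects the request before it is dispatched to the EJB.
    static final String ENVELOPE =
        "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
      + "<soapenv:Body><ns:getCurrentTime xmlns:ns=\"TARGET_NAMESPACE_FROM_WSDL\"/></soapenv:Body>"
      + "</soapenv:Envelope>";

    /** Sends one request; basicCredentials is "user:password" or null for no header. */
    static int probe(String basicCredentials) throws Exception {
        HttpURLConnection c = (HttpURLConnection) new URL(ENDPOINT).openConnection();
        c.setRequestMethod("POST");
        c.setDoOutput(true);
        c.setRequestProperty("Content-Type", "text/xml; charset=utf-8");
        c.setRequestProperty("SOAPAction", "\"\"");
        if (basicCredentials != null) {
            String token = Base64.getEncoder()
                .encodeToString(basicCredentials.getBytes(StandardCharsets.UTF_8));
            c.setRequestProperty("Authorization", "Basic " + token);
        }
        try (OutputStream out = c.getOutputStream()) {
            out.write(ENVELOPE.getBytes(StandardCharsets.UTF_8));
        }
        int status = c.getResponseCode();
        // A 401 with "WWW-Authenticate: Basic realm=..." is the web container's challenge;
        // it is issued before EJB method permissions such as @PermitAll are consulted.
        // An EJB-level denial would instead come back as a SOAP fault (EJBAccessException).
        System.out.println((basicCredentials == null ? "no credentials" : "with credentials")
            + " -> HTTP " + status + ", WWW-Authenticate: " + c.getHeaderField("WWW-Authenticate"));
        return status;
    }

    public static void main(String[] args) throws Exception {
        probe(null);            // 401 expected while <auth-method>BASIC</auth-method> is declared
        probe("user:PASSWORD"); // placeholder password for the "user" principal in application-users.properties
    }
}
```

If the unauthenticated call is rejected with a Basic challenge while the authenticated one succeeds, the descriptor's auth-method, not the EJB authorization, is what requires credentials for the @PermitAll method.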
