I have this use case where I am trying to intercept an incoming SOAP request,
strip off an authN token from a SOAP header, and authenticate the request
before allowing the request through the rest of its lifecycle.  My SOAP
service is implemented as a stateless EJB3 with @RolesAllowed security
annotations on the methods.  The EJB itself is decorated with the @WebService
annotation, creating SOAP endpoints for the methods.  I've defined an
InInterceptor that will intercept the incoming request and authenticate the
request, but the interceptor is never invoked when I call the SOAP service.
Instead I get the EJBAccessException:

14:41:18,228 ERROR [org.jboss.as.ejb3.invocation] (http-/127.0.0.1:8080-1) JBAS014134: EJB Invocation failed on component CalculatorEJB for method public int com.putnam.calc.CalculatorEJB.add(int,int): javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public int com.putnam.calc.CalculatorEJB.add(int,int) of bean: CalculatorEJB is not allowed
        at org.jboss.as.ejb3.security.AuthorizationInterceptor.processInvocation(AuthorizationInterceptor.java:114) [jboss-as-ejb3-7.3.3.Final-redhat-3.jar:7.3.3.Final-redhat-3]
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.2.Final-redhat-1.jar:1.1.2.Final-redhat-1]
        at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:81) [jboss-as-ejb3-7.3.3.Final-redhat-3.jar:7.3.3.Final-redhat-3]
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.2.Final-redhat-1.jar:1.1.2.Final-redhat-1]
        at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64) [jboss-as-ejb3-7.3.3.Final-redhat-3.jar:7.3.3.Final-redhat-3]
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.2.Final-redhat-1.jar:1.1.2.Final-redhat-1]
        at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) [jboss-as-ejb3-7.3.3.Final-redhat-3.jar:7.3.3.Final-redhat-3]
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.2.Final-redhat-1.jar:1.1.2.Final-redhat-1]
        at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50) [jboss-as-ee-7.3.3.Final-redhat-3.jar:7.3.3.Final-redhat-3]
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.2.Final-redhat-1.jar:1.1.2.Final-redhat-1]
        at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:55) [jboss-as-ejb3-7.3.3.Final-redhat-3.jar:7.3.3.Final-redhat-3]
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.2.Final-redhat-1.jar:1.1.2.Final-redhat-1]
        at org.jboss.as.ee.component.TCCLInterceptor.processInvocation(TCCLInterceptor.java:45) [jboss-as-ee-7.3.3.Final-redhat-3.jar:7.3.3.Final-redhat-3]
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.2.Final-redhat-1.jar:1.1.2.Final-redhat-1]
        at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation-1.1.2.Final-redhat-1.jar:1.1.2.Final-redhat-1]
        at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:165) [jboss-as-ee-7.3.3.Final-redhat-3.jar:7.3.3.Final-redhat-3]
        at org.jboss.as.webservices.invocation.AbstractInvocationHandler.invoke(AbstractInvocationHandler.java:130)
        at org.jboss.wsf.stack.cxf.JBossWSInvoker.performInvocation(JBossWSInvoker.java:149)
        at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:104)
        at org.apache.cxf.jaxws.AbstractJAXWSMethodInvoker.invoke(AbstractJAXWSMethodInvoker.java:237)
        at org.apache.cxf.jaxws.JAXWSMethodInvoker.invoke(JAXWSMethodInvoker.java:68)
        at org.jboss.wsf.stack.cxf.JBossWSInvoker.invoke(JBossWSInvoker.java:129)
        at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:58)

How do I configure my security interceptor (called WSSecurityInterceptor) to
fire before the org.jboss.as.ejb3.security.AuthorizationInterceptor?  Do I
need to use an EJB3 interceptor instead of a CXF interceptor?  I am running
on JBoss AS 7.



-----
-Jeff
--
View this message in context: 
http://cxf.547215.n5.nabble.com/Which-phase-to-intercept-incoming-requests-before-security-is-invoked-tp5766437.html
Sent from the cxf-user mailing list archive at Nabble.com.
