7 replies Latest Post - 2012-01-10T14:49:06Z by MJonker
MJonker
MJonker
26 Posts
ACCEPTED ANSWER

Pinned topic How to secure EJB webservices ?

2012-01-09T13:35:50Z
Earlier I asked about the support for SOAP security in WAS CE 3.0, which, as I understood it, is not supported, but still:

I am trying to secure my EJB based webservice.

The annotations work fine, in the sense that I get this error message when invoking a secured operation:

javax.ejb.EJBAccessException: Unauthorized Access by Principal Denied: Unauthorized Access by Principal Denied

When I provide correct credentials (I tested this with a web-app on the same server, same security realm) in the HTTP header, these credentials are not picked up.

I have added:

@RolesAllowed("test") to my method

And I have added the following to openejb-jar.xml:

(this is my security realm)

    <dep:dependency>
        <dep:groupId>console.realm</dep:groupId>
        <dep:artifactId>ServiceLaag</dep:artifactId>
        <dep:version>1.0</dep:version>
        <dep:type>car</dep:type>
    </dep:dependency>

(applications is a group in the ServiceLaag realm)

    <sec:security>
        <sec:role-mappings>
            <sec:role role-name="test">
                <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="applications"/>
            </sec:role>
        </sec:role-mappings>
    </sec:security>

A subquestion would be, what are my chances when I want to implement this:

    <ws-security-binding>
        <security-realm-name>geronimo-admin</security-realm-name>
        <property name="wss4j.in.action">UsernameToken</property>
    </ws-security-binding>

see also: https://cwiki.apache.org/GMOxDOC30/securing-web-service.html

Thanks again
Updated on 2012-01-10T14:49:06Z by MJonker
  • MJonker

    Re: How to secure EJB webservices ?

    2012-01-09T14:09:18Z  in response to MJonker
    Using the sec:realm-principal (instead of sec:principal) does not make a difference

    <sec:realm-principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" domain-name="ServiceLaag" name="applications" realm-name="ServiceLaag"/>
  • MJonker

    Re: How to secure EJB webservices ?

    2012-01-09T14:34:51Z  in response to MJonker
    To be clear, I am getting the same error with valid and with invalid credentials...
  • MJonker

    Re: How to secure EJB webservices ?

    2012-01-09T15:28:14Z  in response to MJonker
    I found this sample

    https://svn.apache.org/repos/asf/geronimo/server/branches/2.2/testsuite/webservices-testsuite/jaxws-tests/jaxws-ejb-sec/

    But I am struggling with the Eclipse XML validation:

    cvc-complex-type.2.4.a: Invalid content was found starting with element 'ejb:web-service-security'.
    One of '{"http://openejb.apache.org/xml/ns/openejb-jar-2.2":jndi-name, "http://openejb.apache.org/xml/ns/openejb-jar-2.2":local-jndi-name, "http://openejb.apache.org/xml/ns/openejb-jar-2.2":jndi, "http://openejb.apache.org/xml/ns/openejb-jar-2.2":cache-size, "http://openejb.apache.org/xml/ns/openejb-jar-2.2":tss-link, "http://openejb.apache.org/xml/ns/openejb-jar-2.2":tss, "http://geronimo.apache.org/xml/ns/naming-1.2":abstract-naming-entry, "http://geronimo.apache.org/xml/ns/naming-1.2":persistence-context-ref, "http://geronimo.apache.org/xml/ns/naming-1.2":gbean-ref}' is expected.
    • MJonker

      Re: How to secure EJB webservices ?

      2012-01-09T16:45:28Z  in response to MJonker
      When I ignore the errors and deploy anyhow, I get this message:

      2012-01-09 17:43:19,291 ERROR EjbModuleBuilder AxisModuleBuilderExtension.initContext() failed: Duplicate contextID registered! AtriumServiceLaag/ComponentServiceEAR/1.0/car?EJBModule=ComponentService.jar,J2EEApplication=AtriumServiceLaag/ComponentServiceEAR/1.0/car,j2eeType=StatelessSessionBean,name=ComponentServiceImpl
      org.apache.geronimo.common.DeploymentException: Duplicate contextID registered! AtriumServiceLaag/ComponentServiceEAR/1.0/car?EJBModule=ComponentService.jar,J2EEApplication=AtriumServiceLaag/ComponentServiceEAR/1.0/car,j2eeType=StatelessSessionBean,name=ComponentServiceImpl
      at org.apache.geronimo.j2ee.deployment.EARContext.addSecurityContext(EARContext.java:182)
      at org.apache.geronimo.axis.builder.AxisModuleBuilderExtension.initContext(AxisModuleBuilderExtension.java:178)

      This is taken from my openejb-jar.xml:

          <sec:security>
              <sec:role-mappings>
                  <sec:role role-name="test">
                      <sec:realm-principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" domain-name="ServiceLaag" name="applications" realm-name="ServiceLaag"/>
                  </sec:role>
              </sec:role-mappings>
          </sec:security>

          <ejb:enterprise-beans>
              <ejb:session>
                  <ejb:ejb-name>ComponentServiceImpl</ejb:ejb-name>
                  <ejb:web-service-security>
                      <ejb:security-realm-name>ServiceLaag</ejb:security-realm-name>
                      <ejb:transport-guarantee>NONE</ejb:transport-guarantee>
                      <ejb:auth-method>BASIC</ejb:auth-method>
                  </ejb:web-service-security>
              </ejb:session>
          </ejb:enterprise-beans>



      So no luck here either
  • MJonker

    Re: How to secure EJB webservices ?

    2012-01-09T16:03:38Z  in response to MJonker
    When I create a webservice in a dynamic web-app and secure this web-app:

        <security-constraint>
            <web-resource-collection>
                <web-resource-name>services</web-resource-name>
                <url-pattern>*</url-pattern>
                <http-method>POST</http-method>
                <http-method>GET</http-method>
            </web-resource-collection>
            <auth-constraint>
                <role-name>test</role-name>
            </auth-constraint>
        </security-constraint>

    Then HTTP authentication works, but I need this to work from an EJB application.
  • MJonker

    Re: How to secure EJB webservices ?

    2012-01-10T13:32:34Z  in response to MJonker
    I have a first implementation that works.
    This one works with the default "geronimo-admin" security realm.
  • MJonker

    Re: How to secure EJB webservices ?

    2012-01-10T14:49:06Z  in response to MJonker
    I have decided to add my users to the geronimo admin realm for now.

    The only thing that still bothers me is this error message:

    2012-01-10 15:46:57,115 ERROR EjbModuleBuilder AxisModuleBuilderExtension.initContext() failed: Duplicate contextID registered! AtriumServiceLaag/ComponentServiceEAR/1.1/car?EJBModule=ComponentService.jar,J2EEApplication=AtriumServiceLaag/ComponentServiceEAR/1.1/car,j2eeType=StatelessSessionBean,name=ComponentServiceImpl
    org.apache.geronimo.common.DeploymentException: Duplicate contextID registered! AtriumServiceLaag/ComponentServiceEAR/1.1/car?EJBModule=ComponentService.jar,J2EEApplication=AtriumServiceLaag/ComponentServiceEAR/1.1/car,j2eeType=StatelessSessionBean,name=ComponentServiceImpl
    at org.apache.geronimo.j2ee.deployment.EARContext.addSecurityContext(EARContext.java:182)