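JBoss AS 7, web service basic HTTP authentication error

Time: 2015-04-17 13:33:42

Tags: jax-ws jboss7.x ws-security jaas

I developed an EJB-based web service on the JBoss EAP 6.1 application server. Without authentication, the service works as expected. Now I have added a basic authentication mechanism to this web service; these are the steps I followed:

I annotated my EJB (which implements the WS) as follows: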

import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.jws.WebService;

import org.jboss.ejb3.annotation.SecurityDomain;
import org.jboss.ws.api.annotation.WebContext;

@Stateless
@WebService(name = "HelloWorldWS", targetNamespace = "http://my-company/ws/")
@WebContext(authMethod = "BASIC", contextRoot = "helloWS", urlPattern = "/*")
@SecurityDomain("helloworld-webservice-login")
public class HelloWorldWebService implements HelloWorldWebServiceRemote {

    @RolesAllowed({"mioruolo"})
    public String sayHello() {
        return "Hello World";
    }
}

Accordingly, I added the helloworld-webservice-login security domain to the standalone.xml file, as follows:

<security-domain name="helloworld-webservice-login">
    <authentication>
        <login-module code="Database" flag="required">
            <module-option name="dsJndiName" value="java:jboss/datasources/ExampleDS"/>
            <module-option name="principalsQuery" value="select password from s_principals where principal_id=?"/>
            <module-option name="rolesQuery" value="select role, 'Roles' from s_roles where principal_id=?"/>
        </login-module>
    </authentication>
</security-domain>

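So I expect that only users with the role named "mioruolo" can access the web service. I added the tables s_roles and s_principals to my Oracle 10g database, and I executed the two queries from the XML file in a Toad window; both queries work as expected.

I use a JAX-WS generated client to call this web service, and on the client side I pass the credentials in the HTTP header as follows: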

bindingProvider.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "federico");
bindingProvider.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, "passwd");

The response I get is always a 403 Forbidden status code. I checked the JBoss log file and saw the following lines:

14:50:40,693 DEBUG [org.apache.catalina.authenticator]         (http-/127.0.0.1:8080-1) Security checking request POST /helloWS
14:50:40,694 DEBUG [org.apache.catalina.realm] (http-/127.0.0.1:8080-1)   Checking constraint 'SecurityConstraint[HelloWorldWebService]' against POST / --> true
14:50:40,709 DEBUG [org.apache.catalina.realm] (http-/127.0.0.1:8080-1)   Checking constraint 'SecurityConstraint[HelloWorldWebService]' against POST / --> true
14:50:40,709 DEBUG [org.apache.catalina.authenticator] (http-/127.0.0.1:8080-1)  Calling hasUserDataPermission()
14:50:40,709 DEBUG [org.apache.catalina.realm] (http-/127.0.0.1:8080-1)   User data constraint has no restrictions
14:50:40,710 DEBUG [org.apache.catalina.authenticator] (http-/127.0.0.1:8080-1)  Calling authenticate()
14:50:41,287 DEBUG [org.apache.catalina.authenticator] (http-/127.0.0.1:8080-1) Authenticated 'federico' with type 'BASIC'
14:50:41,288 DEBUG [org.apache.catalina.authenticator] (http-/127.0.0.1:8080-1)  Calling accessControl()
14:50:41,288 DEBUG [org.apache.catalina.realm] (http-/127.0.0.1:8080-1)   Checking roles GenericPrincipal[federico(mioruolo,)]
14:50:41,321 DEBUG [org.apache.catalina.authenticator] (http-/127.0.0.1:8080-1)  Failed accessControl() test

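So authentication works, but authorization (which I think is the check of whether the user "federico" has the role "mioruolo") fails, and I cannot figure out why, because the queries run in the Toad client without any problem.

Any ideas about this error? Any help would be greatly appreciated.

Thank you very much

Regards

1 answer:

Answer 0: (score: 0)

You have to declare the role in HelloWorldWebService: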

import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.jws.WebService;

import org.jboss.ejb3.annotation.SecurityDomain;
import org.jboss.ws.api.annotation.WebContext;

@Stateless
@WebService(name = "HelloWorldWS", targetNamespace = "http://my-company/ws/")
@WebContext(authMethod = "BASIC", contextRoot = "helloWS", urlPattern = "/*")
@SecurityDomain("helloworld-webservice-login")
// Declare the role used by @RolesAllowed below
@javax.annotation.security.DeclareRoles({"mioruolo"})
public class HelloWorldWebService implements HelloWorldWebServiceRemote {

    @RolesAllowed({"mioruolo"})
    public String sayHello() {
        return "Hello World";
    }
}
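
Added example, not part of the original question or answer: a small triage script that correlates the Catalina authenticator DEBUG lines from the question per worker thread and separates "credentials accepted, role check failed" (the 403 case here) from a denial with no authenticated user. The function and field names are assumptions made for this sketch; the sample input is an excerpt of the log posted in the question.

```python
import re

# Log excerpt taken from the question above (Catalina DEBUG output).
SAMPLE_LOG = """\
14:50:40,693 DEBUG [org.apache.catalina.authenticator] (http-/127.0.0.1:8080-1) Security checking request POST /helloWS
14:50:40,710 DEBUG [org.apache.catalina.authenticator] (http-/127.0.0.1:8080-1)  Calling authenticate()
14:50:41,287 DEBUG [org.apache.catalina.authenticator] (http-/127.0.0.1:8080-1) Authenticated 'federico' with type 'BASIC'
14:50:41,288 DEBUG [org.apache.catalina.realm] (http-/127.0.0.1:8080-1)   Checking roles GenericPrincipal[federico(mioruolo,)]
14:50:41,321 DEBUG [org.apache.catalina.authenticator] (http-/127.0.0.1:8080-1)  Failed accessControl() test
"""

LINE = re.compile(r"^(\S+)\s+DEBUG\s+\[([\w.]+)\]\s+\(([^)]+)\)\s+(.*)$")
REQUEST = re.compile(r"Security checking request (\S+) (\S+)")
AUTHED = re.compile(r"Authenticated '([^']*)' with type '([^']*)'")
ROLES = re.compile(r"Checking roles GenericPrincipal\[([^(\]]*)\(([^)]*)\)\]")


def triage(log_text):
    """Correlate lines per worker thread; report requests that failed accessControl()."""
    state, findings = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, _logger, thread, msg = m.groups()
        if (r := REQUEST.search(msg)):
            # A new request on this thread resets whatever was tracked before.
            state[thread] = {"method": r.group(1), "path": r.group(2),
                             "user": None, "auth_type": None, "roles": []}
            continue
        cur = state.get(thread)
        if cur is None:
            continue
        if (a := AUTHED.search(msg)):
            cur["user"], cur["auth_type"] = a.groups()
        elif (g := ROLES.search(msg)):
            # "mioruolo," -> ["mioruolo"]: drop the empty trailing entry
            cur["roles"] = [x for x in g.group(2).split(",") if x]
        elif "Failed accessControl() test" in msg:
            kind = "authenticated-but-denied" if cur["user"] else "denied-unauthenticated"
            findings.append({"time": ts, "kind": kind, **cur})
            del state[thread]
    return findings
```

For the log in the question this yields one "authenticated-but-denied" finding for user federico with roles ["mioruolo"], which shows that the login module returned the role and the denial happened at the later role check.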