
Secure EJB3.1-Webservice (in JBoss Wildfly 8.2)

I have a nearly finished web project with EJB 3.1 deployed as a WAR in Wildfly 8.2. It's secured by a self-written JAAS realm with form authentication (auth-method FORM).

Now I want to add an EJB webservice which is basically defined as

import javax.annotation.Resource;
import javax.ejb.Stateless;
import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.xml.ws.WebServiceContext;

@Stateless
@WebService
public class ProductImportWebservice {
    // injected by the container; gives access to the caller's principal
    // and the SOAP message context of the current request
    @Resource
    WebServiceContext wsContext;

    [...]

    @WebMethod
    public Product createOrFind(String name) {
       [...]
    }
}

The webservice works as expected but now I have the problem that I want to protect access to the Webservice by username/password. So I annotated the webservice or the @WebMethod with

@RolesAllowed("ADMIN")

which is a valid role in the JAAS authentication. Effect: the SOAP client gets the answer "request not allowed / not authenticated", but gets no authentication request, and attempts with BASIC authentication are ignored. If I add the URL of the webservice to the security-constraint in the web.xml I get an authentication request... but the problem now is that it's the form-based authentication, as a user with a browser would expect it. This is unusable for a "normal" SOAP client :-(

The concrete question now is: Is there a way to have both - BASIC authentication for the webservice and FORM-based authentication for the rest of the application?

The only other way I would see is to split the WAR package up to an EAR-package and deploy the webservice in a different web-context.

The concrete question now is: Is there a way to have both - BASIC authentication for the webservice and FORM-based authentication for the rest of the application?

You can't use both FORM and BASIC authentication for the same web application.

If you need to do this, create two separate applications, with a shared codebase.

Reference:

https://docs.oracle.com/javaee/7/tutorial/security-webtier002.htm#JEETT01227

The auth-method subelement configures the authentication mechanism for the web application. The element content must be either NONE, BASIC, DIGEST, FORM, or CLIENT-CERT.
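The two-deployment layout the answer recommends (and the EAR split the question already considers) looks like this in the deployment descriptors. This is an added illustration, not code from the question, the answer or the project: the module names, URL patterns, login pages, realm name and the security-domain name `my-jaas-domain` are assumptions; only the `ADMIN` role and the FORM/BASIC methods come from the page.

```xml
<!-- Added example: two WARs (packaged in one EAR, or deployed side by side)
     bound to the same JAAS security domain, so the same users and the
     ADMIN role are used by both. Module names, paths and the domain name
     "my-jaas-domain" are placeholders. -->

<!-- ======== ui.war/WEB-INF/web.xml : the existing browser application ======== -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Application pages</web-resource-name>
      <url-pattern>/app/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>ADMIN</role-name>
    </auth-constraint>
  </security-constraint>
  <!-- exactly one auth-method per web application: FORM stays here -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.xhtml</form-login-page>
      <form-error-page>/login-error.xhtml</form-error-page>
    </form-login-config>
  </login-config>
  <security-role><role-name>ADMIN</role-name></security-role>
</web-app>

<!-- ======== productimport-ws.war/WEB-INF/web.xml : only the SOAP endpoint ======== -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Product import endpoint</web-resource-name>
      <!-- this WAR contains nothing but the webservice, so protect the whole context -->
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>ADMIN</role-name>
    </auth-constraint>
    <!-- BASIC carries the password base64-encoded in every request:
         require TLS so plain-HTTP calls are redirected to HTTPS
         (assumes an HTTPS listener is configured in WildFly) -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <!-- BASIC here: the SOAP client answers the 401 challenge with an Authorization header -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>ProductImport</realm-name>
  </login-config>
  <security-role><role-name>ADMIN</role-name></security-role>
</web-app>

<!-- ======== WEB-INF/jboss-web.xml, identical in both WARs ======== -->
<jboss-web>
  <!-- the self-written JAAS login module registered under this name in standalone.xml -->
  <security-domain>my-jaas-domain</security-domain>
</jboss-web>
```

With this split, the container authenticates the SOAP caller at the web layer of the webservice WAR, and the `@RolesAllowed("ADMIN")` check on the EJB is then evaluated against that already authenticated principal instead of rejecting an anonymous call. The EJB itself should be bound to the same security domain as the web layer (in WildFly the EJB subsystem otherwise falls back to its default domain, `other`), or the role check may run against a different login module than the one that authenticated the request.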
