Evandro Pomatti

Reputation: 15094

EJB JAX-WS Web Service authentication and authorization

How can I authenticate with HTTP Basic, via the application server domain/secure realm, using a Session Bean published as a @WebService?

In a Web project one could use web.xml to map Roles to Groups, but I have no idea how to do it in an EJB-JAR project. I don't think it can be done with ejb-jar.xml.

Sample code, which works fine without the roles annotations:

import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.jws.WebService;

@Stateless
@WebService(portName="RestrictedServicePort")
@DeclareRoles(value = "Administrators")
public class RestrictedServiceBean {

    // Only callers in the "Administrators" role may invoke this operation;
    // any other caller (including an anonymous one) gets an EJB security violation.
    @RolesAllowed(value = "Administrators")
    public String restrictedOperation() {
        return "Secret information";
    }

}

Error:

<faultstring>[EJB:010160]Security Violation: User: '<anonymous>' has insufficient permission to access EJB: type=<ejb>

Basic Credentials Header:

Authorization: Basic d2VibG9naWM6d2VsY29tZTE=

I suspect it must be done via vendor-specific configuration. I am using WebLogic 10.3.6, Java EE 5 / EJB 3.0.

Upvotes: 0

Views: 1886

Answers (2)

Evandro Pomatti

Reputation: 15094

Solved by adding the role mapping as it is done in any web module, but using the proprietary weblogic-ejb-jar.xml, as follows:

<wls:security-role-assignment>
    <wls:role-name>Administrators</wls:role-name>
    <wls:principal-name>myweblogicgroup</wls:principal-name>
</wls:security-role-assignment>

The "myweblogicgroup" is the group created in the WebLogic security realm to which the system user used to authenticate to the web service belongs.

This link helped me.

Upvotes: 0
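The fragment in the answer above as a complete META-INF/weblogic-ejb-jar.xml, added here as an example; it is not code from the original answer. It assumes the WebLogic 10.3.x descriptor namespace and the group name myweblogicgroup from the answer; the schema location URL, the per-bean element and the additional user principal (wsadmin) are assumptions. Note that HTTP Basic only base64-encodes the credentials (the Authorization header in the question decodes to a cleartext username and password), so the endpoint should be exposed over HTTPS.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- META-INF/weblogic-ejb-jar.xml for a WebLogic 10.3.x EJB 3.0 module.
     Added example: the role mapping from the answer in a complete descriptor.
     The schema location URL and the "wsadmin" user are assumptions. -->
<wls:weblogic-ejb-jar
    xmlns:wls="http://xmlns.oracle.com/weblogic/weblogic-ejb-jar"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://xmlns.oracle.com/weblogic/weblogic-ejb-jar
                        http://xmlns.oracle.com/weblogic/weblogic-ejb-jar/1.1/weblogic-ejb-jar.xsd">

  <!-- Optional per-bean settings. The ejb-name of an annotated EJB 3.0 bean
       defaults to the unqualified class name, here RestrictedServiceBean. -->
  <wls:weblogic-enterprise-bean>
    <wls:ejb-name>RestrictedServiceBean</wls:ejb-name>
    <wls:stateless-session-descriptor/>
  </wls:weblogic-enterprise-bean>

  <!-- Maps the Java EE role named in @DeclareRoles / @RolesAllowed to principals
       in the active security realm. principal-name may repeat and may name either
       a group (preferred: membership is managed in the realm) or a single user. -->
  <wls:security-role-assignment>
    <wls:role-name>Administrators</wls:role-name>
    <wls:principal-name>myweblogicgroup</wls:principal-name>
    <wls:principal-name>wsadmin</wls:principal-name> <!-- assumed user name -->
  </wls:security-role-assignment>

</wls:weblogic-ejb-jar>
```

When testing, read the user name in the EJB:010160 fault: '<anonymous>' means the Basic credentials were never applied to the call (authentication problem), while a real user name means the user authenticated but is not a member of any principal mapped to the role (authorization problem), so check the realm group membership and this mapping.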

Scott Heaberlin

Reputation: 3424

Basic Auth via Policy

From the v10 docs:

A Web service can have zero or more WS-Policy files associated with it. WS-Policy files follow the guidelines of the WS-Policy specification. WebLogic Server uses WS-Policy files to specify the details of the message-level security (digital signatures and encryption) and reliable messaging capabilities of a Web service. You can attach a WS-Policy file to a Web service endpoint, which means that the policy assertions apply to all the operations of a Web service endpoint. You can also attach a WS-Policy file to an operation, which means that the policy assertions apply only to the specific operation. In addition, you can attach a WS-Policy file to the inbound or outbound SOAP message, or both.

It would appear you can attach a basic auth policy to your service:

<sp:TransportToken>
  <wsp:Policy>
    <sp:HttpBasicAuthentication/>
  </wsp:Policy>
</sp:TransportToken>

You can apply this custom policy via the administrative console via the steps outlined here or you can consider referencing one of the Oracle-preconfigured policies.


Mapping Roles to Groups

The WebLogic (v12) documentation mentions the following when discussing usage of @RolesAllowed in an EJB:

You can also use the annotation to explicitly declare roles that are implicitly declared if you use the @RolesAllowed annotation on the class or a method of the class.

You create security roles in WebLogic Server using the Administration Console. For details, see "Manage Security Roles" in the Oracle WebLogic Server Administration Console Help.

The Manage Security Roles section continues on to discuss scoped roles.

You can then create a scoped role for a specific EJB that contains highly sensitive business logic. When you create a policy for the EJB, you can specify that only the scoped role can access the EJB.

More information on managing scoped roles is here.

Upvotes: 1
