About Question enthuware.ocejws.v6.2.226 :

fjwalraven
Posts: 429
Joined: Tue Jul 24, 2012 2:43 am

Re: About Question enthuware.ocejws.v6.2.226 :

Post by fjwalraven »

So for example, we can restrict a method by restricting its URL which is equivalent to the statement "role based security on a method"
Be careful here: it is not equivalent.

Check this example:

Code:

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;

@Path("convert")
public class RunningConverter extends MyJAXRS_Classes {

    // Chosen by the container when the request's Accept header matches text/plain
    @GET
    @Produces("text/plain")
    public String getPlainTextResultTimeInSeconds(@QueryParam("me") double metres,
                                                  @QueryParam("km") double kmPerHour) {
        // implementation: seconds needed to cover 'metres' at 'kmPerHour'
        return String.valueOf(metres / (kmPerHour * 1000.0 / 3600.0));
    }

    // Same URL; chosen when the request's Accept header matches text/html
    @GET
    @Produces("text/html")
    public String getHTMLResultTimeInSeconds(@QueryParam("me") double metres,
                                             @QueryParam("km") double kmPerHour) {
        // implementation: same calculation, HTML representation
        return "<p>" + (metres / (kmPerHour * 1000.0 / 3600.0)) + " s</p>";
    }
}
Both implementations react to the same URL, however depending on the Accept string it will return the result from the PlainText method or from the HTML method. There is no way you can restrict 1 of the 2 methods using URL restriction.

Regards,
Frits
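The same two-method resource, secured per method instead of per URL, as an added example that is not part of Frits's post or the Enthuware question. It assumes the resource is deployed as a @Stateless session bean so the EJB container enforces the annotations, and the role name converter-admin is an assumption; the web container must still authenticate the caller (a login-config in web.xml) before the role check can succeed.

```java
// Added example, not from the thread: method-level role security on a
// JAX-RS resource whose two methods share one URL. Role "converter-admin"
// is an assumed name.
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;

@Stateless                        // EJB container enforces the role annotations
@DeclareRoles("converter-admin")  // declares the role referenced below
@Path("convert")
public class RunningConverter {

    // Seconds needed to cover 'metres' at 'kmPerHour'
    private static double seconds(double metres, double kmPerHour) {
        return metres / (kmPerHour * 1000.0 / 3600.0);
    }

    // Open to every caller: selected when Accept matches text/plain
    @GET
    @Produces("text/plain")
    @PermitAll
    public String getPlainTextResultTimeInSeconds(@QueryParam("me") double metres,
                                                  @QueryParam("km") double kmPerHour) {
        return String.valueOf(seconds(metres, kmPerHour));
    }

    // Same URL /convert, selected when Accept matches text/html, but only
    // callers in role converter-admin may invoke it. A <url-pattern> in
    // web.xml cannot express this, because both methods share the URL.
    @GET
    @Produces("text/html")
    @RolesAllowed("converter-admin")
    public String getHTMLResultTimeInSeconds(@QueryParam("me") double metres,
                                             @QueryParam("km") double kmPerHour) {
        return "<p>" + seconds(metres, kmPerHour) + " s</p>";
    }
}
```

A caller that is authenticated but not in the role, or not authenticated at all, is rejected by the EJB container with an access exception on the HTML method only; the plain-text method keeps working for everyone.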

sttaq0442
Posts: 27
Joined: Tue Nov 15, 2016 11:20 am

Re: About Question enthuware.ocejws.v6.2.226 :

Post by sttaq0442 »

that is interesting example. Thanks for the explanation.

witek_m
Posts: 16
Joined: Sat Jun 09, 2018 12:09 pm

Re: About Question enthuware.ocejws.v6.2.226 :

Post by witek_m »

hello, I tried to make a simple example about this question, but I cannot make it work without security-constraint. I have a resource class with @Stateless annotation and method with @RolesAllowed("witek") but without security-constraint I get javax.ejb.AccessLocalException: Client not authorized for this invocation.
I'm using glassfish 5 and netbeans.
Rest of the steps I made:
1. I made my own realm and user through gl console.
2. I made user to group mapping in glassfish-web.xml
3. My web.xml :

Code:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>test</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>witek</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>realmyInny1</realm-name>
  </login-config>
  <security-role>
    <role-name>witek</role-name>
  </security-role>
It works in this configuration, but without the <security-constraint> section it doesn't work.
Could someone be so kind and explain to me why?

fjwalraven
Posts: 429
Joined: Tue Jul 24, 2012 2:43 am

Re: About Question enthuware.ocejws.v6.2.226 :

Post by fjwalraven »

Hi!

I am not sure why you want to do it without a security constraint? Have you read the Java EE6 tutorial about security?

https://docs.oracle.com/javaee/6/tutori ... gijrp.html

Regards,
Frits

witek_m
Posts: 16
Joined: Sat Jun 09, 2018 12:09 pm

Re: About Question enthuware.ocejws.v6.2.226 :

Post by witek_m »

Thank you, I read most of it. Maybe I misunderstood the option: "Add a security constraint in the web deployment descriptor to restrict certain URLs." -> so I have to use a security constraint but not to restrict certain URLs.
I have two questions connected with it, maybe someone could help me with it:

1: I tried in an analogous way securing a webservice - in the same application as the first example I made a @Stateless class with @WebService annotation and a method with @RolesAllowed annotation, but it doesn't work - I can view the wsdl without user login and I can't invoke the webservice method. When I try I get :
JACC Policy Provider: Failed Permission Check, context(Naukaweb/Naukaweb_internal)- permission(("javax.security.jacc.EJBMethodPermission" "NewWebService" "hello,ServiceEndpoint,java.lang.String"))

2: I'm not sure when I have to use the @DeclareRoles annotation.

fjwalraven
Posts: 429
Joined: Tue Jul 24, 2012 2:43 am

Re: About Question enthuware.ocejws.v6.2.226 :

Post by fjwalraven »

I can view wsdl without user login and I can`t invoke webservice method
This means that your user doesn't have the correct role.
2: I'm not sure when I have to use the @DeclareRoles annotation.
The @DeclareRoles annotation is used to declare the security role names used in the enterprise bean code. The deployment descriptor equivalent is the <security-role> element.

You might want to go through my ejb notes (security part)
https://coderanch.com/wiki/659897/OCEEJBD-Links

Regards,
Frits

witek_m
Posts: 16
Joined: Sat Jun 09, 2018 12:09 pm

Re: About Question enthuware.ocejws.v6.2.226 :

Post by witek_m »

1. I checked my login user by using injected WebServiceContext: WebServiceContext.getUserPrincipal().getName() -> ANONYMOUS
2. I see, thank you.

fjwalraven
Posts: 429
Joined: Tue Jul 24, 2012 2:43 am

Re: About Question enthuware.ocejws.v6.2.226 :

Post by fjwalraven »

I checked my login user by using injected WebServiceContext: WebServiceContext.getUserPrincipal().getName() -> ANONYMOUS
This indicates that the user is not authenticated. Try creating a simple jsp with a login page, enforce authentication, and invoke the Webservice from the Servlet that is behind the login page. You will see that the credentials are propagated from the Servlet-container to the EJB-container.
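Frits's suggestion worked out as an added example (not code from the thread): a servlet protected by a role constraint calls a @RolesAllowed EJB and shows the propagated principal. The class names SecuredGreeter and GreetingServlet, the URL /secured/greet and the use of @ServletSecurity in place of a <security-constraint> are assumptions; the role name witek and a <login-config> like the one in the web.xml posted above are taken from the thread.

```java
// Added example, not from the thread. Two files shown together.
// Assumes web.xml contains a <login-config> (BASIC or FORM) and a
// <security-role> for "witek", as in the thread's web.xml.

// File: SecuredGreeter.java
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

@Stateless
@DeclareRoles("witek")
public class SecuredGreeter {
    // EJB container checks the caller principal's roles before running this
    @RolesAllowed("witek")
    public String hello(String name) {
        return "hello " + name;
    }
}

// File: GreetingServlet.java
import java.io.IOException;
import javax.ejb.EJB;
import javax.ejb.EJBAccessException;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Equivalent of a <security-constraint> for this one URL: the web container
// must authenticate the caller and confirm role "witek" before doGet runs.
@WebServlet("/secured/greet")
@ServletSecurity(@HttpConstraint(rolesAllowed = "witek"))
public class GreetingServlet extends HttpServlet {

    @EJB
    private SecuredGreeter greeter;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Authenticated by the web container; null here would mean ANONYMOUS,
        // which is what happens when no constraint covers the requested URL
        String user = req.getUserPrincipal() == null
                ? "ANONYMOUS" : req.getUserPrincipal().getName();
        resp.setContentType("text/plain");
        try {
            // The same principal is propagated to the EJB container, so the
            // @RolesAllowed check on hello() passes for a user in role witek
            resp.getWriter().println(user + ": " + greeter.hello(user));
        } catch (EJBAccessException e) {
            // Only reachable if the caller is not in the role, e.g. when no
            // constraint forces a login and the principal is still ANONYMOUS
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, e.getMessage());
        }
    }
}
```

Remove the @ServletSecurity constraint (or the equivalent <security-constraint>) and the web container performs no authentication for this URL: getUserPrincipal() returns null, the EJB container sees an anonymous caller, and the call fails with the same "Client not authorized" access exception reported earlier in the thread.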

NellieCunningham
Posts: 1
Joined: Sat Feb 23, 2019 8:04 am

Re: About Question enthuware.ocejws.v6.2.226 :

Post by NellieCunningham »

Thank you for sharing information and your experience guys, it was very much helpful to understand many other things rather than just understanding our issues.
I think starting to use rad140 is very secure and works like a charm.
