
Re: About Question enthuware.ocejws.v6.2.226 :

Posted: Thu Nov 17, 2016 1:27 pm
by fjwalraven
So for example, we can restrict a method by restricting its URL, which is equivalent to the statement "role based security on a method"
Be careful here: it is not equivalent.

Check this example:

Code:

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;

@Path("convert")
public class RunningConverter extends MyJAXRS_Classes {

    // Selected when the request's Accept header matches text/plain
    @GET
    @Produces("text/plain")
    public String getPlainTextResultTimeInSeconds(@QueryParam("me") double metres,
                                                  @QueryParam("km") double kmPerHour) {
        // implementation (placeholder body: metres divided by speed in m/s)
        return String.valueOf(metres / (kmPerHour * 1000.0 / 3600.0));
    }

    // Selected when the request's Accept header matches text/html; same URL as above
    @GET
    @Produces("text/html")
    public String getHTMLResultTimeInSeconds(@QueryParam("me") double metres,
                                             @QueryParam("km") double kmPerHour) {
        // implementation (placeholder body: same calculation, HTML representation)
        return "<p>" + (metres / (kmPerHour * 1000.0 / 3600.0)) + "</p>";
    }
}
Both implementations react to the same URL; however, depending on the Accept string, it will return the result from the PlainText method or from the HTML method. There is no way you can restrict one of the two methods using URL restriction.

Regards,
Frits
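The following is an added example written for this edit (it is not code from the original post or from Enthuware) showing where the authorization has to live when two methods share a URL and differ only by Accept header. The role name "reports", the helper secondsFor and the omission of the MyJAXRS_Classes superclass are assumptions.

```java
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

/*
 * A <security-constraint> with <url-pattern>/convert</url-pattern> covers BOTH
 * methods below: the container matches the URL first and only afterwards picks
 * the method whose @Produces matches the request's Accept header. Authorization
 * that differs per representation therefore has to be expressed on the method
 * (or checked inside it), which is what the exam option "role based security on
 * a method" refers to.
 */
@Path("convert")
public class RunningConverter {

    // Any caller may fetch the plain-text representation.
    @GET
    @Produces("text/plain")
    @PermitAll
    public String getPlainTextResultTimeInSeconds(@QueryParam("me") double metres,
                                                  @QueryParam("km") double kmPerHour) {
        return String.valueOf(secondsFor(metres, kmPerHour));
    }

    // Only callers in the assumed "reports" role may fetch the HTML representation.
    // @RolesAllowed is enforced by the container when the resource is an EJB (or the
    // JAX-RS runtime registers a roles filter); the explicit SecurityContext check is
    // the portable guard for a plain JAX-RS resource class.
    @GET
    @Produces("text/html")
    @RolesAllowed("reports")
    public String getHTMLResultTimeInSeconds(@QueryParam("me") double metres,
                                             @QueryParam("km") double kmPerHour,
                                             @Context SecurityContext sc) {
        if (sc.getUserPrincipal() == null || !sc.isUserInRole("reports")) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
        return "<p>" + secondsFor(metres, kmPerHour) + " s</p>";
    }

    // Assumed conversion: distance divided by speed expressed in metres per second.
    static double secondsFor(double metres, double kmPerHour) {
        return metres / (kmPerHour * 1000.0 / 3600.0);
    }
}
```

A request for /convert?me=1000&km=12 with Accept: text/plain succeeds for anyone, while the same URL with Accept: text/html is refused unless the caller is authenticated and in the "reports" role. Note that the method-level check only sees a principal if the web container authenticated the caller first, which still needs a <login-config> and a <security-constraint> in web.xml; the constraint triggers authentication, the method annotation does the per-representation authorization.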

Re: About Question enthuware.ocejws.v6.2.226 :

Posted: Thu Nov 17, 2016 1:45 pm
by sttaq0442
That is an interesting example. Thanks for the explanation.

Re: About Question enthuware.ocejws.v6.2.226 :

Posted: Mon Jun 11, 2018 1:42 pm
by witek_m
Hello, I tried to make a simple example about this question, but I cannot make it work without security-constraint. I have a resource class with the @Stateless annotation and a method with @RolesAllowed("witek"), but without security-constraint I get javax.ejb.AccessLocalException: Client not authorized for this invocation.
I'm using GlassFish 5 and NetBeans.
The rest of the steps I made:
1. I made my own realm and user through the gl console.
2. I made the user-to-group mapping in glassfish-web.xml.
3. My web.xml:

Code:

<!-- Triggers BASIC authentication for every URL and requires the "witek" role -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>test</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>witek</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>realmyInny1</realm-name>
</login-config>
<security-role>
  <role-name>witek</role-name>
</security-role>
It works in this configuration, but without the <security-constraint> section it doesn't work.
Could someone be so kind as to explain to me why?

Re: About Question enthuware.ocejws.v6.2.226 :

Posted: Mon Jun 11, 2018 11:35 pm
by fjwalraven
Hi!

I am not sure why you want to do it without a security constraint. Have you read the Java EE 6 tutorial about security?

https://docs.oracle.com/javaee/6/tutori ... gijrp.html

Regards,
Frits

Re: About Question enthuware.ocejws.v6.2.226 :

Posted: Tue Jun 12, 2018 2:08 pm
by witek_m
Thank you, I read most of it. Maybe I misunderstood the option: "Add a security constraint in the web deployment descriptor to restrict certain URLs." -> so I have to use a security constraint, but not to restrict certain URLs.
I have two questions connected with it; maybe someone could help me with them:

1: I tried securing a web service in an analogous way - in the same application as the first example I made a @Stateless class with the @WebService annotation and a method with the @RolesAllowed annotation, but it doesn't work - I can view the WSDL without user login and I can't invoke the web service method. When I try, I get:
JACC Policy Provider: Failed Permission Check, context(Naukaweb/Naukaweb_internal)- permission(("javax.security.jacc.EJBMethodPermission" "NewWebService" "hello,ServiceEndpoint,java.lang.String"))

2: I'm not sure when I have to use the @DeclaresRoles annotation.

Re: About Question enthuware.ocejws.v6.2.226 :

Posted: Tue Jun 12, 2018 2:36 pm
by fjwalraven
I can view the WSDL without user login and I can't invoke the web service method
This means that your user doesn't have the correct role.
2: I'm not sure when I have to use the @DeclaresRoles annotation.
The @DeclareRoles annotation is used to declare the security role names used in the enterprise bean code. The deployment descriptor equivalent is the <security-role> element.

You might want to go through my EJB notes (security part):
https://coderanch.com/wiki/659897/OCEEJBD-Links

Regards,
Frits

Re: About Question enthuware.ocejws.v6.2.226 :

Posted: Wed Jun 13, 2018 12:09 pm
by witek_m
1. I checked my login user by using injected WebServiceContext: WebServiceContext.getUserPrincipal().getName() -> ANONYMOUS
2. I see, thank you.

Re: About Question enthuware.ocejws.v6.2.226 :

Posted: Wed Jun 13, 2018 1:21 pm
by fjwalraven
I checked my login user by using the injected WebServiceContext: WebServiceContext.getUserPrincipal().getName() -> ANONYMOUS
This indicates that the user is not authenticated. Try creating a simple JSP with a login page, enforce authentication, and invoke the Webservice from the Servlet that is behind the login page. You will see that the credentials are propagated from the Servlet-container to the EJB-container.
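As an added example of the propagation Frits describes (written for this edit, not code from the original posts or from Enthuware), here is a servlet placed behind a security constraint that calls a stateless bean guarded by @RolesAllowed. It assumes the "witek" role, a <login-config> with BASIC authentication in web.xml as in the earlier post, the user-to-group mapping in glassfish-web.xml, and a plain session bean rather than a @WebService endpoint; the class and URL names are invented.

```java
// --- File: GreetingBean.java ---
import java.security.Principal;
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// The EJB container only authorizes; it never authenticates. If nothing upstream
// authenticated the caller, the principal is ANONYMOUS, the role check fails and
// the container raises javax.ejb.AccessLocalException ("Client not authorized for
// this invocation"), which is the symptom reported earlier in this thread.
@Stateless
public class GreetingBean {
    @Resource
    private SessionContext ctx;

    @RolesAllowed("witek")
    public String hello() {
        Principal caller = ctx.getCallerPrincipal(); // the propagated web identity
        return "hello " + caller.getName();
    }
}

// --- File: SecureHelloServlet.java ---
import java.io.IOException;
import java.security.Principal;
import javax.ejb.EJB;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Authentication happens in the web container. @ServletSecurity is the annotation
// form of <security-constraint>: the container challenges the client (BASIC, per the
// <login-config> that web.xml must still contain) before doGet() runs, and the
// authenticated principal is carried across into the EJB call below.
@WebServlet("/secure/hello")
@ServletSecurity(@HttpConstraint(rolesAllowed = "witek"))
public class SecureHelloServlet extends HttpServlet {
    @EJB
    private GreetingBean bean;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Principal web = req.getUserPrincipal(); // non-null here: the constraint forced a login
        resp.setContentType("text/plain");
        resp.getWriter().println("web principal: " + web.getName());
        resp.getWriter().println("ejb says: " + bean.hello()); // same identity inside the EJB
    }
}
```

Requesting /secure/hello without credentials yields a 401 challenge from the web container; with a user mapped to the "witek" group, both lines print the same user name, which is the propagation Frits refers to. Removing @ServletSecurity (or the equivalent <security-constraint>) makes the request reach doGet() as an anonymous caller, and the bean.hello() call then fails with AccessLocalException, because the EJB annotation cannot trigger a login on its own.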

Re: About Question enthuware.ocejws.v6.2.226 :

Posted: Mon Feb 25, 2019 2:58 am
by NellieCunningham
Thank you for sharing the information and your experience, guys. It was very helpful for understanding many other things rather than just our own issues.