JBoss Enterprise Application Platform 6 / JBPAPP6-1597

Investigate different error messages when one or several roles are used on endpoint and unauthorized user tries to access it


    • Type: Task
    • Status: Closed
    • Priority: Major
    • Resolution: Migrated to another ITS
    • Affects Version/s: None
    • Fix Version/s: TBD EAP 6
    • Component/s: Web Services


      <rsvoboda> ropalka, ping ... I changed endpoint - just @RolesAllowed("Role1") on class level and no annotation on method level + only 4 first tests executed .. I received different error message for unauthorized user (accessHelloWithUnauthorizedUser) – 403: Forbidden – is it expected?
      <ropalka> rsvoboda, Yes
      <ropalka> rsvoboda, I noticed that different behavior in the past too.
      <rsvoboda> ropalka, can you give me some hint why? EJBs are not involved?
      <rsvoboda> ropalka, 403 Forbidden is thrown from cxf
      <rsvoboda> ropalka, Caused by: org.apache.cxf.transport.http.HTTPException:
      <ropalka> rsvoboda, there's no server stack trace, right?
      <rsvoboda> ropalka, http://fpaste.org/OtbZ/
      <ropalka> rsvoboda, yes, this is client side stack trace
      <ropalka> rsvoboda, my observation is the following
      <rsvoboda> ropalka, I realized but I can't locate server log
      <ropalka> rsvoboda, there's no exception on server side
      <ropalka> rsvoboda, my observation is the following
      <ropalka> rsvoboda, all the roles available on the endpoint are declared in on-the-fly generated web.xml
      <ropalka> rsvoboda, my observation is if there's only one role declared in such web.xml
      <ropalka> rsvoboda, web layer blocks you and throws 403
      <ropalka> rsvoboda, if there are multiple roles in web.xml
      <ropalka> rsvoboda, web layer doesn't block you and ejb layer is accessed
      <ropalka> rsvoboda, it might be good to investigate why web layer behaves this way?
      <rsvoboda> ropalka, it's tricky
      <ropalka> rsvoboda, our auth-constraint is always the star string, i.e. *
      <ropalka> rsvoboda, I mean in on-the-fly generated web.xml
      <ropalka> rsvoboda, the only difference is count for roles declared in web.xml
      <rsvoboda> ropalka, is there any way to see all on-the-fly generated files ?
      <ropalka> rsvoboda, no
      <ropalka> rsvoboda, you can turn on org.jboss.as.webservices loggers in trace mode
      <ropalka> rsvoboda, but our loggers are not so verbose that you could catch all the info
      <ropalka> rsvoboda, if you wanna reconstruct the web.xml that is generated, the debugger will help you.
      <ropalka> rsvoboda, just put the breakpoints to all the methods defined in webservices/server-integration/src/main/java/org/jboss/as/webservices/tomcat/WebMetaDataCreator.java
      <ropalka> rsvoboda, to see what is generated ...
      <rsvoboda> ropalka, thanks for details, I'll create task for myself to investigate it
      <ropalka> rsvoboda, the most important method for you is createSecurityConstraints()
      <ropalka> rsvoboda, that would be great for me to know your investigation results. Please share afterwards

      It is related to the tests mentioned in JBPAPP-8545.
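      To make the "one role vs. several roles" difference from the chat concrete, the fragment below is an added, hand-written reconstruction of the kind of web.xml that JBossWS generates on the fly (it is not the real generated file, which the chat says cannot be dumped directly; the url-pattern, the realm name and the role names Role1/Role2 are assumptions for illustration). The security-relevant point is the Servlet 3.0 meaning of `<role-name>*</role-name>` inside `<auth-constraint>`: it is shorthand for "any role declared in `<security-role>` of this descriptor", so the set of users the web layer lets through is exactly the union of the declared roles, and adding a second declared role widens that set before the EJB-layer @RolesAllowed check ever runs. The page does not state which roles the test's unauthorized user holds, so the comments describe the spec semantics rather than claim the root cause.

```xml
<!-- Added example: illustrative reconstruction, NOT the descriptor JBossWS
     actually generates. Assumptions: one endpoint mapped at /hello, BASIC auth,
     realm name "JBossWS", roles Role1 and Role2. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HelloEndpoint</web-resource-name>
      <url-pattern>/hello</url-pattern>            <!-- assumed endpoint address -->
    </web-resource-collection>
    <auth-constraint>
      <!-- Servlet 3.0: "*" means every role listed in <security-role> below.
           The web layer accepts a caller who holds ANY of those roles and
           rejects everyone else with HTTP 403 before the endpoint is reached. -->
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Case 1 (chat: class-level @RolesAllowed("Role1"), nothing on methods):
       exactly one declared role, so "*" == {Role1}. A caller without Role1
       never gets past the web layer, hence the client-side 403 Forbidden. -->
  <security-role>
    <role-name>Role1</role-name>
  </security-role>

  <!-- Case 2 (chat: "multiple roles in web.xml"): annotations that name a second
       role add a second <security-role>, so "*" == {Role1, Role2}. Uncomment to
       model it: a caller holding Role2 now satisfies the web-layer constraint and
       the EJB-layer @RolesAllowed decision is what rejects (or admits) the call. -->
  <!--
  <security-role>
    <role-name>Role2</role-name>
  </security-role>
  -->

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>JBossWS</realm-name>               <!-- assumed -->
  </login-config>
</web-app>
```

      When reproducing, compare the two failure shapes: a web-layer rejection arrives as a bare HTTP 403 with no SOAP envelope and leaves no server-side stack trace, whereas an EJB-layer rejection comes back as a SOAP fault from the endpoint; that distinction is what the chat's accessHelloWithUnauthorizedUser test is seeing.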





              • Assignee: Rostislav Svoboda (rsvoboda)
              • Votes: 0
              • Watchers: 5

