Uploaded image for project: 'JBoss Web Services'
  1. JBoss Web Services
  2. JBWS-309

Authorization Error using JBossWS together with JACC

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Critical Critical
    • jboss-ws4ee-4.0.3
    • jboss-ws4ee-4.0.2
    • jbossws-native
    • None

      We use JavaTM Authorization Contract for Containers (JACC) to plug in our right system. The role name "*" is used for generating the web.xml in JBossWS (more exactly in org.jboss.webservice.ServiceDeployerEJB) when An EJB is deployed together with a webservices.xml.

      The special role name ?? is a shorthand for all role names defined in the deployment descriptor. When not using JACC in JBoss this works fine but JACC is strict (and correct): a checked permission cannot be implied without an existing role, behind the "" there must be at least one existing role. So a request accessing a resource protected with the role "*" will never be successfully authorized when there exists no other role in the web.xml.

      As you know the security-constraint with included auth-constraint (=authorization) is needed because authentication is needed (authentication without authorization seems not to be a use case in the J2EE specification, take a look at http://jira.jboss.com/jira/browse/JBAS-1824)

      I see the following solutions:
      1.
      In the generated web.xml an additional role could be used to declare an additional role basing on a system property to make the users of JACC happy:
      e.g seeting jboss.ws.additional.security.role=ALLOW-ALL would result in adding
      <security-role>
      <role-name>ALLOW-ALL</role-name>
      </security-role>
      to the web.xml.

      2.
      Not using "*". Because it is not possible authenticate without defining a role, this role should be enlisted in jboss.xml.

      3.
      Extending the servlet specific to allow authentication without authorization.

              tdiesler@redhat.com Thomas Diesler
              wv-javacoder Roland Räz (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: