  1. WildFly
  2. WFLY-4289

Authentication bug on one-way JAX-WS methods

      1. Create WSDL file with both two-way and one-way operations
      2. Generate artifacts with jax-ws maven plugin
      3. Implement porttype interface in stateless @WebService EJB
      4. Declare @RolesAllowed on whole service or on methods

      It has also been confirmed by another user in the forum that creating a web service with the Java-to-WSDL approach and setting the @OneWay annotation on a method is another way to reproduce the problem.


      1. For two-way methods basic authentication and authorization work fine. The user is authenticated with the LDAP module and gets the proper role that authorizes invocation. It works just fine. By two-way method I mean a method with input and output messages defined in the WSDL.
      2. For one-way methods (return type void) the user is not authenticated properly. This results in denial of method invocation.
      3. When I remove the @RolesAllowed declaration I can see that for two-way methods authentication is correct (the principal is set to the logged-in user), but for one-way it's not - I get "anonymous" as principal.
      4. When I change the one-way method to have input and output messages defined in the WSDL and update the implementation accordingly, it surprisingly starts to work as expected.

      It's quite a serious issue, because currently there's no way to have authorized access to one-way web service methods.

              rhn-engineering-ema Jim Ma
              jakubgrabowski Jakub Grabowski (Inactive)
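A minimal endpoint for the Java-to-WSDL variant of the reproduction described above, added here as an example; it is not code from the original report or from WildFly. The class, package, role, context root and security-domain names are placeholders, and the standard annotation is spelled `javax.jws.Oneway`. Deployed with a security domain that authenticates the caller, it logs the caller principal on both paths so the two-way and one-way results can be compared in the server log.

```java
package example.wfly4289; // hypothetical package name

import java.util.logging.Logger;

import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.jws.Oneway;
import javax.jws.WebMethod;
import javax.jws.WebService;

import org.jboss.ejb3.annotation.SecurityDomain;
import org.jboss.ws.api.annotation.WebContext;

@Stateless
@WebService(serviceName = "PrincipalProbeService")
@WebContext(contextRoot = "/probe", urlPattern = "/PrincipalProbe", authMethod = "BASIC")
@SecurityDomain("example-ldap-domain") // placeholder: use the domain configured on the server
@RolesAllowed("ws-user")               // placeholder role; declared on the whole service
public class PrincipalProbe {

    private static final Logger LOG = Logger.getLogger(PrincipalProbe.class.getName());

    @Resource
    private SessionContext ctx;

    // Two-way operation: input and output message.
    // The report states the authenticated user shows up here.
    @WebMethod
    public String twoWay(String payload) {
        String caller = ctx.getCallerPrincipal().getName();
        LOG.info("twoWay caller=" + caller);
        return caller;
    }

    // One-way operation: input message only, return type void.
    // Per the report, with @RolesAllowed in place this invocation is denied;
    // with the annotation removed the body runs and logs "anonymous".
    @WebMethod
    @Oneway
    public void oneWay(String payload) {
        LOG.info("oneWay caller=" + ctx.getCallerPrincipal().getName());
    }
}
```

Calling both operations with the same Basic credentials and comparing the two log lines also works as a regression check after upgrading: both should report the same principal.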