
Using wsse:Usernametoken for role-based authorization

10 replies [Last post]
Anonymous

Glassfish/Java EE newbie question.. Apologies in advance.

I'm trying to figure out if there is a straightforward way to use message-layer
credentials (i.e. wsse:UsernameToken from SOAP header) to perform
authorization in my Web-Service (role-based permissions on my service Web
Methods). In this case, the web service, which is deployed in the
EJB-container, might look something like this:

import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.jws.WebMethod;
import javax.jws.WebService;

@Stateless   // EJB-container endpoint, so container-managed @RolesAllowed applies
@WebService
public class Service {

    @WebMethod
    @RolesAllowed("abc")   // only callers mapped to role "abc" may invoke this
    public String helloWorld() {
        return "Hello World";
    }
}

Authenticating against the users in a realm seems pretty straightforward
with XWS, but I'm having difficulty getting the authorization part to work.
Am I barking up the wrong tree? I can get it to work just fine using HTTP
authentication, but would rather use the SOAP message so that I can have
well integrated message-layer and application-layer security. Is it
possible? practical?

Thank you,
Jon
--
View this message in context: http://www.nabble.com/Using-wsse%3AUsernametoken-for-role-based-authoriz...
Sent from the java.net - glassfish users mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@glassfish.dev.java.net
For additional commands, e-mail: users-help@glassfish.dev.java.net

Shing Wai Chan

Do you have the correct security-role-mapping in sun-application.xml
(for ear) or sun-web.xml (for standalone war) or sun-ejb-jar.xml (for
standalone jar).
What errors do you get?
Shing Wai Chan


jon_c

Okay, to partially answer my own question, I seem to see what is tripping me
up on this..

I had a file realm with 'user1' belonging to group 'group1'. In my
deployment descriptor, I had this:

abc
group1k

I was expecting sessionContext.getCallerPrincipal().getName() to give me
"user1", since that is what was in the username token of my SOAP message.
Instead it gives me "CN=user1". I'm assuming that this is why my
authorization was failing, since if I add

CN=user to my descriptor, it seems to work.
Can anybody tell me why this is? Or point me to an appropriate resource?

Thank you,


Shing Wai Chan

jon_c wrote:
> Okay, to partially answer my own question, I seem to see what is tripping me
> up on this..
>
> I had a file realm with 'user1' belonging to group 'group1'. In my
> deployment descriptor, I had this:
>
> abc
> group1k
>

>
> I was expecting sessionContext.getCallerPrincipal().getName() to give me
> "user1", since that is what was in the username token of my SOAP message.
> Instead it gives me "CN=user1". I'm assuming that this is why my
>
In message-layer-security, wsse:UsernameToken uses a different
convention in name token.
You need to have that "CN=" for all wsse principal names.
> authorization was failing, since if I add
>
> CN=user to my descriptor, it seems to work.
> Can anybody tell me why this is? Or point me to an appropriate resource?
>
> Thank you,
>

jon_c

Thanks for your reply, Shing.

Since, in my security realm (file), I cannot define a user with the name
"CN=jon", is there some way that I can still authorize my principal using
the file realm as my identity store without having to bloat my descriptor
with
CN=userX entries?


Shing Wai Chan

jon_c wrote:
> Thanks for your reply, Shing.
>
> Since, in my security realm (file), I cannot define a user with the name
> "CN=jon", is there some way that I can still authorize my principal using
>
One should not put "CN=" in the realm. It should be put in
security-role-mapping.
If we use the realm for an EJB application, then the
security-role-mapping should be without "CN=".
The "CN=" is only when we are using WSSE.
> the file realm as my identity store without having to bloat my descriptor
> with
> CN=userX entries?
>

jon_c

What I would really like to be able to do, and what I am struggling with, is
how I can use the groups defined in my file realm to authorize the wsse user
(is this possible?).

Even though 'user1' is a member of 'group1' in my file realm, this
security-role-mapping does not work:

abc
group1

I get this exception:
Client not authorized for invocation of public final java.lang.String
$Proxy75.sayHello() throws java.rmi.RemoteException

If possible, I don't want to have to define all of the principals in my
security-role-mapping with
.


Shing Wai Chan

There is a bug in WSSE side. The group info is missing.
We are looking into it now.
In the meantime, there are two ways to achieve the authorization:
1. add security-role-mapping for each principal-name
2. do not use WSSE, in this case, it will access the WS as an EJB

Thanks for checking this.
Regards,
Shing Wai Chan

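An added example of the first workaround above, written as the security-role-mapping in a standalone-jar sun-ejb-jar.xml. It is not from this thread or from GlassFish's own documentation; it reuses the names already in the thread (role abc, user user1, group group1, wsse principal name CN=user1) and assumes the GlassFish v2 / EJB 3.0 DTD, so check the DOCTYPE against the server version you deploy to.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed DOCTYPE for GlassFish v2 (EJB 3.0); verify against your server's DTD. -->
<!DOCTYPE sun-ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 9.0 EJB 3.0//EN"
  "http://www.sun.com/software/appserver/dtds/sun-ejb-jar_3_0-0.dtd">
<sun-ejb-jar>
  <!-- Role "abc" is the name used in @RolesAllowed("abc") on the bean. -->
  <security-role-mapping>
    <role-name>abc</role-name>

    <!-- Group-based mapping: this is what works for plain EJB / HTTP-authenticated
         callers, where the file realm supplies group1 for user1. For WSSE callers
         the thread reports this entry alone failing (GlassFish issue 2434: the
         group information is missing on the WSSE path). -->
    <group-name>group1</group-name>

    <!-- Workaround 1: map each WSSE principal explicitly. The "CN=" prefix is the
         wsse:UsernameToken principal-name convention noted above; the file realm
         entry itself stays "user1" with no prefix. One such line per WSSE user. -->
    <principal-name>CN=user1</principal-name>
  </security-role-mapping>

  <!-- Required by the DTD even when no per-bean settings are needed. -->
  <enterprise-beans/>
</sun-ejb-jar>
```

Keeping the group-name entry next to the per-principal entries means the same descriptor keeps working once the group bug is fixed and lets the explicit CN= lines be dropped then. Until that point every WSSE caller needs its own principal-name line, which is exactly the descriptor bloat the thread complains about, and each line is a standing grant that is not revoked by removing the user from group1 in the realm; review the list whenever a user is removed or changes role.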

jon_c

Once again, thank you very much.

Does anyone know if this bug is documented somewhere? I did a quick search
in the bug database but did not turn up anything.


Shing Wai Chan

jon_c wrote:
> Once again, thank you very much.
>
> Does anyone know if this bug is documented somewhere? I did a quick search
> in the bug database but did not turn up anything.
>
>
It is GlassFish issue 2434.

edward_d
Joined: 2007-03-05

Hi,

Is there any way to get this working now? or do we just have to wait for the issue to be resolved?
If it is a case of just changing the code could you possibly point me to a good starting point?

thanks,
Edward