Can I use the @RolesAllowed annotation on a JAX-WS web service, and if so, how?
I have a web service on GlassFish 3.1.1 using Basic Authentication, but the restrictions expressed with @RolesAllowed are ignored. Information about the role must be available, as I can access it as follows:

```java
@Resource
WebServiceContext wsContext;

if (wsContext.isUserInRole("READ")) {
    log.info("Role: READ");
}
```

I get the expected role, but all methods are still available, even if @RolesAllowed is set to another role. @DenyAll doesn't work either.
If these annotations are not supported, can deployment descriptors be used to control access to web service methods based on user roles?
Edit: This part of the Java EE 6 tutorial describes how to use the @RolesAllowed annotation. It reads:

    For Java EE components, you define security roles using the @DeclareRoles and @RolesAllowed metadata annotations.
Web services are not listed as Java EE components in the first part of the tutorial, so it seems that security annotations are not supported.
Edit 2: Following Izan's suggestion, I repeated the attempt. Here is what I did:

```java
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.jws.WebMethod;
import javax.jws.WebService;

@WebService
@DeclareRoles(value = {"READ", "UPDATE", "DELETE"})
public class ServiceImpl implements Service {

    @Override
    @WebMethod(operationName = "helloWorld")
    @RolesAllowed({"NONE"})
    public String helloWorld() throws Exception {
        return "Hello World!";
    }
}
```

With this setup, everyone can access the method, regardless of their roles. Users are authenticated (this can be seen in audit.log), but no authorization is performed. As stated above, I can access the role from WebServiceContext (in fact, I do manual authorization using this information).
Adding the @Stateless annotation lets me use security annotations. So @PermitAll works as expected. But using roles still does not work, as the user is no longer authenticated. They appear as ANONYMOUS in the audit log and are denied access.
My web.xml is as follows:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
    <display-name>OneMore</display-name>
    <security-constraint>
        <display-name>WebServiceSecurity</display-name>
        <web-resource-collection>
            <web-resource-name>Authorized users only</web-resource-name>
            <url-pattern>/service</url-pattern>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>READ</role-name>
            <role-name>UPDATE</role-name>
            <role-name>DELETE</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>
    <security-role>
        <role-name>READ</role-name>
    </security-role>
    <security-role>
        <role-name>UPDATE</role-name>
    </security-role>
    <security-role>
        <role-name>DELETE</role-name>
    </security-role>
</web-app>
```
glassfish-web.xml just maps role names to group names, for example:

```xml
<security-role-mapping>
    <role-name>READ</role-name>
    <group-name>READ</group-name>
</security-role-mapping>
```
Edit 3: Thanks to Izan, and countless attempts later, I finally got it to work.

As mentioned earlier, the key point was switching from a plain web service to an EJB web service by adding the @Stateless annotation. This allows you to use security annotations.

This change also requires changing the deployment descriptors. Whereas the original web service needed glassfish-web.xml to configure the roles, glassfish-ejb-jar.xml is now required.
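The following is an added example, not the poster's code, of the working configuration the post arrives at: a JAX-WS endpoint packaged as a stateless session bean so that the container, rather than hand-written checks, enforces the JSR-250 annotations. The package name, service and operation names, and the in-memory document store are assumptions made for the example; the roles READ, UPDATE and DELETE are the ones from the post.

```java
// Added example (not from the original post). A JAX-WS endpoint that is also an
// EJB, so GlassFish applies @DeclareRoles/@RolesAllowed to every web operation.
// The package, service name, operation names and sample data are assumptions.
package example.ws;

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.jws.WebMethod;
import javax.jws.WebParam;
import javax.jws.WebService;

@Stateless                                      // makes this an EJB endpoint: annotations are now enforced
@WebService(serviceName = "DocumentService")    // assumed service name
@DeclareRoles({"READ", "UPDATE", "DELETE"})
// Class-level default. An EJB business method without its own security annotation
// is otherwise unchecked (callable by anyone), so every method requires at least one
// declared role unless a method-level annotation narrows it further.
@RolesAllowed({"READ", "UPDATE", "DELETE"})
public class DocumentServiceImpl {

    @Resource
    private SessionContext ctx;

    // Constructed sample data so the operations have something observable to do.
    private static final Map<String, String> DOCUMENTS = new ConcurrentHashMap<String, String>();
    static {
        DOCUMENTS.put("doc-1", "Hello World!");
    }

    // Any authenticated caller holding one of the declared roles may read.
    @WebMethod(operationName = "readDocument")
    @RolesAllowed({"READ", "UPDATE", "DELETE"})
    public String readDocument(@WebParam(name = "id") String id) {
        return DOCUMENTS.get(id);
    }

    // Method-level annotation overrides the class-level default: UPDATE only.
    @WebMethod(operationName = "updateDocument")
    @RolesAllowed("UPDATE")
    public void updateDocument(@WebParam(name = "id") String id,
                               @WebParam(name = "content") String content) {
        DOCUMENTS.put(id, content);
    }

    // DELETE only; a caller with just READ gets an access exception from the container
    // before this body runs, which is the behaviour the post was missing.
    @WebMethod(operationName = "deleteDocument")
    @RolesAllowed("DELETE")
    public boolean deleteDocument(@WebParam(name = "id") String id) {
        return DOCUMENTS.remove(id) != null;
    }

    // The annotations decide whether an operation may be invoked at all. Decisions that
    // depend on the data still need a programmatic check; SessionContext is the EJB
    // counterpart of the WebServiceContext.isUserInRole() call shown in the post.
    @WebMethod(operationName = "whoAmI")
    public String whoAmI() {
        StringBuilder roles = new StringBuilder();
        for (String role : new String[] {"READ", "UPDATE", "DELETE"}) {
            if (ctx.isCallerInRole(role)) {
                roles.append(role).append(' ');
            }
        }
        return ctx.getCallerPrincipal().getName() + ": " + roles.toString().trim();
    }
}
```

Two deployment details decide whether this actually authorizes anyone. First, the role-to-group mapping for an EJB endpoint lives in glassfish-ejb-jar.xml, using the same `<security-role-mapping>` element the post shows for glassfish-web.xml, placed directly under the `<glassfish-ejb-jar>` root. Second, the `<url-pattern>` of the `<security-constraint>` in web.xml must match the address at which the container actually publishes the EJB endpoint (visible in the server log or admin console after deployment); if no constraint matches the request, the container never issues the BASIC challenge, the caller arrives as ANONYMOUS, and the class-level @RolesAllowed correctly rejects them.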