axis-java-user mailing list archives

Subject Session full web service with ejb provider and JAAS security
Date Fri, 03 May 2002 07:32:51 GMT

I have been playing with axis beta1, jboss2.4.4 with tomcat4.0.1 bundled
together in order to create a web service with an ejb implementation.
It is working quite well. By doing a stateful ejb, I also played with the
request, session and application scope of the web service and the whole
chain is working fine. The stateful ejb is doing what it is supposed to do,
and with a session scope web service, axis is making sure that my ejb client
session is reused across requests.
I also managed to set up JAAS permissions on the ejb and to have the web
service client code log in in order to make a successful call.
I have actually two questions:

1) Maybe this is due to my poor knowledge of ejb, but I read in a couple of
places that the stateful ejb will be maintained by the ejb container as long
as the client is not timing out (or explicitly calling remove). What does
this mean in the axis context? If I declare my web service with an
application scope, does it mean that my stateful bean will always be
maintained (as long as ejb container does not stop)? In the case of a
session scope, with a java client program to the web service, what does it
mean to timeout and if it can timeout, is it propagated to the ejb stateful
bean? Obviously, if the Call object that I am using to do the web service
calls is destroyed, the ejb stateful bean is recycled. But does it mean that
it will never be recycled as long as this object is alive?

2) The second question is actually more a problem than a question. When
setting JAAS security on the ejb implementation, if the web service client
code is getting a security exception, it seems that I cannot make any further
calls to the web service. In the axis client code included below, I log in as
user1. user1 has the right to call getValue, but not setValue (those rights
are defined through JAAS permissions on the ejb implementation: some
<method-permission> in the ejb-jar.xml used to deploy the ejb). Calling
getValue is working ok. When calling setValue, I get an exception. So far,
so good. Trying to call getValue again, and I get some weird exceptions. Any



// Log in as user1 (role1): allowed to call getValue but not setValue.
System.out.println ("user1");
Service service = new Service ();
Call call = (Call) service.createCall ();
call.setTargetEndpointAddress (new java.net.URL (END_POINT_URL));
call.setUsername ("user1");
call.setPassword ("user1");
// Reuse the same session (and stateful ejb) across requests.
call.setMaintainSession (true);
call.setOperationName (new QName ("Demo", "getValue"));
System.out.println (call.invoke (new Object []{}));
try {
   call.setOperationName (new QName ("Demo", "setValue"));
   call.invoke (new Object []{user + " value"});
} catch (Exception e) {
   // Expected: user1 lacks the role required for setValue.
   System.out.println (e);
}
// This second getValue call is the one that fails.
call.setOperationName (new QName ("Demo", "getValue"));
System.out.println (call.invoke (new Object []{}));

     [java] user1
     [java] getValue return
     [java] java.rmi.ServerException: Transaction rolled back; nested exception is:
     [java]     java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
     [java]     java.lang.SecurityException: Insufficient method permissions, principal=user1, method=setValue, requiredRoles=[role2], principalRoles=[role1, guest]
     [java] java.rmi.NoSuchObjectException: Could not activate; nested exception is:
H:\JBoss-2.4.4_Tomcat-4.0.1\jboss\db\sessions\Demo\1020409195143.ser (The system cannot find the file specified)
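
An ejb-jar.xml fragment matching the `<method-permission>` setup described in the message, added here as an illustration; it is not part of the original post or the poster's deployment descriptor. The ejb-name `Demo`, the `create` entry and the exact role-to-method mapping are assumptions inferred from the client code and the exception text.

```xml
<!-- Added illustration: ejb-name "Demo" and the role mapping are assumed
     from the client code and the SecurityException text in the message. -->
<assembly-descriptor>
  <security-role>
    <role-name>role1</role-name>
  </security-role>
  <security-role>
    <role-name>role2</role-name>
  </security-role>

  <!-- role1 (held by user1) may create the bean and read the value. -->
  <method-permission>
    <role-name>role1</role-name>
    <method>
      <ejb-name>Demo</ejb-name>
      <method-intf>Home</method-intf>
      <method-name>create</method-name>
    </method>
    <method>
      <ejb-name>Demo</ejb-name>
      <method-intf>Remote</method-intf>
      <method-name>getValue</method-name>
    </method>
  </method-permission>

  <!-- Only role2 may write. user1 has [role1, guest], so the container
       rejects setValue with "Insufficient method permissions". -->
  <method-permission>
    <role-name>role2</role-name>
    <method>
      <ejb-name>Demo</ejb-name>
      <method-intf>Remote</method-intf>
      <method-name>setValue</method-name>
    </method>
  </method-permission>
</assembly-descriptor>
```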
