axis-java-user mailing list archives

Subject RE: Session full web service with ejb provider and JAAS security
Date Fri, 10 May 2002 15:06:33 GMT
I figured out the answers to my questions.
Let me reply to myself, just in case somebody else is interested.
1) The stateful bean stopped being maintained by the ejb container in the
following cases:
    - timing out in the ejb container. The ejb container, when the stateful
is not used for a while, can destroy the bean. I did not find any code in
the Axis EJBProvider to handle that correctly (axis-beta2).
    - if the ejb client object (the object created by the EJBProvider) is
explicitly calling remove, it will recycle the stateful bean. I did not see
any code in Axis to do this kind of cleanup if the Axis session times out.
I was actually wrong when saying that destroying the Call object will
recycle the stateful bean. When the Call object is destroyed (actually, it
is more when my java axis client program finishes), the axis session will
eventually time out (I guess) and the ejb client will disappear, but as I said
above, I did not see any code in Axis for a proper cleanup of the ejb
(remove should be called).
2) The problem has nothing to do with Axis. My ejb container is JBoss, and
their interpretation of the EJB spec is that a security exception is a
runtime exception and a runtime exception is destroying the stateful bean.
So after the first security exception, the stateful bean is gone, but axis
is still caching the ejb client object to this bean, so when I invoke a new
web service operation, I get some object not found type of exceptions. I
sent another post in the axis-dev list to find out if I have a way, from the
client, to remove the cached service object in a session scope service. No
answers yet.

-----Original Message-----
Sent: Friday, May 03, 2002 3:33 AM
Subject: Session full web service with ejb provider and JAAS security

I have been playing with axis beta1, jboss2.4.4 with tomcat4.0.1 bundled
together in order to create a web service with an ejb implementation.

It is working quite well. By doing a stateful ejb, I also played with the
request, session and application scope of the web service and the whole
chain is working fine. The stateful ejb is doing what it is supposed to do,
and with a session scope web service, axis is making sure that my ejb client
session is reused across requests.

I also managed to set up JAAS permissions on the ejb and to have the web
service client code log in in order to make a successful call.

I have actually two questions: 

1) Maybe this is due to my poor knowledge of ejb, but I read in a couple of
places that the stateful ejb will be maintained by the ejb container as long
as the client is not timing out (or explicitly calling remove). What does
this mean in the axis context? If I declare my web service with an
application scope, does it mean that my stateful bean will always be
maintained (as long as ejb container does not stop)? In the case of a
session scope, with a java client program to the web service, what does it
mean to time out and if it can time out, is it propagated to the ejb stateful
bean? Obviously, if the Call object that I am using to do the web service
calls is destroyed, the ejb stateful bean is recycled. But does it mean that
it will never be recycled as long as this object is alive?

2) The second question is actually more a problem than a question. When
setting JAAS security on the ejb implementation, if the web service client
code is getting a security exception, it seems that I cannot do any further
call to the web service. In the axis client code included below, I log in as
user1. user1 has the right to call getValue, but not setValue (those rights
are defined through JAAS permissions on the ejb implementation: some
<method-permission> in the ejb-jar.xml used to deploy the ejb). Calling
getValue is working ok. When calling setValue, I get an exception. So far,
so good. Trying to call getValue again, and I get some weird exceptions. Any



System.out.println ("user1");
Service service = new Service ();
Call call = (Call) service.createCall ();
call.setTargetEndpointAddress (new java.net.URL (END_POINT_URL));
call.setUsername ("user1");
call.setPassword ("user1");
call.setMaintainSession (true);
// user1 is allowed to call getValue
call.setOperationName (new QName ("Demo", "getValue"));
System.out.println (call.invoke (new Object []{}));
try {
   // user1 is not allowed to call setValue
   call.setOperationName (new QName ("Demo", "setValue"));
   call.invoke (new Object []{user + " value"});
} catch (Exception e) {
   System.out.println (e);
}
// same session, second getValue call
call.setOperationName (new QName ("Demo", "getValue"));
System.out.println (call.invoke (new Object []{}));

     [java] user1
     [java] getValue return
     [java] java.rmi.ServerException: Transaction rolled back; nested exception is:
     [java]     java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
     [java]     java.lang.SecurityException: Insufficient method permissions, principal=user1, method=setValue, requiredRoles=[role2], principalRoles=[role1, guest]
     [java] java.rmi.NoSuchObjectException: Could not activate; nested exception is:
H:\JBoss-2.4.4_Tomcat-4.0.1\jboss\db\sessions\Demo\1020409195143.ser (The system cannot find the file specified)

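An added illustration, not part of the original post and not Axis or JBoss code: a self-contained Java simulation of the failure described in this message, where an authorization failure discards the stateful bean while the session-scope service still holds a reference to it. `Container` and `SessionService` are hypothetical stand-ins; the sketch shows evicting the stale reference on `NoSuchObjectException` and calling remove when the session ends.

```java
import java.rmi.NoSuchObjectException;
import java.util.HashMap;
import java.util.Map;

public class StaleStubDemo {
    // Toy stand-in for the container: discards a stateful instance on a runtime exception.
    static class Container {
        private final Map<Integer, String> beans = new HashMap<>();
        private int nextId = 1;
        int create() { beans.put(nextId, "initial"); return nextId++; }
        void remove(int id) { beans.remove(id); }
        String getValue(int id) throws NoSuchObjectException {
            if (!beans.containsKey(id)) throw new NoSuchObjectException("Could not activate " + id);
            return beans.get(id);
        }
        void setValue(int id, String v, boolean allowed) throws NoSuchObjectException {
            if (!beans.containsKey(id)) throw new NoSuchObjectException("Could not activate " + id);
            if (!allowed) { beans.remove(id); throw new SecurityException("Insufficient method permissions"); }
            beans.put(id, v);
        }
        int live() { return beans.size(); }
    }

    // Hypothetical session-scope holder: caches one bean reference per web-service session.
    static class SessionService {
        private final Container c;
        private Integer cached;
        SessionService(Container c) { this.c = c; }
        private int ref() { if (cached == null) cached = c.create(); return cached; }
        String getValue() {
            try { return c.getValue(ref()); }
            catch (NoSuchObjectException stale) {      // bean is gone: drop the stale reference
                cached = null;
                try { return c.getValue(ref()); }      // retry once against a fresh bean
                catch (NoSuchObjectException e) { throw new IllegalStateException(e); }
            }
        }
        void setValue(String v, boolean allowed) throws NoSuchObjectException { c.setValue(ref(), v, allowed); }
        void onSessionTimeout() { if (cached != null) { c.remove(cached); cached = null; } }
    }

    public static void main(String[] args) throws Exception {
        Container c = new Container();
        SessionService s = new SessionService(c);
        System.out.println(s.getValue());              // creates and caches the bean
        try { s.setValue("x", false); } catch (SecurityException e) { System.out.println(e.getMessage()); }
        System.out.println(s.getValue());              // stale reference evicted, fresh bean used
        s.onSessionTimeout();                          // explicit remove, so nothing is left behind
        System.out.println("live beans: " + c.live());
    }
}
```

The fresh bean starts without the earlier conversational state, so a caller that depends on that state has to treat the eviction as the start of a new session.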