I have inherited a war file that uses Jetty. I want to disable the HTTP OPTIONS method.
I'm not familiar with the jetty server. Please help me in disabling HTTP methods in step
That's supported by the standard Servlet spec.
Edit the war's WEB-INF/web.xml and add a security constraint against the url-patterns on which the OPTIONS method should be rejected.
Example:
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">
    <!-- ... other configurations ... -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Restricted HTTP Methods</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
        </web-resource-collection>
        <auth-constraint />
    </security-constraint>
</web-app>
I'm learning JAX-RS using Jersey and deploying on JBoss EAP 6.3. I'm developing a test application that offers web services consumed by different clients. I correctly set up the basic authentication system based on roles and username/password (realm correctly configured and up and running). Everything works fine when my client application consumes the WS.
web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
    <display-name>testWS</display-name>
    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
    </welcome-file-list>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Realm</realm-name>
    </login-config>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Admin Pages</web-resource-name>
            <url-pattern>/test/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>role-admin</role-name>
        </auth-constraint>
    </security-constraint>
    <context-param>
        <param-name>resteasy.scan</param-name>
        <param-value>false</param-value>
    </context-param>
    <context-param>
        <param-name>resteasy.scan.providers</param-name>
        <param-value>false</param-value>
    </context-param>
    <context-param>
        <param-name>resteasy.scan.resources</param-name>
        <param-value>false</param-value>
    </context-param>
    <servlet>
        <description>Admin test</description>
        <servlet-name>Admin Servlet</servlet-name>
        <servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
        <init-param>
            <param-name>javax.ws.rs.Application</param-name>
            <param-value>com.test.webservice.utils.AuthPackageClasses</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>Admin Servlet</servlet-name>
        <url-pattern>/test/*</url-pattern>
    </servlet-mapping>
</web-app>
My second step is to consume the same web services from a web dashboard which requires a login form. My idea is to have a free WS to consume for the login that returns a token inside a Cookie in the response; the same token is stored in my database.
Other WS must be consumed by the web dashboard injecting the Cookie, and the server must validate the token stored in the Cookie.
How can I authenticate users coming from two different authentication systems?
Should I redesign my whole authentication system and set up a listener:
if there's a token in the Cookie -> validate the token
otherwise validate basic authentication
Is there a way to achieve this by configuring the web.xml?
What if I want to implement a third authentication system? My problem is having the same context-root and validating the caller in different ways.
I'm running the plantuml.war on a server using jetty-runner. I need to enable the Access-Control-Allow-Origin header for CORS, but the way I found to do this points to a web.xml or an override-web.xml, which I think are out of my control because I'm using a third-party web-app in jetty-runner. I can't see a way to set this up in jetty.xml.
Is there a way to enable the Access-Control-Allow-Origin header inside of jetty-runner?
Disclaimer: I got help with the details on this (not 100% my answer). I tested it only under Windows 7 and Windows 8 with Java 7.
In addition to jetty-runner.jar, one also needs jetty-servlets.jar.
Add a file override-web.xml as follows:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
    <filter>
        <filter-name>cross-origin</filter-name>
        <filter-class>org.eclipse.jetty.servlets.CrossOriginFilter</filter-class>
        <init-param>
            <param-name>allowedOrigins</param-name>
            <param-value>*</param-value>
        </init-param>
        <init-param>
            <param-name>allowedMethods</param-name>
            <param-value>GET,POST,OPTIONS,DELETE,PUT,HEAD</param-value>
        </init-param>
        <init-param>
            <param-name>allowedHeaders</param-name>
            <param-value>origin, content-type, accept, authorization</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>cross-origin</filter-name>
        <url-pattern>*</url-pattern>
    </filter-mapping>
</web-app>
Then make a jetty-web.xml context:
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
    <Set name="war">/</Set>
    <Set name="overrideDescriptor"><SystemProperty name="jetty.home" default="."/>/override-web.xml</Set>
</Configure>
Run PlantUML's server as follows:
java -jar jetty-runner.jar --config jetty.xml --jar jetty-servlets.jar plantuml.war jetty-web.xml
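Added example (not code from either answer above, nor from Jetty or PlantUML): a small Python audit run against a constructed web.xml that reports what each security-constraint of the kind shown in the first answer actually enforces (an empty auth-constraint denies the listed methods; no http-method means every method is covered) and flags any CrossOriginFilter declared with allowedOrigins set to "*", as the jetty-runner answer does.

```python
import xml.etree.ElementTree as ET
# Constructed sample descriptor (not any poster's real web.xml): the OPTIONS/TRACE
# deny rule from the first answer, a role-protected path, and a CrossOriginFilter
# declared the way the jetty-runner answer does.
SAMPLE_WEB_XML = """
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restricted HTTP Methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>OPTIONS</http-method><http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin Pages</web-resource-name><url-pattern>/test/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>role-admin</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <filter>
    <filter-name>cross-origin</filter-name>
    <filter-class>org.eclipse.jetty.servlets.CrossOriginFilter</filter-class>
    <init-param><param-name>allowedOrigins</param-name><param-value>*</param-value></init-param>
  </filter>
</web-app>
"""

def _texts(el, path):
    # Stripped text of every element matching path; {*} matches any namespace.
    return [(e.text or "").strip() for e in el.findall(path)]

def summarize_constraints(xml_text):
    """One dict per <security-constraint> stating what it actually enforces."""
    result = []
    for sc in ET.fromstring(xml_text).findall("{*}security-constraint"):
        coll = sc.find("{*}web-resource-collection")
        auth = sc.find("{*}auth-constraint")
        if auth is None:                 # no auth-constraint: any caller passes
            access = "any caller"
        else:                            # empty <auth-constraint/> denies everyone
            roles = _texts(auth, "{*}role-name")
            access = "denied" if not roles else "roles " + ",".join(roles)
        guarantee = sc.findtext("{*}user-data-constraint/{*}transport-guarantee")
        result.append({
            "patterns": _texts(coll, "{*}url-pattern"),
            "methods": _texts(coll, "{*}http-method") or ["ALL"],  # none listed = all
            "access": access,
            "transport": (guarantee or "NONE").strip(),
        })
    return result

def wildcard_cors_filters(xml_text):
    """Names of CrossOriginFilter declarations whose allowedOrigins is '*'."""
    names = []
    for flt in ET.fromstring(xml_text).findall("{*}filter"):
        if not (flt.findtext("{*}filter-class") or "").endswith("CrossOriginFilter"):
            continue
        params = {p.findtext("{*}param-name"): (p.findtext("{*}param-value") or "").strip()
                  for p in flt.findall("{*}init-param")}
        if params.get("allowedOrigins") == "*":
            names.append(flt.findtext("{*}filter-name"))
    return names
```

Point it at a deployed war's WEB-INF/web.xml (and any override-web.xml) to see the effective method and transport restrictions before trusting the deployment; the `{*}` wildcard requires Python 3.8 or later.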
I have a secure web service (message authentication over SSL) bundled in a war and I'm trying to use jdbcRealm to authenticate the user.
The jdbcRealm works fine with other ear apps but not for this .war.
Actually glassfish is still using the fileRealm despite the configuration done in the web.xml.
web.xml:
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
    <session-config>
        <session-timeout>30</session-timeout>
    </session-config>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Secure Area</web-resource-name>
            <url-pattern>/xoxoServer/secondWS/*</url-pattern>
            <http-method>POST</http-method>
        </web-resource-collection>
        <!--<auth-constraint>
            <role-name>EMPLOYEE</role-name>
        </auth-constraint>-->
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>my_realm</realm-name>
    </login-config>
</web-app>
In the console I get this:
FIN: [Web-Security] hasResource perm: (javax.security.jacc.WebResourcePermission /secondWS POST)
FIN: JMAC: UnsupportedCallback : javax.security.auth.callback.NameCallback
FIN: JMAC: In PasswordValidationCallback Processor
FIN: jmac login user [test] into realm: file using JAAS module: fileRealm
FIN: Login module initialized: class com.sun.enterprise.security.auth.login.FileLoginModule
FIN: JAAS authentication aborted.
INFO: SEC5046: Audit: Authentication refused for [test].
INFO: SEC1201: Login failed for user: test
How do I fix this?
Thanks.
PS: I'm using Glassfish 3.1.2.2 b5 with JDK 6.
I solved this by:
packaging the war into an ear
adding the realm in the glassfish-application.xml (in the ear)
I have quite a simple task to accomplish: I have to set up the security for web services (basic authentication with a user id and password hardcoded in WLES). I set up the web.xml (see code fragment below) but I'm having a tough time configuring WebLogic. I added the IdentityAssertionAuthenticator authentication provider, set it as Required, modified DefaultAuthenticator as Optional, went to the deployed application's security and set the role to "thisIsUser", and at some point it worked, but not anymore (I redeployed the war file and set the web service security the same way, but to no avail). I'd greatly appreciate all your help.
web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         id="PC3-WS" version="2.5">
    <display-name>PC3-WS</display-name>
    <session-config>
        <session-timeout>30</session-timeout>
    </session-config>
    <security-constraint>
        <display-name>SecurityConstraint</display-name>
        <web-resource-collection>
            <web-resource-name>PC3-WS</web-resource-name>
            <url-pattern>/PC3-WS</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>basicGroup</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <security-role>
        <role-name>basicGroup</role-name>
    </security-role>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>myrealm</realm-name>
    </login-config>
</web-app>
weblogic.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         id="PC3-WS" version="2.5">
    <display-name>PC3-WS</display-name>
    <session-config>
        <session-timeout>30</session-timeout>
    </session-config>
    <security-constraint>
        <display-name>SecurityConstraint</display-name>
        <web-resource-collection>
            <web-resource-name>PC3-WS</web-resource-name>
            <url-pattern>/PC3-WS</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>basicGroup</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <security-role>
        <role-name>basicGroup</role-name>
    </security-role>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>myrealm</realm-name>
    </login-config>
</web-app>
The list of authenticators:
DefaultAuthenticator
DefaultIdentityAssert
Now I have this exception:
WS spec-version:2.5], request: weblogic.servlet.internal.ServletRequestImpl#23e1aca[
GET /PC3-WS/MetadataService?WSDL HTTP/1.1
User-Agent: Java1.6.0_22
Accept: text/html, image/gif, image/jpeg, */*; q=.2
Connection: Keep-Alive
]] Root cause of ServletException.
java.lang.NullPointerException
at weblogic.wsee.jaxws.JAXWSDeployedServlet.init(JAXWSDeployedServlet.java:45)
at javax.servlet.GenericServlet.init(GenericServlet.java:241)
at weblogic.servlet.internal.StubSecurityHelper$ServletInitAction.run(StubSecurityHelper.java:283)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
Truncated. see log file for complete stacktrace
java.lang.RuntimeException: weblogic.testclient.WsdlParseFailedException: Unable to parse WSDl at: http://192.168.1.3:7001/PC3-WS/MetadataService?WSDL
at weblogic.testclient.ConnectionState.createWsdl(ConnectionState.java:69)
at Controller.refreshWsdl(Controller.java:641)
at Controller.begin(Controller.java:451)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.beehive.netui.pageflow.FlowController.invokeActionMethod(FlowController.java:879)
at org.apache.beehive.netui.pageflow.FlowController.getActionMethodForward(FlowController.java:809)
at org.apache.beehive.netui.pageflow.FlowController.internalExecute(FlowController.java:478)
at org.apache.beehive.netui.pageflow.PageFlowController.internalExecute(PageFlowController.java:306)
at org.apache.beehive.netui.pageflow.FlowController.execute(FlowController.java:336)
at org.apache.beehive.netui.pageflow.internal.FlowControllerAction.execute(FlowControllerAction.java:52)
at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.access$201(PageFlowRequestProcessor.java:97)
at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor$ActionRunner.execute(PageFlowRequestProcessor.java:2044)
at org.apache.beehive.netui.pageflow.interceptor.action.internal.ActionInterceptors.wrapAction(ActionInterceptors.java:91)
at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processActionPerform(PageFlowRequestProcessor.java:2116)
at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processInternal(PageFlowRequestProcessor.java:556)
at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.process(PageFlowRequestProcessor.java:853)
at org.apache.beehive.netui.pageflow.AutoRegisterActionServlet.process(AutoRegisterActionServlet.java:631)
at org.apache.beehive.netui.pageflow.PageFlowActionServlet.process(PageFlowActionServlet.java:158)
at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:183)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.doIt(WebAppServletContext.java:3683)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3650)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2268)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2174)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1446)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
Caused by: weblogic.testclient.WsdlParseFailedException: Unable to parse WSDl at: http://192.168.1.3:7001/PC3-WS/MetadataService?WSDL
at weblogic.testclient.ConnectionState.createWsdlFromHttpUrl(ConnectionState.java:199)
at weblogic.testclient.ConnectionState.createWsdl(ConnectionState.java:60)
... 38 more
This is the way to secure a Web Service with basic HTTP auth in WLES 10.3.3.
In the WLES Admin Console go to Security Realm --> MyRealm and create:
New user: user/12345678
New group: basicGroup
Add the user to the group
In web.xml add the security settings (path, basic type):
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         id="PC3-WS" version="2.5">
    <display-name>PC3-WS</display-name>
    <session-config>
        <session-timeout>30</session-timeout>
    </session-config>
    <security-constraint>
        <display-name>SecurityConstraint</display-name>
        <web-resource-collection>
            <web-resource-name>PC3-WS</web-resource-name>
            <url-pattern>/PC3-WS</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>basicGroup</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <security-role>
        <role-name>Authenticated</role-name>
    </security-role>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>myrealm</realm-name>
    </login-config>
</web-app>
In weblogic.xml map the application role with server role (it is mandatory):
<?xml version="1.0" encoding="UTF-8"?>
<wls:weblogic-web-app
    xmlns:wls="http://xmlns.oracle.com/weblogic/weblogic-web-app"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd http://xmlns.oracle.com/weblogic/weblogic-web-app http://xmlns.oracle.com/weblogic/weblogic-web-app/1.1/weblogic-web-app.xsd">
    <wls:weblogic-version>10.3.3</wls:weblogic-version>
    <wls:context-root>PC3-WS</wls:context-root>
    <wls:security-role-assignment>
        <wls:role-name>Authenticated</wls:role-name>
        <wls:principal-name>users</wls:principal-name>
    </wls:security-role-assignment>
</wls:weblogic-web-app>
Build and deploy application.
Restart WLES.
You can test with SoapUI, passing the userId and password in the lower section called "Authentication and Security-related settings".
Go to File-->Preferences and in "HTTP Settings" check "Authenticate Preemptively".
Now you can run your web services from SoapUI.
Can you provide the complete web.xml and weblogic.xml files?
Why do you have to configure IdentityAssertionAuthenticator if you are just doing BASIC authentication?
Also, can you provide what authenticators you have in Summary of Servers > myrealm > Providers (from the console)?
Finally, you can enable the debug flags to trace whether authentication is getting triggered.
On the console navigate to
Summary of Servers > %your_server% > Debug
expand weblogic > security and enable
DebugSecurity
atn > DebugSecurityAtn
Just ensure you have the logs in DEBUG mode. Test the app and have a look at the server log; it should provide details on what's happening.
I need to create a WS with Spring 3.0.4.RELEASE to run in Tomcat with Axis2. I'm following this doc: http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/html/remoting.html#remoting-web-services-jaxws-export-ri (if that paragraph can be called a "doc")
Ok, here are the details:
The java class:
package foo;

import javax.jws.WebMethod;
import javax.jws.WebService;

// JAX-WS annotations; the service is exported by WSSpringServlet, see spring-ws.xml below
@WebService(serviceName = "MyService")
public class MyService {
    @WebMethod
    public String getString() {
        return "Hello StackOverflow";
    }
}
The WEB-INF/spring-ws.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ws="http://jax-ws.dev.java.net/spring/core"
       xmlns:wss="http://jax-ws.dev.java.net/spring/servlet"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://jax-ws.dev.java.net/spring/core https://jax-ws.dev.java.net/spring/core.xsd
                           http://jax-ws.dev.java.net/spring/servlet https://jax-ws.dev.java.net/spring/servlet.xsd">
    <wss:binding url="/myService" service="#myService" />
    <ws:service id="myService"
                impl="foo.MyService" />
</beans>
The WEB-INF/web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app id="myService" version="2.4"
         xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
    <display-name>my Service</display-name>
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/spring-ws.xml</param-value>
    </context-param>
    <!-- this is for Spring -->
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <!-- these are for JAX-WS -->
    <servlet>
        <servlet-name>jaxws-servlet</servlet-name>
        <servlet-class>com.sun.xml.ws.transport.http.servlet.WSSpringServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>jaxws-servlet</servlet-name>
        <url-pattern>/myService</url-pattern>
    </servlet-mapping>
</web-app>
And last, but not least, the error when I start Tomcat 6.0.29:
Context initialization failed
org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: Unable to locate Spring NamespaceHandler for XML schema namespace [http://jax-ws.dev.java.net/spring/servlet]
Offending resource: ServletContext resource [/WEB-INF/spring-ws.xml]
Does anyone have any clue what is happening? Is all the configuration correct? Does anyone have a simple (working) WS to show how to deploy a WS using Spring?
Thanks in advance.
I also experienced this issue a while back and figured out the problem is with the "https://". Change it back to http:// and you should be good to go. But when you use http:// you get a schema validation error in Eclipse because Eclipse can't automatically redirect the schema URL from http:// to https://. And apparently NetBeans is capable of it.
One more thing. You'll have to have xbeans-spring as well. I honestly think that's a pretty stupid dependency.