3

I am long time Spring user, now had to switch to Java EE only. There are many things that just don't work as expected...

I have a CXF / SOAP service

@WebService( ... )
@SOAPBinding(parameterStyle = SOAPBinding.ParameterStyle.BARE)
public interface KlassePortType { ... 

    @WebMethod(...)
    @WebResult(...)
    public ListOutputType list(@WebParam(...)
            ListInputType request
        );
    ...
    }

an implementation:

@WebService(...)
public class KlasseImpl  implements KlassePortType { ...

    @Inject
    private KlasseService klasseService;

    @DeclaresRole
    @Override
    public ListOutputType list(ListInputType request) {
        return klasseService.list(request);
    }
}

and also a KlasseService which is a Stateless EJB:

@Stateless
public class KlasseService { ...

    @DeclaresRole
    public ListOutputType list(ListInputType listInputType) {
        METHOD LOGIC
    }
... 
}

The DeclaresRole annotation is specified as:

@Retention(value = RetentionPolicy.RUNTIME)
@Target({ ElementType.TYPE, ElementType.METHOD })
@Documented
@SecurityBindingType
public @interface DeclaresRole {
}

And has matching DeltaSpike authorizer:

@ApplicationScoped
public class CustomAuthorizer {...
    @Secures
    @DeclaresRole
    public boolean doSecuredCheck() throws Exception
    {
        SECURITY CHECK LOGIC
    }
...
}

my beans.xml looks folllowing:

<beans xmlns="http://xmlns.jcp.org/xml/ns/javaee"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                           http://xmlns.jcp.org/xml/ns/javaee/beans_1_1.xsd" bean-discovery-mode="all">
    <interceptors>
        <class>org.apache.deltaspike.security.impl.extension.SecurityInterceptor</class>
    </interceptors>
</beans>

The CutomAuthorizer code is never being called, when SOAP request is being handled, (put annotation on interface, implementation and even service - EJB). However, when the same annotation is being used for methods invoked from ie. JSF - everything works as expected.

I found some related question: Deltaspike and @Stateless Bean However reading this: Where to use EJB 3.1 and CDI? makes me think the EJB container should be aware of CDI interceptors etc. Also other, custom interceptors (@AroundInvoke) work for me, and the JSF reqests are being secured, as expected.

Am I missing something obvious, that will make PicketLink/Deltaspike usable in SOAP layer? As a alternative I may go with Spring Security + AspectJ pointcuts, as documented: http://forum.spring.io/forum/spring-projects/security/119811-method-security-java-ee-cdi but that just sounds like a lot of hassle....

PS. I am using WildFly 8.2 (on WF9 - same results)

Community
  • 1
  • 1
mszalinski
  • 41
  • 5
  • Your SOAP endpoint doesn't seem to have managed container annotations on it. Are you annotating it `@Stateless`? It would be the first thing I would try. WebService endpoints don't automatically become Stateless Session Beans. – John Ament Sep 04 '15 at 11:11
  • @JohnAment this results in deployment exception: JBAS017312: KlasseImpl has the wrong component type, it cannot be used as a web component, and seem to be incorrect in the JEE world. Anyway I suspect that this has to do with CXF internally using Spring for it's configuration, thus JEE beans are visible for CXF WebServices, however JEE beans (and DeltaSpike interceptor) does not see WebServices. https://developer.jboss.org/wiki/Jbossws-stackcxfUserGuide – mszalinski Sep 04 '15 at 15:33
  • That document is very old and way out of date (compared to what you're working with). You'll need to provide the full exception and update the question to reflect what you actually tried. – John Ament Sep 05 '15 at 00:24

1 Answers1

1

I sorted it out. beans.xml with DeltaSpike SecurityInterceptor must be present in the same module in which the annotation is being used. In my setup it was only in module that delivers security code. Also it only works on any EJB or CDI bean, except for @WebService (here CXF on WF8/9) - as suggested by @JohnAment I assume that SOAP endpoints are not automatically registered in EJB/CDI context, thus cannot be secured directly by this annotation.

Adding @Stateless to alredy present @WebService prevents application from being deployed:

JBAS017312: KlasseImpl has the wrong component type, it cannot be used as a web component

I believe anyway, that business logic should be separated from the SOAP (or any other) endpoint, thus I successfully use the annotation on injected into SOAP business service.

mszalinski
  • 41
  • 5