
@RolesAllowed has no effect on my RESTful Service


I'm having some trouble with setting up my secure REST-Service. I wanted to create a simple login/logout service and mess around with it.

I was following this tutorial: http://www.blog.btbw.pl/java/wildfly-9-login-form-simple-example/ I skipped the part with the login form and hardcoded the username and password into the service (login()).

It all worked fine until I wanted to use the annotation @RolesAllowed. So I created a new method (adminInfo()) with this annotation. But I came to the conclusion that the annotation made no difference. I was able to call it successfully without being logged in with the role "ADMIN".

Maybe one of you intelligent people out there knows what I did wrong and is able to help me. Sorry for my bad grammar, I'm not used to writing so much in English.

Thank you.

These are my files:

I'm using a simple Service which looks like this:

import javax.annotation.security.RolesAllowed;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.Response.Status;

// Class name and class-level path are assumed; the question shows only the
// methods. Note there is no @Stateless on this class: that is the state the
// question describes, in which @RolesAllowed has no effect.
@Path("/service")
public class LoginService {

    @Context
    private HttpServletRequest request;

    @GET
    @Path("/hello")
    public Response hello() {
        return Response.ok().entity("Hello, World!").build();
    }

    @GET
    @Path("/admin")            // was "/logout", which collided with logout() below
    @RolesAllowed("ADMIN")
    public Response adminInfo() {
        return Response.ok().entity("hello " + request.getUserPrincipal().getName()).build();
    }

    @POST
    @Path("/login")
    public Response login() {
        try {
            // Hardcoded credentials instead of the tutorial's login form
            request.login("admin", "admin");
            return Response.ok().entity("login successful").build();
        } catch (ServletException e) {
            return Response.status(Status.BAD_REQUEST).entity("login failed").build();
        }
    }

    @GET
    @Path("/logout")
    @RolesAllowed("ADMIN")
    public Response logout() {
        try {
            request.logout();
            return Response.ok().entity("logout successful").build();
        } catch (ServletException e) {
            return Response.status(Status.BAD_REQUEST).entity("logout failed").build();
        }
    }
}

My jboss-web.xml looks like this:

<jboss-web>
    <context-root>/</context-root>
    <security-domain>jaas-realm</security-domain>
</jboss-web>

And my web.xml looks as follows:

<web-app>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Authentication</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>ADMIN</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>jaas-realm</realm-name>
    </login-config>

    <security-role>
        <role-name>ADMIN</role-name>
    </security-role>
</web-app>

My Wildfly standalone.xml is configured like this:

<security-domain name="jaas-realm" cache-type="default">
    <authentication>
        <login-module name="login-module" code="Database" flag="required">
            <module-option name="dsJndiName" value="java:/datasource"/>
            <module-option name="principalsQuery" value="select password from users where username=?"/>
            <module-option name="rolesQuery" value="select rolename, 'Roles' from roles where username=?"/>
            <module-option name="hashAlgorithm" value="SHA-256"/>
            <module-option name="hashEncoding" value="base64"/>
            <module-option name="unauthenticatedIdentity" value="guest"/>
        </login-module>
    </authentication>
</security-domain>

Solution

  • I finally made it work. I had to add the annotation @Stateless to my Service. Thanks to a post that was made 5 years ago: JAX-WS webservice and @rolesAllowed

    I wasn't able to find the solution on Google, but 5 mins on Stack Overflow was all I needed :)
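The resource as it reads after the accepted fix, as an added example that is not the asker's code or the tutorial's. @RolesAllowed, @PermitAll and @DenyAll are javax.annotation.security annotations that WildFly enforces on EJB business methods, so making the JAX-RS resource a @Stateless session bean is what switches them on; on a plain JAX-RS class the container never looks at them, which is exactly the symptom in the question. The class name, the class-level path /service and the /admin path for adminInfo() are assumptions made here.

```java
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.Response.Status;

// Assumed class name and class-level path (not from the question).
@Stateless          // EJB: the container now enforces the security annotations
@Path("/service")
@DenyAll            // deny by default; each method must opt in explicitly
public class LoginService {

    @Context
    private HttpServletRequest request;

    @GET
    @Path("/hello")
    @PermitAll      // public endpoint
    public Response hello() {
        return Response.ok().entity("Hello, World!").build();
    }

    @GET
    @Path("/admin")             // assumed path; the question reused /logout here
    @RolesAllowed("ADMIN")      // caller without ADMIN is rejected before the body runs
    public Response adminInfo() {
        return Response.ok().entity("hello " + request.getUserPrincipal().getName()).build();
    }

    @POST
    @Path("/login")
    @PermitAll      // must be reachable by callers who are not logged in yet
    public Response login() {
        try {
            // Credentials stay hardcoded as in the question; a real service
            // would take them from the request body.
            request.login("admin", "admin");
            return Response.ok().entity("login successful").build();
        } catch (ServletException e) {
            // Do not echo e.getMessage(): it can reveal realm details.
            return Response.status(Status.UNAUTHORIZED).entity("login failed").build();
        }
    }

    @GET
    @Path("/logout")
    @RolesAllowed("ADMIN")
    public Response logout() {
        try {
            request.logout();
            return Response.ok().entity("logout successful").build();
        } catch (ServletException e) {
            return Response.status(Status.BAD_REQUEST).entity("logout failed").build();
        }
    }
}
```

Two things to check alongside this. First, the class-level @DenyAll means a method that is accidentally left unannotated fails closed instead of open, which is the safer default for a service whose whole point is access control. Second, the posted web.xml puts the url-pattern /* behind the ADMIN role with BASIC auth, so the servlet container will challenge every request, including /hello and /login, before the method-level annotations are ever consulted; if those two endpoints are meant to be anonymous, the security-constraint should be narrowed to the protected paths. If the bean should explicitly use the same security domain as the web tier, WildFly's @org.jboss.ejb3.annotation.SecurityDomain("jaas-realm") can be added on the class.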