Posted to dev@geronimo.apache.org by "David Jencks (JIRA)" <ji...@apache.org> on 2009/07/10 09:51:15 UTC

[jira] Created: (GERONIMO-4738) csf ejb ws report authorization failures as 500 internal server error

csf ejb ws report authorization failures as 500 internal server error
---------------------------------------------------------------------

                 Key: GERONIMO-4738
                 URL: https://issues.apache.org/jira/browse/GERONIMO-4738
             Project: Geronimo
          Issue Type: Bug
      Security Level: public (Regular issues)
          Components: webservices
    Affects Versions: 2.2
            Reporter: David Jencks


If you secure an EJB web service with EJB security constraints, CXF reports authorization failures as 500 internal server error and doesn't log much that is useful. Axis2 logs the auth failure and IIRC reports 401 or 403.

I think this can be reproduced by removing the ejb-jar.xml security constraints from testsuite/webservices-testsuite/jaxws-tests/jaxws-ejb-sec/src/main/resources/META-INF/ejb-jar.xml

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Closed: (GERONIMO-4738) ejb ws report authorization failures as 500 internal server error

Posted by "viola.lu (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-4738?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

viola.lu closed GERONIMO-4738.
------------------------------


This exception is a known issue noted in JIRA: https://issues.apache.org/jira/browse/GERONIMO-5011. It doesn't affect deployment, and the deployed EJB web service can be accessed: submitting SOAP requests with the Membrane web service tool (http://www.membrane-soa.org/) works with no problem, so closing it.

> ejb ws report authorization failures as 500 internal server error
> -----------------------------------------------------------------
>
>                 Key: GERONIMO-4738
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4738
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: webservices
>    Affects Versions: 2.2
>            Reporter: David Jencks
>            Assignee: Delos Dai
>             Fix For: 2.2.1
>
>
> If you secure an EJB web service with EJB security constraints, CXF reports authorization failures as 500 internal server error and doesn't log much that is useful. Axis2 logs the auth failure and IIRC reports 401 or 403.
> I think this can be reproduced by removing the ejb-jar.xml security constraints from testsuite/webservices-testsuite/jaxws-tests/jaxws-ejb-sec/src/main/resources/META-INF/ejb-jar.xml



[jira] Commented: (GERONIMO-4738) ejb ws report authorization failures as 500 internal server error

Posted by "viola.lu (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-4738?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12875448#action_12875448 ] 

viola.lu commented on GERONIMO-4738:
------------------------------------

Deployed the modified jaxws-ejb-sec jar successfully, but there are errors in the background console:
2010-06-04 12:13:19,000 ERROR [EjbModuleBuilder] JAXWSEJBModuleBuilderExtension.initContext() failed: Duplicate contextID registered! org.apache.geronimo.testsuite/jaxws-ejb-sec/2.2.1-SNAPSHOT/jar?EJBModule=org.apache.geronimo.testsuite/jaxws-ejb-sec/2.2.1-SNAPSHOT/jar,J2EEApplication=null,j2eeType=StatelessSessionBean,name=BeanBasic
org.apache.geronimo.common.DeploymentException: Duplicate contextID registered! org.apache.geronimo.testsuite/jaxws-ejb-sec/2.2.1-SNAPSHOT/jar?EJBModule=org.apache.geronimo.testsuite/jaxws-ejb-sec/2.2.1-SNAPSHOT/jar,J2EEApplication=null,j2eeType=StatelessSessionBean,name=BeanBasic
	at org.apache.geronimo.j2ee.deployment.EARContext.addSecurityContext(EARContext.java:128)
	at org.apache.geronimo.jaxws.builder.JAXWSEJBModuleBuilderExtension.initContext(JAXWSEJBModuleBuilderExtension.java:167)
	at org.apache.geronimo.openejb.deployment.EjbModuleBuilder.initContext(EjbModuleBuilder.java:541)
	at org.apache.geronimo.j2ee.deployment.EARConfigBuilder.buildConfiguration(EARConfigBuilder.java:592)
	at org.apache.geronimo.deployment.Deployer.deploy(Deployer.java:257)
	at org.apache.geronimo.deployment.Deployer.deploy(Deployer.java:136)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:592)
	at org.apache.geronimo.gbean.runtime.ReflectionMethodInvoker.invoke(ReflectionMethodInvoker.java:34)
	at org.apache.geronimo.gbean.runtime.GBeanOperation.invoke(GBeanOperation.java:130)
	at org.apache.geronimo.gbean.runtime.GBeanInstance.invoke(GBeanInstance.java:851)
	at org.apache.geronimo.kernel.basic.BasicKernel.invoke(BasicKernel.java:237)
	at org.apache.geronimo.deployment.plugin.local.AbstractDeployCommand.doDeploy(AbstractDeployCommand.java:116)
	at org.apache.geronimo.deployment.plugin.local.DistributeCommand.run(DistributeCommand.java:61)
	at java.lang.Thread.run(Thread.java:595)



[jira] Reopened: (GERONIMO-4738) ejb ws report authorization failures as 500 internal server error

Posted by "viola.lu (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-4738?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

viola.lu reopened GERONIMO-4738:
--------------------------------


After removing the following:
    <assembly-descriptor>
        <security-role>
            <role-name>admin</role-name>
        </security-role>
        <method-permission>
            <role-name>admin</role-name>
            <method>
                <ejb-name>BeanBasic</ejb-name>
                <method-name>greetMe</method-name>
            </method>
            <method>
                <ejb-name>BeanBasicAllowGet</ejb-name>
                <method-name>greetMe</method-name>
            </method>
        </method-permission>
        <method-permission>
            <unchecked/>
            <method>
                <ejb-name>BeanHttps</ejb-name>
                <method-name>greetMe</method-name>
            </method>
            <method>
                <ejb-name>BeanHttpsAllowGet</ejb-name>
                <method-name>greetMe</method-name>
            </method>
        </method-permission>
    </assembly-descriptor>
from $source\testsuite\webservices-testsuite\jaxws-tests\jaxws-ejb-sec\src\main\filtered-resources\META-INF\ejb-jar.xml,

there are still errors, so reopening it.



[jira] Updated: (GERONIMO-4738) ejb ws report authorization failures as 500 internal server error

Posted by "Shawn Jiang (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-4738?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Shawn Jiang updated GERONIMO-4738:
----------------------------------

    Fix Version/s: 2.2.1



[jira] Closed: (GERONIMO-4738) ejb ws report authorization failures as 500 internal server error

Posted by "viola.lu (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-4738?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

viola.lu closed GERONIMO-4738.
------------------------------

    Resolution: Fixed

Without ejb-jar.xml, jaxws-ejb-sec still runs well, so closing it.



[jira] Updated: (GERONIMO-4738) cxf ejb ws report authorization failures as 500 internal server error

Posted by "Jarek Gawor (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-4738?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jarek Gawor updated GERONIMO-4738:
----------------------------------

    Summary: cxf ejb ws report authorization failures as 500 internal server error  (was: csf ejb ws report authorization failures as 500 internal server error)



[jira] Updated: (GERONIMO-4738) ejb ws report authorization failures as 500 internal server error

Posted by "Jarek Gawor (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-4738?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jarek Gawor updated GERONIMO-4738:
----------------------------------

    Summary: ejb ws report authorization failures as 500 internal server error  (was: cxf ejb ws report authorization failures as 500 internal server error)

EJB authorization failures are reported as 500 errors with CXF and Axis2. 




[jira] Resolved: (GERONIMO-4738) ejb ws report authorization failures as 500 internal server error

Posted by "Delos Dai (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-4738?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Delos Dai resolved GERONIMO-4738.
---------------------------------

    Resolution: Fixed

As David said, if a security problem happens, it's better to return HTTP 403 instead of 500.

The fix is in revision #950429. It covers two cases.
1) If transport-guarantee is not NONE, accessing the web service using HTTP will cause a 403. This is the same behavior as in G 2.1.5.
2) If any security problem happens while accessing the web service, the client will also get an HTTP 403 status and a detailed error message.

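The two cases listed in the resolution above, sketched as an added example; this is not the code from revision #950429 and uses no Geronimo, CXF or Axis2 API. The names `SecurityStatusMapper`, `Outcome`, `checkTransport` and `mapFailure` are hypothetical, and treating `SecurityException` and `javax.ejb.EJBAccessException` as the container's denial signals is an assumption.

```java
import java.util.Optional;

/** Added example: choose the HTTP status for a refused or failed web-service call. */
public final class SecurityStatusMapper {

    /** The transport-guarantee values a deployment descriptor can declare. */
    enum TransportGuarantee { NONE, INTEGRAL, CONFIDENTIAL }

    /** HTTP status plus the message returned to the client. */
    record Outcome(int status, String message) {}

    /** Case 1: an endpoint with a transport guarantee is refused over plain HTTP. */
    static Optional<Outcome> checkTransport(TransportGuarantee tg, boolean secureChannel) {
        if (tg != TransportGuarantee.NONE && !secureChannel) {
            return Optional.of(new Outcome(403, "transport-guarantee " + tg + " requires HTTPS"));
        }
        return Optional.empty();
    }

    /** Case 2: walk the cause chain so a wrapped denial is not reported as a 500. */
    static Outcome mapFailure(Throwable failure) {
        Throwable t = failure;
        // The depth cap guards against a cyclic cause chain.
        for (int depth = 0; t != null && depth < 16; depth++, t = t.getCause()) {
            if (isSecurityFailure(t)) {
                return new Outcome(403, "Access denied: " + t.getMessage());
            }
        }
        // Anything else stays a 500, with no internal detail sent to the client.
        return new Outcome(500, "Internal server error");
    }

    /** Assumption: denial surfaces as SecurityException or javax.ejb.EJBAccessException. */
    static boolean isSecurityFailure(Throwable t) {
        // Matched by name so the example compiles without the EJB API jar.
        return t instanceof SecurityException
            || t.getClass().getName().equals("javax.ejb.EJBAccessException");
    }

    public static void main(String[] args) {
        // Constructed inputs: a denial wrapped twice, and an unrelated failure.
        Throwable wrapped = new RuntimeException("invocation failed",
            new IllegalStateException("fault",
                new SecurityException("caller not in role admin")));
        System.out.println(mapFailure(wrapped));
        System.out.println(mapFailure(new NullPointerException("bug")));
        System.out.println(checkTransport(TransportGuarantee.CONFIDENTIAL, false));
        System.out.println(checkTransport(TransportGuarantee.NONE, false));
    }
}
```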


[jira] Assigned: (GERONIMO-4738) ejb ws report authorization failures as 500 internal server error

Posted by "Delos Dai (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-4738?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Delos Dai reassigned GERONIMO-4738:
-----------------------------------

    Assignee: Delos Dai
