Hey, I hope someone can help. I have tried for the last 2 days to figure out what I am doing wrong. I want a programmatic login to a JAX-RS API and to use @RolesAllowed annotations on my endpoints.
I log in fine and can see the principal set in the login endpoint; I also get a JSESSIONID. But when I call the /info/ping endpoint that is annotated with @RolesAllowed("USER") it throws UnauthenticatedException. If I remove the annotation then req.getUserPrincipal() is null, even though the cookie is set.
Any help would be appreciated.
I am using JBoss AS 7.
Setup as follows:
<security-domain name="api" cache-type="default">
    <!-- in the AS 7 security subsystem, login modules sit inside an authentication element -->
    <authentication>
        <login-module code="Database" flag="required">
            <module-option name="dsJndiName" value="java:jboss/datasources/MysqlDS"/>
            <module-option name="principalsQuery" value="select password from SiteUser where email=?"/>
            <module-option name="rolesQuery" value="select role, 'Roles' from user_roles where email=?"/>
            <module-option name="hashAlgorithm" value="MD5"/>
            <module-option name="hashEncoding" value="base64"/>
            <module-option name="unauthenticatedIdentity" value="GUEST"/>
            <!-- Login Prompt -->
        </login-module>
    </authentication>
</security-domain>
And the login code:
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.FormParam;
import javax.ws.rs.POST;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;

@POST // form parameters arrive in a POST body
public Response login(@FormParam("email") String email, @FormParam("password") String password,
                      @Context HttpServletRequest req) {
    String username = email;
    // only login if not already logged in...
    if (req.getUserPrincipal() == null) {
        try {
            req.login(username, password); // Servlet 3.0 programmatic login against the web app's security domain
        } catch (ServletException e) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
    } else {
        req.getServletContext().log("Skip login because already logged in: " + username);
    }
    req.getServletContext().log("Authentication Demo: successfully retrieved User Profile from DB for " + username);
    return Response.ok().build();
}
Finally, the security check:
@RolesAllowed("USER") // javax.annotation.security; the role name must match what rolesQuery returns
public String ping(@Context HttpServletRequest req) {
    return "{\"status\":\"ok\"}";
}
Principal in Servlet 3.0 is session scoped. Make sure the second request is mapped/using the same session (use the JSESSIONID).
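To check the point made in the answer from the client side, here is an added example (not from the question or the answer) that logs in once, captures the JSESSIONID the login response sets, and replays it on the /info/ping call so both requests hit the same session. It assumes the API root is in $API_BASE and that the login endpoint is at /login and takes the email/password form fields shown in the question.

```shell
#!/bin/sh
# Added example: log in once, capture the JSESSIONID the login endpoint sets,
# and replay it on /info/ping so the second request reaches the same session
# that holds the authenticated principal. Assumed layout: API root in $API_BASE,
# login endpoint at /login taking the email/password form fields.
set -eu

# Pull the JSESSIONID value out of raw response headers (Set-Cookie lines).
# Pure text processing, so it works on a captured header dump without a server.
extract_jsessionid() {
  printf '%s\n' "$1" \
    | tr -d '\r' \
    | sed -n 's/^[Ss]et-[Cc]ookie: *JSESSIONID=\([^;]*\).*/\1/p' \
    | head -n 1
}

# The request header every later call must carry to stay in that session.
cookie_header() {
  printf 'Cookie: JSESSIONID=%s' "$1"
}

login_and_ping() {
  base="$1"; email="$2"; password="$3"
  # -D - writes the response headers to stdout; the body goes to /dev/null.
  headers=$(curl -s -D - -o /dev/null \
    --data-urlencode "email=$email" \
    --data-urlencode "password=$password" \
    "$base/login")
  sid=$(extract_jsessionid "$headers")
  if [ -z "$sid" ]; then
    echo "login set no JSESSIONID: check the security domain / web.xml wiring" >&2
    return 1
  fi
  # Without this header the container creates a fresh, unauthenticated session
  # and @RolesAllowed("USER") rejects the call.
  curl -s -H "$(cookie_header "$sid")" "$base/info/ping"
}

# Only contact a real server when API_BASE is set; otherwise just define the functions.
if [ -n "${API_BASE:-}" ]; then
  login_and_ping "$API_BASE" "${API_EMAIL:-user@example.com}" "${API_PASSWORD:-changeme}"
fi
```

curl's -c/-b cookie-jar options do the same bookkeeping automatically; the explicit extraction just makes the dependency on the one JSESSIONID visible when debugging.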