Declarative Security on Webservice Methods

Similar Messages

• Error during JNDI lookup Accessing Remote EJB (access to web service restricted using declarative security model)

  Hello everyone,
  I developed a Web Service prototype accessing remote EJB using the EJB
  control with special syntax in the jndi-name attribute: @jws:ejb
  home-jndi-name="t3://10.10.245.70:7131/AccountDelegatorEJB"
  Everything works fine, but I get an error when I restrict access to my web
  service with a declarative security model by implementing steps provided in
  help doc:
  - Define the web resource you wish to protect
  - Define which security role is required to access the web resource
  - Define which users are granted the required security role
  - Configure WebLogic Server security for my web service(Compatibility
  Security/Users)
  I launch the service by entering the address in a web browser. When prompted
  to accept the digital certificate, click Yes, when prompted for network
  authentication information, enter username and password, navigate to the
  Test Form tab of Test View, invoke the method by clicking the button and I
  get the following exception:
  <error>
  <faultcode>JWSError</faultcode>
  <faultstring>Error during JNDI lookup from
  jndi:t3://10.10.245.70:7131/AccountDelegatorEJB[Lookup failed for
  name:t3://10.10.245.70:7131/AccountDelegatorEJB]</faultstring>
  <detail>
  <jwErrorDetail> weblogic.jws.control.ControlException: Error during JNDI
  lookup from jndi:t3://10.10.245.70:7131/AccountDelegatorEJB[Lookup failed
  for name:t3://10.10.245.70:7131/AccountDelegatorEJB] at
  weblogic.knex.control.EJBControlImpl.acquireResources(EJBControlImpl.java:27
  8) at
  weblogic.knex.context.JwsInternalContext.acquireResources(JwsInternalContext
  .java:220) at
  weblogic.knex.control.ControlHandler.invoke(ControlHandler.java:260) at
  ibas.AccountControl.getTransactionHistory(AccountControl.ctrl) at
  ibas.GetSecure.retrieveVisaHistoryTxn(GetSecure.jws:64) </jwErrorDetail>
  </detail>
  </error>
  I have a simple Hello method as well in my WebService (which is also
  restricted) and it works fine, but remote EJB access doesn't. I tested my
  prototype on Weblogic 7.2 and 8.1 platforms - same result.
  Is that a bug or I am missing some additional configuration in order to get
  that working. Has anyone seen similar behavior? Is there a known resolution?
  Or a suggested way to work around the problem?
  Thank you.
  Andre

  Andre,
  It would be best if this issue is handled as an Eval Support case. Please
  BEA Customer Support at http://support.beasys.com along with the required
  files, and request that an Eval support case be created for this issue.
  Thanks
  Raj Alagumalai
  WebLogic Workshop Support
  "Andre Shergin" <[email protected]> wrote in message
  news:[email protected]...
  Anurag,
  I removed "t3", still get an error but a different one (Unable to create
  InitialContext:null):
  <error>
  <faultcode>JWSError</faultcode>
  <faultstring>Error during JNDI lookup from
  jndi://secuser1:[email protected]:7131/AccountDelegatorEJB[Unable to
  create InitialContext:null]</faultstring>
  <detail>
  <jwErrorDetail> weblogic.jws.control.ControlException: Error during JNDI
  lookup from
  jndi://secuser1:[email protected]:7131/AccountDelegatorEJB[Unable to
  create InitialContext:null] at
  weblogic.knex.control.EJBControlImpl.acquireResources(EJBControlImpl.java:27
  8) at
  weblogic.knex.context.JwsInternalContext.acquireResources(JwsInternalContext
  .java:220) at
  weblogic.knex.control.ControlHandler.invoke(ControlHandler.java:260) at
  ibas.AccountControl.getTransactionHistory(AccountControl.ctrl) at
  ibas.GetVisaHistoryTransactions.getVisaHistoryTxn(GetVisaHistoryTransactions
  .jws:67) </jwErrorDetail>
  </detail>
  </error>
  Note: inter-domain communication is configured properly. The Web Service to
  remote EJB works fine without a declarative security.
  Any other ideas?
  Thank you for your help.
  Andre
  "Anurag" <[email protected]> wrote in message
  news:[email protected]...
  Andre,
  It seems you are using the URL
  jndi:t3://secuser1:[email protected]:7131/AccountDelegatorEJB
  whereas you should not be specifying the "t3:" protocol.
  The URL should be like
  jndi://secuser1:[email protected]:7131/AccountDelegatorEJB
  Please do let me know if you see any issues with this.
  Note that this will only allow you to access remote EJBs in the same WLS
  domain. For accessing EJBs on another domain, you need to configure
  inter-domain communication by
  following a few simple steps as mentioned at
  http://e-docs.bea.com/wls/docs81/ConsoleHelp/jta.html#1106135. This link has
  been provided in the EJB Control Workshop documentation.
  Regards,
  Anurag
  "Andre Shergin" <[email protected]> wrote in message
  news:[email protected]...
  Raj,
  I tried that before, it didn't help. I got similar error message:
  <error>
  <faultcode>JWSError</faultcode>
  <faultstring>Error during JNDI lookup from
  jndi:t3://secuser1:[email protected]:7131/AccountDelegatorEJB[Lookup
  failed for
  name:t3://secuser1:[email protected]:7131/AccountDelegatorEJB]</faultstr
  ing>
  <detail>
  <jwErrorDetail> weblogic.jws.control.ControlException: Error during JNDI
  lookup from
  jndi:t3://secuser1:[email protected]:7131/AccountDelegatorEJB[Lookup
  failed for
  name:t3://secuser1:[email protected]:7131/AccountDelegatorEJB] at
  weblogic.knex.control.EJBControlImpl.acquireResources(EJBControlImpl.java:27
  8) at
  weblogic.knex.context.JwsInternalContext.acquireResources(JwsInternalContext
  .java:220) at
  weblogic.knex.control.ControlHandler.invoke(ControlHandler.java:260) at
  ibas.AccountControl.getTransactionHistory(AccountControl.ctrl) at
  ibas.GetSecure.retrieveVisaHistoryTxn(GetSecure.jws:64) </jwErrorDetail>
  </detail>
  </error>
  Anything else should I try?
  P.S. AccountDelegatorEJB, the remote EJB my Web Service calls is NOTaccess
  restricted.
  I hope there is a solution.
  Thanks,
  Andre
  "Raj Alagumalai" <[email protected]> wrote in message
  news:[email protected]...
  Andre,
  Can you try using the following url with username and password
  jndi://username:password@host:7001/my.resource.jndi.object ?
  once you add webapp level security, the authenticated is the user who
  invokes the EJB.
  http://e-docs.bea.com/workshop/docs81/doc/en/workshop/guide/controls/ejb/con
  CreatingANewEJBControl.html?skipReload=true
  has more info on using remote EJB's.
  Hope this helps.
  Thanks
  Raj Alagumalai
  WebLogic Workshop Support
  "Alla Resnik" <[email protected]> wrote in message
  news:[email protected]...
  Hello everyone,
  I developed a Web Service prototype accessing remote EJB using the EJB
  control with special syntax in the jndi-name attribute: @jws:ejb
  home-jndi-name="t3://10.10.245.70:7131/AccountDelegatorEJB"
  Everything works fine, but I get an error when I restrict access to my
  web
  service with a declarative security model by implementing steps
  provided
  in
  help doc:
  - Define the web resource you wish to protect
  - Define which security role is required to access the web resource
  - Define which users are granted the required security role
  - Configure WebLogic Server security for my web service(Compatibility
  Security/Users)
  I launch the service by entering the address in a web browser. Whenprompted
  to accept the digital certificate, click Yes, when prompted for
  network
  authentication information, enter username and password, navigate tothe
  Test Form tab of Test View, invoke the method by clicking the buttonand
  I
  get the following exception:
  <error>
  <faultcode>JWSError</faultcode>
  <faultstring>Error during JNDI lookup from
  jndi:t3://10.10.245.70:7131/AccountDelegatorEJB[Lookup failed for
  name:t3://10.10.245.70:7131/AccountDelegatorEJB]</faultstring>
  <detail>
  <jwErrorDetail> weblogic.jws.control.ControlException: Error during
  JNDI
  lookup from jndi:t3://10.10.245.70:7131/AccountDelegatorEJB[Lookupfailed
  for name:t3://10.10.245.70:7131/AccountDelegatorEJB] at
  weblogic.knex.control.EJBControlImpl.acquireResources(EJBControlImpl.java:27
  8) at
  weblogic.knex.context.JwsInternalContext.acquireResources(JwsInternalContext
  .java:220) at
  weblogic.knex.control.ControlHandler.invoke(ControlHandler.java:260)at
  ibas.AccountControl.getTransactionHistory(AccountControl.ctrl) at
  ibas.GetSecure.retrieveVisaHistoryTxn(GetSecure.jws:64)</jwErrorDetail>
  </detail>
  </error>
  I have a simple Hello method as well in my WebService (which is also
  restricted) and it works fine, but remote EJB access doesn't. I testedmy
  prototype on Weblogic 7.2 and 8.1 platforms - same result.
  Is that a bug or I am missing some additional configuration in order
  to
  get
  that working. Has anyone seen similar behavior? Is there a knownresolution?
  Or a suggested way to work around the problem?
  Thank you.
  Andre

• Problem in passing xstring data from abap to webservice method.

  Hi,
  I want to upload the document from ABAP to Microsoft SharePoint. So for that i have created the webservice in .net for uploading the document in SharePoint.
  Now in Abap i have consumed this service by creating proxy class. The web service has one method as Upload_File which takes byte[] as paramerter, so in wsdl file this parameter get converted into s:base64Binary and in abap it get converted into RAWSTRING.
  Now, when i try to upload the file with very small content (less than 54 character mean the rawstring variable which contain the file content has length less than 108 ), file gets uploaded with no problem, but when the file has content more than 54 character, it give error like "SOAP:1.032 SRT: Wrong Content-Type and empty HTTP-Body received"
  And also one thing when i have created the proxy class it gives warning that "The XSD type base64Binary does not exactly correspond to the ABAP type RAWSTRING"
  What can be the problem? how to pass file content to external web service?
  Thanks,
  Vikram

  Hi Nick,
  Yes, when i declare the data type as string in XSD it get converted into xsd:string.
  I have already tried using String as parameter in WebService method instead of byte[].
  But then in .Net, I need to write some code for converting the string variable ( which content the file content in hexadecimal format) into byte array and for that there is a method provided by .Net framework but when I use it, it write the hexadecimal content in file.
  So I have written my own code for converting hexadecimal content which string variable content to byte array.
  By doing this, it working fine and all type of file getting uploaded in SharePoint but when I try to open the file only .TXT file get open properly and other type of file give me some error.

• Configure security-role and method permission for EJB 3.0 using Jdev 11g

  The EJB 3.0 session bean created by Jdev 11g EJB wizard does not have ejb-jar.xml. Where and how can security-role and method permission for the EJB be configured?
  For example,
  <assembly-descriptor>
  <security-role>
  <role-name>managers</role-name>
  </security-role>
  <method-permission>
  <role-name>managers</role-name>
  <method>
  <ejb-name>Employees</ejb-name>
  <method-name>setSalary</method-name>
  <method-params>
  <method-param>java.lang.Long</method-param>
  </method-params>
  </method>
  </method-permission>
  </assembly-descriptor>

  user516954,
  By default annotations are used. However, you can create a new descriptor and that will take presidence over any declared annotation.
  --Ric                                                                                                                                                                                                                                                                                                                               

• Declarative Security, Authorization and SSL

  Hi all, I'm trying to find the most elegant and simple way to restrict access to my web content and I'd like to have your opinion on how to make it better or how other solve similar tasks.
  The situation is:
  My web-site (Tomcat 5.5/JBoss) has 50% of pages with access restricted by declarative security in deployment descriptor.
  I use web container authorization (BASIC or FORM-based).
  Many of my prospective web-clients have old PCs with old web-browsers, so I consider usage of SSL everywhere is not a good idea. Neither DIGEST authentication is.
  Therefore, I want to secure with SSL only the stage of authorization. I realize that in this case the restricted content is not secure, but the information is not confidential. Only user's login and password are.
  How should I do that?
  The problem is that web container intersepts the request to the restricted content and tries to authorize the client via BASIC or FORM methods, but they are not secure, as the page where interception happens may be accessed not via SSL! And, therefore, all authorization interaction with client is not encrypted too.
  I found an ugly trick - in FORM-based authentication I changed the action of my login form to "https://j_security_check" - this ensures that login/password are sent via encrypted channel, but upon successfull authentication Tomcat brings you back not to the page originally requested: "http://mypage.jsp", but to "httpS://mypage.jsp"!!! I.e it does not switch back from SSL to unencrypted connection. In order to avoid this I can assign a special servlet filter to all pages with the restricted, but unencrypted contents, so that this filter will change httpS to http, but this is quite an ugly way, isn't it?
  Can you share some better ideas how to organize this?
  I just don't want to write my own security system while we have one allready.

  Hello,
  I use Tomcat 5.5.4 or 5.5.6 - not sure, home and work... or the other way around.
  Yes you would need to - perhaps it's time to use a header include? They are useful for this kind of thing. Anyway, it does not seem to be flawless; have you tested it on a couple of your pages?
  In my test setup I:
  (1) attempt to access a restricted resource as an unauthenticated user with http
  (2) get redirected to login page which tests for https i.e. isSecure() and redirects to itself with https if test fails
  (3) i login and get redirected to the resource which tests for http and redirects to itself using http if test fails.
  In theory its straightforward... but the redirects that are caused by failed protocol tests don't always 'succeed'; I get left with a blank screen! Of course when omitting these test everything works dandy. Still, hitting refresh a couple times then brings up the page (login or resource) that is expected... which leads me to believe authentication is not failing nor is the attempt to invalidate the session. I say this as I read somewhere that some balls-up causes the browser to get stuck in the j_security_check servlet (or something like that) but I can't remember what causes this. Perhaps you've also read this and can refresh my memory.
  Best regards,
  D

• Reference HttpServlet object from webservice method ...

  How to reference HttpServlet object from webservice method to access HTTP header?
  Thanks
  Marcel

  You are correct.
  I know that SOAP messages can be send not only via HTTP protocol.
  Our solution is restricted to use only HTTP protocol for communication between client and server by customer, because there is implemented transparent proxy for users authorization and strong security of communication via HTTP protocol. Authorization server transparently modify HTTP request header with user identity (DN from user certificate - with this PKI solution it is not possible to use standard SSL because certificate is proprietary enhanced and cannot be accessed in standard way). That is why I need access HTTP request header.
  Why I want to use webservices? I thing that webservice is flexible and perspective technology for integration and asynchronous communication between web clients and application (it is really more effective add new info in web page asynchronously from webservice than reload whole page).
  Thanks
  Marcel

• Can programmatic security work without declarative security?

  Hi,
  I have the case where there is no declarative security in the deployment descriptor and where the User Agent spontaneously provides credentials (through the Authorization header). Can the getUserPrincipal method return "null" in this case? In the javadoc for that method there is no constraint then that the user should be authenticated.
  The use-case is an implementation of WebDAV ACLs. Those can be expressed in terms of "unauthenticated". This means that depending on the requested resource a method may require authentication or not. Declarative security doesn't work in this case, because then authentication would always be required.
  When an ACL requires authentication, the implementation returns the status code 401 itself.
  Regards,
  Werner.

  VersaLink 7500 User Guide.pdf
  Having taken a quick look see in the  User Guide, it seems the 7500 is WPA capable; there's one way to find out for certain.
  Message Edited by bamboo on 09-16-2008 05:16 AM

• Problem while invoking webservice-method in client-code

  Hi,
  I had written webservice-client-code (using uddi-ext.jar, as i am using uddi for publishing webservices.) which is invoking webservice method successfully with complex datatypes(both for return type and input paramters).
  But while calling following webservice-method from my client-code:
  public ComplexType[] getData(String[] p_str1, String[] p_str2)
  it is throwing exception
  The Exception is:
  [ERROR] - 27 Mar 2007 12:34:38 -failed to invoke operation 'getData' due to an error in the soap layer (SAAJ); nested exception is: Message[failed to deserialize xml:weblogic.xml.schema.binding.DeserializationException: mapping lookup failure. type=['java:language_builtins.lang']:ArrayOfString schema context=TypedSchemaContext{javaType=[Ljava.lang.String;}]
  Although I had done correct registration of mapping of ArrayOfString in client-code:
  registry = m_Service.getTypeMappingRegistry();
                 m_TypeMapping = registry.getTypeMapping(SOAPConstants.URI_NS_SOAP_ENCODING );
                 m_TypeMapping.register( ArrayOfStringHolder.class,
  new QName( "java:language_builtins.lang", "ArrayOfString" ),
  new ArrayOfStringCodec(),
  new ArrayOfStringCodec());
  But some how it doesnt works.
  I had searched on google as well but didnt find any reliable solutions.
  Please advice.
  Edited by meetmrdeepak at 03/27/2007 2:43 AM
  Edited by meetmrdeepak at 03/27/2007 2:45 AM

  See item A.1 of the [RMI FAQ|http://java.sun.com/j2se/1.5.0/docs/guide/rmi/faq.html].

• Call a  Webservice method from DotNetApplication

  Hi all,
  I have created One web service using Axis. My WebServices are below:
  import java.util.*;
  public class NHLService {
    HashMap standings = new HashMap();
    public NHLService() {
      // NHL - part of the standings as per 04/07/2002
      standings.put("atlantic/philadelphia", "1");
      standings.put("atlantic/ny islanders", "2");
      standings.put("atlantic/new jersey", "3");
      standings.put("central/detroit", "1");
      standings.put("central/chicago", "2");
      standings.put("central/st.louis", "3");
    public String getCurrentPosition(String division, String team) {
      String p = (String)standings.get(division + '/' + team);
      return (p == null) ? "Team not found" : p;
  }Its name is NHLService.jws. Then I run this service in my localhost like this "http://localhost:8080/axis/NHLService.jws" It is running and show that
  There is a Web Service here
  Click to see the WSDL Now I can view the wsdl. Now I want to call this webservice method from DotNet Application.Please any one knows that can you guide me the steps.
  Thanks in Advance,
  Raj

  but i don't understand a thing...
  when i create a static stub client i link with the config-wsdl file the path of my webservices wdsl and the client compile and run well...
  why with the servlet i had to link .class file or jar file??
  thanks a loto

• How to call a WebService method using HttpsURLConnection?

  Hi,
  I want to know how i could use HttpsURLConnection to call a WebService method.
  I can use the following:
  String endpoint = "https://xyz:8443/axis/services/MSecurity";
  System.setProperty("javax.net.ssl.keyStore", keyStorepath);
  System.setProperty("javax.net.ssl.keyStoreType", "PKCS12");
  System.setProperty("javax.net.ssl.keyStorePassword", keyStorePassword);
  System.setProperty("javax.net.ssl.trustStore", trustStorePath);
  System.setProperty("javax.net.ssl.trustStoreType", "JKS");
  System.setProperty("javax.net.ssl.trustStorePassword", trustpass);
  //Call Web Service
  URL url = new URL(endpoint);
  MSecuritySoapBindingStub service = new MSecuritySoapBindingStub(url, null);
  //get list of people
  String[] vo = service.getVO();
  for (int i = 0; i < vo.length; i++) {
  System.out.println(vo);
  However, loading my cert. this way is not flexible. Therefore, I am using SSLContext to initialize my keystore and truststore and then I am using the following to connect to my webservice:
  SSLContext sc = SSLContext.getInstance("SSLv3");
  sc.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
  SSLSocketFactory ssf = sc.getSocketFactory();
  URL url = new URL(endpoint);
  HttpsURLConnection htp = (HttpsURLConnection) url.openConnection();
  htp.setSSLSocketFactory(ssf);
  However, I do not know how I could use the "htp" object to call the getVO() method above.

  Use Apache Axis to do SOAP in Java.
  Nobody can just mail you the code. You first have to create java source files from the web service via its WSDL file.

• How to use generic webservice methods in java

  Hi,
  I am working on jdk1.5 and axis web service client version 1.3.
  I am calling webservice which developed in wcf service using .net ,Extesion like .svc?asmx
  input of webservice method is generic like list<IEmployee>
  When i try to call in cleint side , it is showing like object[] array.
  but it has to show like list<object>
  May i know solution for this.
  Thanks,
  Murali

  Hi konanki,
  Web services are using SOAP as protocol and SOAP has been designed for interoperability between computers installed with different platforms : Java, .Net, PHP, ...
  As List<IEmployee> or List<Object> are specific to Java language, they are translated in a way understandable for other platforms. Just have a look to your WSDL file.

• Not able to pass cyclic XML schema type to a webservice method

  I have a webservice method called getData(GetDataDocument
  gDoc).
  I constructed a request with object (which exactly satisfy
  the XML schema def) to call up the getData(). [From my java client
  also I did the same; but the java classes have been generated using
  apache's xmlBeans; this works fine with the same kind of request].
  But the soap request constructed from flex does not get
  generated with all the values that I set in the request object.
  On further observation, I found out that if the schema
  involves cyclic elements, the soap request is not getting
  constructed as desired.
  My schema def:
  <complexType name="PredicateBagType">
  <sequence>
  <choice>
  <element maxOccurs="unbounded" minOccurs="0"
  name="PredicateBag" type="tns:PredicateBagType"/>
  <element maxOccurs="unbounded" minOccurs="0"
  name="BinaryPredicate" type="tns:BinaryPredicateType"/>
  <element maxOccurs="unbounded" minOccurs="0"
  name="UnaryPredicate" type="tns:UnaryPredicateType"/>
  </choice>
  </sequence>
  <attribute name="contextNode"
  type="tns:contextNodeIDType"/>
  <attribute default="false" name="negate"
  type="boolean"/>
  <attribute name="type"
  type="tns:PredicateBagTypeType"/>
  </complexType>
  Note that the PredicateBagType may contain another
  PredicateBagType.
  I have constructed my request with objects in my flex
  application . Though I have set the BinaryPredicate object in my
  PredicateBag object, the soap request constructed looks like this
  which is not desired
  <SOAP-ENV:Envelope xmlns:SOAP-ENV="
  http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:xsd="
  http://www.w3.org/2001/XMLSchema"
  xmlns:xsi="
  http://www.w3.org/2001/XMLSchema-instance">
  <SOAP-ENV:Body>
  <tns:get_Data maxPrograms="0" personalInfoUse="false"
  xmlns:tns="urn:tva:transport:2005">
  <tns:QueryConstraints>
  <tns:PredicateBag contextNode="1" negate="false"
  type="AND"/>
  </tns:QueryConstraints>
  <tns:RequestedTables>
  <tns:Table type="ProgramInformationTable"/>
  </tns:RequestedTables>
  </tns:get_Data>
  </SOAP-ENV:Body>
  </SOAP-ENV:Envelope>.
  If I comment out the PredicateBagType choice in my xsd, the
  flex application constructs the soap request looks like this.
  <SOAP-ENV:Envelope xmlns:SOAP-ENV="
  http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:xsd="
  http://www.w3.org/2001/XMLSchema"
  xmlns:xsi="
  http://www.w3.org/2001/XMLSchema-instance">
  <SOAP-ENV:Body>
  <tns:get_Data maxPrograms="0" personalInfoUse="false"
  xmlns:tns="urn:tva:transport:2005">
  <tns:QueryConstraints>
  <tns:PredicateBag contextNode="ProgramInformation"
  negate="false" type="AND">
  <tns:BinaryPredicate fieldID="Genre" fieldValue="Fiction"
  test="contains"/>
  </tns:PredicateBag>
  </tns:QueryConstraints>
  <tns:RequestedTables>
  <tns:Table type="ProgramInformationTable"/>
  </tns:RequestedTables>
  </tns:get_Data>
  </SOAP-ENV:Body>
  </SOAP-ENV:Envelope>
  This request holds good. But I cannot comment out the
  PredicateBagType from my choice. Is this an issue with soap request
  construction issue in Flex..?

  Yes, <choice> is just "partial" supported in Flex 2 .
  read this
  link
  for partial and not supported tags
  Partially supported XML Schema structures
  The following XML Schema structures or structure attributes
  are only partially implemented in this release:
  <choice>
  <all>
  <union>
  regards
  kcell

• BPM process interactive activity(JSP) - external webservice method interac

  I am using Oracle BPM studio 10.3.1.0.
  I have one external web service published on glassfish application server, I have introspected it in my BPM process using its WSDL.
  Now one of my BPM process interactive activity is there, which is represented by one JSP, I am giving some input to my JSP.
  I want this input to be passed to the web service method as a parameter, and it should fetch the output, so basically I want to invoke the web service method, could you please guide me how to do it?
  Thanks & Regards
  Ashish

  Hy Ashih
  I dont know if this is best way to do that, but I have a similar situation here, and I'm using AJAX do call the webservice method by BPM and retrieve data.
  Something like this:
  1 - Create the XMLHttpRequest() object in your jsp (if you need I have the entire code)
  2 - Create the a JavaScript method for to call the OBPM method in your component
  function mymethod(arg1, arg2, arg3)
  xmlhttp.onreadystatechange=function()
                                                    if( xmlhttp.readyState==4 )
                                                         document.getElementById("AnyDIV").innerHTML = xmlhttp.responseText;
       var resp = "<f:invokeUrl var='YourComponenteName' methodName='YourMethodName'/>";
  //Incude how many args your need here
       resp+="&arg1=" + arg1;
       resp+="&arg2=" + arg2;
       resp+="&arg3=" + arg3;
       xmlhttp.open("POST",resp,true);
       xmlhttp.send(null);
  3 - You'll need a div html tag called "AnyDIV" to receive the BPM answer
  4 - On you BPM component, in YourMethodName method (needs to be ServerSide = no), create two args, the first is httpRequest type (name request), and the second is httpResponse type (name response) (fuego lib)
  5 - Type the code below in your BPM method to send info back to the JSP
  //getting the args
  String arg1 = request.getParameter(string : "arg1");
  String arg2 = request.getParameter(string : "arg2");
  String arg3     = request.getParameter(string : "arg3");
  //Do the webservice call here, prepare the html answer and put it into an string variable
  strReturn = "bla bla bla";
  //Send the anwser back to the jsp
  response.bodyTextContent(arg1 : strReturn);
  Or you can do this using xml answer and deal with the tags with javascript
  that's it

• Https through load balancer breaks declarative security

  Hello,
  My desired setup is for a Jboss cluster serving requests behind a load balancer. Also I intend to use declarative security on the deployed units and have ssl client side authentication.
  I need someone to please confirm/deny the following statements:
  1) ssl has to be negotiated by the load balancer, whether hardware or software based (apache with mod_proxy/mod_jk).
  2) if using apache with mod_jk it is possible to configure it to send the client side authentication details (certificate) in such a way that jboss may enforce declarative authorization as if it had done the authentication itself. This also means that the programatic means to get the authenticated user identity described in the ejb and servlet specs will still work.
  3) there is no hardware load balancer that supports the behavior described in 2), which means that with a hardware load balancer it is impossible to use declarative authorization enforcement.
  After a whole lot testing and digging up for info, I'm quite desperate to solve this question, so if someone could help me I would be most thankfull.
  Nuno

  After further research, I think the best course of action will be to create a VLAN for the zone behind the BigIP and then create the corresponding interface in the vlan and zone. Using this links as my references in case anyone is interested. I'll post what I come up with.
  https://blogs.oracle.com/stw/entry/using_ip_instances_with_vlans
  https://blogs.oracle.com/stw/entry/solaris_zones_and_networking_common
  http://docs.oracle.com/cd/E19253-01/816-4554/816-4554.pdf # AdministeringVirtualLocalAreaNetworks
  http://docs.oracle.com/cd/E19053-01/ldoms.mgr11/820-4913-10/820-4913-10.pdf # Assign VLANs to a Virtual Switch and Virtual
  Network Device

• Do I need to add new users under sun-web for declarative security to work?

  Hello,
  Do I need to add a <principal-name> element under sun-web.xml whenever a new user registers on my website? I am planning to use declarative security for my website, so I went ahead and created a custom realm that uses JDBC to get users information from MySQL. To do a simple test I added a new user under a new group that does not have a mapping under sun-web.xml. However, web.xml has the needed security-constraint and security-role elements that define the role and the protected resources. The problem is that when I deploy the application under SJSAS PE9 I get the following warning: "No Principals mapped to Role [jdev]". Does that mean I have to add each and every use to sun-web.xml for the declarative security to work?

  Good question. I am having the same problem with my LDAP realm. Funny thing is that the exact same approach worked fine and dandy with Sun AS 8. Sounds to me like something broke under AS 9 ...