5 Replies Latest reply on Jun 14, 2006 9:04 AM by shadens

    Secure endpoint without secure WSDL

    acxjbertr

      I have secured my Web Service endpoint (JSR-109 EJB) with basic authentication, but that requires me to enter the authentication information to access the WSDL which is unacceptable. Is there a way to secure the endpoint without securing the WSDL?

      Here is my jboss.xml:

      <!DOCTYPE jboss PUBLIC "-//JBoss//DTD JBOSS 4.0//EN" "http://www.jboss.org/j2ee/dtd/jboss_4_0.dtd">
      <jboss>
        <!-- This links to a security domain defined in JBoss's conf/login-config.xml -->
        <security-domain>java:/jaas/JBossWS</security-domain>
        <enterprise-beans>
          <session>
            <ejb-name>JBossTest2</ejb-name>
            <jndi-name>JBossTest2</jndi-name>
            <resource-ref>
              <description>Database Reference to DataSource</description>
              <res-ref-name>jdbc/jbossTest2DB</res-ref-name>
              <jndi-name>java:/jbossTest2DB</jndi-name>
            </resource-ref>
            <port-component>
              <port-component-name>JBossTest2Endpoint</port-component-name>
              <auth-method>BASIC</auth-method>
              <port-component-uri>/jbosstest2/1.0</port-component-uri>
            </port-component>
          </session>
        </enterprise-beans>
      </jboss>


        • 1. Re: Secure endpoint without secure WSDL
          thomas.diesler

          The way we generate the web.xml when there is EJB security metadata will have to change.

          http://jira.jboss.com/jira/browse/JBWS-978

          • 2. Re: Secure endpoint without secure WSDL
            acxjbertr

            Yeah, I noticed a generated web.xml in the tmp directory where the ear was expanded. Thanks for incorporating this into 1.0.2.

            • 3. Re: Secure endpoint without secure WSDL
              new4jboss

              I have a POJO endpoint and defined the following in jboss-web.xml:

              <webservice-description>
                <webservice-description-name>yourservicename</webservice-description-name>
                <wsdl-publish-location>file:../server/all/deploy/wsdls.war</wsdl-publish-location>
              </webservice-description>

              These tags are also available in jboss.xml so it should work all the same.

              wsdls.war is an exploded webapp deployment with an empty web.xml and a jboss-web.xml defined as follows:

              <jboss-web>
                <context-root>wsdls</context-root>
              </jboss-web>

              This allows your client to access the WSDL via http://host.port/wsdls/servicename.wsdl

              Hope this may be of any help in your particular case.

              Cheers


              • 4. Re: Secure endpoint without secure WSDL
                thomas.diesler

                Excellent workaround

                • 5. Re: Secure endpoint without secure WSDL
                  shadens

                  Hi!
                  I have the same problem. I've installed JBossWS version 1.0.1.
                  So, I'm using the easy way with annotations. I'm following the examples.
                  Is there a way to work around the problem as new4jboss suggests? (I can't understand how to adapt his example.)
                  This is my session bean that shows a web method:

                  // standard JSR181 annotations
                  @WebService(name = "EndpointInterface", targetNamespace = "http://org.jboss.ws/samples/jsr181ejb", serviceName = "Risposta")
                  @SOAPBinding(style = SOAPBinding.Style.RPC)

                  // standard EJB3 annotations
                  @Remote(Hello.class)
                  @RolesAllowed("friend")

                  // jboss proprietary annotations
                  @RemoteBinding(jndiBinding = "/ejb3/EJB3EndpointInterface")
                  @PortComponent(authMethod="BASIC", transportGuarantee="NONE")
                  @SecurityDomain("JBossWS")
                  public @Stateless class HelloBean implements Hello {

                      @WebMethod
                      public String reply(String voice) {
                          return "Hello " + voice;
                      }

                  }


                  And its interface:

                  @Remote
                  public interface Hello {
                      public String reply(String voice);
                  }


                  Does anybody have an example that shows how a client logs in to the web service? :(

                  Thanks!