On your first question, I'm not certain myself but am about to start looking into this myself. I imagine the client will need access to the certificate authority store much like a browser has its list of CAs.

On your second question: yes. A WAR file is created if you don't have one yourself. If you use the annotations of "@PortComponent" you can set some of the basis info there. Then a web.xml and jboss-web.xml are created for you. However, I found it best to create your own WAR with those files (in the standard WEB-INF location, of course) so you can handle security. It took me a little while to figure out that the generate WAR does not seem (and I'd love if someone knew how to do it) to generate the <security-constraint> and <login-config> nodes required for authentication. It will only generate the <servlet and <servlet-mapping> nodes. The "@PortComponent" annotation has parameters which would lead one to believe (e.g. authMethod) it would create the security nodes as well, but after many days of stuggle, I never could get it to.

Be sure you define your WAR in your EAR's META-INF/application.xml file. Otherwise, a generated WAR might still be created.

Since the "ServiceEndpointID" is nicely generated via the generated WAR, you may consider letting it generate it for you the first time and coping the web.xml and jboss-web.xml to your own project for packaging (just go to your JBOSS_HOME/server/SERVER_INSTANCE/tmp/deploy directory and look for your ear.

If you don't care about authentication then I suppose you could just go with the generated one.

I'm somewhat new to JBossWS myself, so take my advice with a gain of salt :-)

It seems that jbossws-1.0.3 fixed this: @PortComponent settings seems to be correctly mapped to <transport-guarantee> and <auth-method> entries in the generated web.xml.

I have another problem anyway: how can I control the <virtual-host> entry in the generated jboss-web.xml?

I didn't find any useful annotation about it. Besides, I would prefer to control this by an xml file since I'm using stuff like this <virtual-host>${it.myorg.mycustomer.host}</virtual-host> in order to get staging simple.

Also, I would prefer to avoid building a web app for this because:

1) I would have to sync the site's web.xml everytime I add/remove an exposed bean;
2) I'm not shure that jbossws is able to "detect" the fact I'm deploing a war for my WSes, so I guess I would get two publications: one under the ${jboss.bind.address} virtual host, and the other under the wanted one (${it.myorg.mycustomer.host}).

Regards,

"sursha" wrote:
Hi,
I have deployed ejb 3.0 exposed as web service in JBOSS 4.0.4.
I use annotations to expose it as web service. I'm able to access the
web service using HTTP. How do I secure it to access using HTTPS?

Could you please elaborate on what do you mean by saying"I am able to access web service from http'? I am learning JBossWS and from what I understand, it can be accessed using HTTP post, not HTTP get. I can see the SOAP request and response from Web service explorer in Eclipse. Are you accessing the web service from a browser? Are you using POST in your client code? If yes, how do you use it?

I appreciate your help.