3 Replies Latest reply on Nov 22, 2006 1:45 PM by osganian

    Securing POJO Web Service in 4.0.3 SP1

    parmarsanjay

      I have created one POJO Webservice and everything works fine but I run into issues as soon as I try to secure the Web Service. Here are the steps I am following to secure the Web Service.

      - Modified the web.xml to specify the constraints.
      ==============================

      <servlet>
        <servlet-name>InfoServiceServlet</servlet-name>
        <servlet-class>com.info.webservice.InfoServiceImpl</servlet-class>
      </servlet>

      <servlet-mapping>
        <servlet-name>InfoServiceServlet</servlet-name>
        <url-pattern>/InfoService</url-pattern>
      </servlet-mapping>

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Protected Area</web-resource-name>
          <url-pattern>/InfoService</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>InfoUser</role-name>
        </auth-constraint>
      </security-constraint>

      - Modified the client code to pass the username/password.
      ==============================

      ((Stub) bookQuery)._setProperty(Stub.USERNAME_PROPERTY, "username");
      ((Stub) bookQuery)._setProperty(Stub.PASSWORD_PROPERTY, "password");



      When I run the client, I get the following errors on the client side.

      ------------
      HTTP transport error: com.sun.xml.messaging.saaj.SOAPExceptionImpl: Invalid Content-Type:text/html. Is this an error message instead of a SOAP response?
      at com.sun.xml.rpc.client.http.HttpClientTransport.invoke(HttpClientTransport.java:148)
      at com.sun.xml.rpc.client.StreamingSender._send(StreamingSender.java:96)
      at com.zafe.webservice.ZafeInfoService_Stub.isServerAlive(ZafeInfoService_Stub.java:276)
      at com.zafe.test.webservice.TestInfoService.testIsServerAlive(TestInfoService.java:264)
      at com.zafe.test.webservice.TestInfoService.main(TestInfoService.java:67)

      CAUSE:
      com.sun.xml.messaging.saaj.SOAPExceptionImpl: Invalid Content-Type:text/html. Is this an error message instead of a SOAP response?
      at com.sun.xml.messaging.saaj.soap.MessageImpl.identifyContentType(MessageImpl.java:581)
      at com.sun.xml.messaging.saaj.soap.MessageImpl.<init>(MessageImpl.java:254)
      at com.sun.xml.messaging.saaj.soap.ver1_1.Message1_1Impl.<init>(Message1_1Impl.java:49)
      at com.sun.xml.messaging.saaj.soap.ver1_1.SOAPMessageFactory1_1Impl.createMessage(SOAPMessageFactory1_1Impl.java:43)
      at com.sun.xml.rpc.client.http.HttpClientTransport.readResponse(HttpClientTransport.java:241)
      at com.sun.xml.rpc.client.http.HttpClientTransport.invoke(HttpClientTransport.java:113)
      at com.sun.xml.rpc.client.StreamingSender._send(StreamingSender.java:96)
      at com.zafe.webservice.ZafeInfoService_Stub.isServerAlive(ZafeInfoService_Stub.java:276)
      at com.zafe.test.webservice.TestInfoService.testIsServerAlive(TestInfoService.java:264)
      at com.zafe.test.webservice.TestInfoService.main(TestInfoService.java:67)

      - I also have modified the jboss-web.xml to specify the security domain.

      Any idea why I am running into this issue? If I remove the security constraint from web.xml, everything works fine.

      Cheers,
      Sanjay

        • 1. Re: Securing POJO Web Service in 4.0.3 SP1
          parmarsanjay

          Alright. I found the problem. I was getting the above error because of FORM based authentication in web.xml. I changed that to BASIC authentication and everything is working fine now.

          <login-config>
          <auth-method>BASIC</auth-method>
          <realm-name>Protected Realm</realm-name>
          </login-config>

          Cheers,
          Sanjay

          • 2. Re: Securing POJO Web Service in 4.0.3 SP1
            osganian

            Hi Sanjay,

            I am having a similar problem that I was hoping you could help me with. How do you have your client setup to access your web services wsdl files? Do you bundle the wsdl files on the client?

            Currently I have the client accessing my wsdl files by going to: https://localhost:8443/service/MyService?wsdl

            My problem is when I secure my POJO web service in web.xml like:

             <security-constraint>
               <web-resource-collection>
                 <web-resource-name>SecureServer</web-resource-name>
                 <url-pattern>/service/*</url-pattern>
                 <http-method>GET</http-method>
                 <http-method>POST</http-method>
               </web-resource-collection>
               <auth-constraint>
                 <role-name>USER</role-name>
               </auth-constraint>
               <user-data-constraint>
                 <transport-guarantee>CONFIDENTIAL</transport-guarantee>
               </user-data-constraint>
             </security-constraint>

            The problem is that my wsdl url is protected just like the service itself, so I end up getting the following error on the client:

             [java] Caused by: java.io.IOException: Server returned HTTP response code: 401 for URL: https://localhost:8443/service/MyService?wsdl
             [java] at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1153)
             [java] at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
             [java] at java.net.URL.openStream(URL.java:1007)
             [java] at org.jboss.ws.metadata.wsdl.WSDLDefinitionsFactory.getDocument(WSDLDefinitionsFactory.java:181)

            Thanks for any help,
            Mike

            • 3. Re: Securing POJO Web Service in 4.0.3 SP1
              osganian

              What are people doing out there about their wsdl files? Do they need to be protected? If so how do you create a Service on the client if you need the url to the wsdl file? If not then where do you place the wsdl files since to protect your web service you have to protect http://localhost/service/MyService and the wsdl file is accessed via http://localhost/service/MyService?wsdl

              Also, can you set an empty password like:

              stub._setProperty(Stub.PASSWORD_PROPERTY, "");

              Seems like it doesn't even try to authenticate if you don't provide a password. Is there a way to open it up to allow empty passwords?

              Thanks again,
              Mike
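
Added example (not code from the thread or from JBoss itself): a web.xml and jboss-web.xml that put together the BASIC login-config from Sanjay's reply and the constraint from Mike's post, but split by HTTP method so that the SOAP calls (POST) require the USER role while the GET that serves ?wsdl is reachable without a login, both only over TLS. The servlet name, endpoint class, URL pattern and security-domain name are placeholders; the deny-all constraint for the remaining methods is there because, in a Servlet 2.4 descriptor, any method not listed in a web-resource-collection is not covered by that constraint at all.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- web.xml: added example, placeholder names throughout -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <servlet>
    <servlet-name>MyServiceServlet</servlet-name>
    <!-- hypothetical POJO endpoint class -->
    <servlet-class>com.example.MyServiceImpl</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>MyServiceServlet</servlet-name>
    <url-pattern>/service/MyService</url-pattern>
  </servlet-mapping>

  <!-- SOAP requests arrive as POST: require the USER role and TLS. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>ServiceCalls</web-resource-name>
      <url-pattern>/service/*</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>USER</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- GET is what fetches ?wsdl: no auth-constraint, so any caller may read
       the contract, but still only over TLS. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>ServiceDescription</web-resource-name>
      <url-pattern>/service/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Every other method: an empty auth-constraint denies all callers. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>OtherMethods</web-resource-name>
      <url-pattern>/service/*</url-pattern>
      <http-method>HEAD</http-method>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Protected Realm</realm-name>
  </login-config>

  <!-- Declare the role the auth-constraint refers to. -->
  <security-role>
    <role-name>USER</role-name>
  </security-role>
</web-app>

<!-- jboss-web.xml (separate file, same WEB-INF): binds the realm above to a
     JAAS application policy. "MyServiceDomain" is a placeholder for an entry
     in conf/login-config.xml. -->
<jboss-web>
  <security-domain>java:/jaas/MyServiceDomain</security-domain>
</jboss-web>
```

Two points about this layout. Leaving GET open is only sound if the endpoint servlet does nothing on GET except return the WSDL, which is why the other methods are denied outright rather than left unlisted. If the WSDL is to stay behind the login instead, the client has to present credentials for that first fetch too; the trace in Mike's post shows the WSDL being read through java.net.URL.openStream, so a java.net.Authenticator registered in the client before the Service is created is the usual way to answer that 401 (assuming the JBoss WSDL loader does not bypass the default HttpURLConnection handling), and bundling the WSDL with the client and creating the Service from a local URL avoids the remote fetch entirely.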