Unsecuring WSDL definition
tremalnaik Feb 6, 2007 7:47 AM
Hello, I'm using JBoss 4.0.2.
I have deployed a simple web service and am now trying to secure it. I added the following definitions in the web.xml:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected service</web-resource-name>
    <description>no description</description>
    <url-pattern>/TestService</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>BITAStarUser</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
</login-config>
<security-role>
  <description>Intranet Bita Star user</description>
  <role-name>BITAStarUser</role-name>
</security-role>
It protects all requests matching /TestService, but that means it protects the page /TestService?wsdl, i.e. the WSDL file, as well.
I'd like to avoid this, otherwise my simple test client will get a 401 error:
import java.net.URL;
import javax.xml.namespace.QName;
import javax.xml.rpc.Service;
import javax.xml.rpc.ServiceFactory;

String urlstr = "https://cor319:8443/BitaStarWebServices/TestService?wsdl";
String argument = "claves";
System.out.println("Contacting webservice at " + urlstr);
URL url = new URL(urlstr);
QName qname = new QName("https://ws.web.bitastar.bitaplus.com/", "TestService");
ServiceFactory factory = ServiceFactory.newInstance();
// createService() downloads the WSDL from the protected URL; this is where the 401 is raised
Service service = factory.createService(url, qname);
WebServicesTestInt wst = (WebServicesTestInt) service.getPort(WebServicesTestInt.class);
Server returned HTTP response code: 401 for URL: https://cor319.cor-fs.com:8443/BitaStarWebServices/TestService?wsdl
I had a look at the famous chapter 13 of the JBoss WS guide on securing the endpoints, but it looks like it's doing too much for me: I don't need to define EJBs. I'm using a JAAS module configured in login-config.xml, and jboss-web.xml looks like:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 2.3V2//EN" "http://www.jboss.org/j2ee/dtd/jboss-web_4_0.dtd">
<jboss-web>
  <security-domain>java:/jaas/bitastarRealm</security-domain>
</jboss-web>
Do you have any suggestions? Do you think what I'm doing makes sense? Can you point me to the right resources, please?
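An alternative that leaves the WSDL behind the BASIC constraint, given here as an added example that is not part of the original post: the test client answers the 401 challenge itself, and only for the expected HTTPS host and port. It assumes the JAX-RPC runtime fetches the WSDL through java.net.URL and that the port proxy implements javax.xml.rpc.Stub; the class name and the WS_USER / WS_PASSWORD environment variables are hypothetical.

```java
import java.net.Authenticator;
import java.net.PasswordAuthentication;
import java.net.URL;
import javax.xml.namespace.QName;
import javax.xml.rpc.Service;
import javax.xml.rpc.ServiceFactory;
import javax.xml.rpc.Stub;

public class AuthenticatedTestClient {

    // Answers HTTP auth challenges only for the expected HTTPS endpoint, so the
    // password is never offered to another host, another port, or plain HTTP.
    static final class EndpointAuthenticator extends Authenticator {
        private final URL endpoint;
        private final String user;
        private final char[] password;

        EndpointAuthenticator(URL endpoint, String user, char[] password) {
            this.endpoint = endpoint;
            this.user = user;
            this.password = password;
        }

        @Override
        protected PasswordAuthentication getPasswordAuthentication() {
            boolean expected = "https".equalsIgnoreCase(getRequestingProtocol())
                    && endpoint.getHost().equalsIgnoreCase(getRequestingHost())
                    && endpoint.getPort() == getRequestingPort();
            return expected ? new PasswordAuthentication(user, password) : null;
        }
    }

    public static void main(String[] args) throws Exception {
        String user = System.getenv("WS_USER");         // hypothetical variable name
        String password = System.getenv("WS_PASSWORD"); // hypothetical variable name
        if (user == null || password == null) {
            throw new IllegalStateException("WS_USER and WS_PASSWORD must be set");
        }
        URL url = new URL("https://cor319:8443/BitaStarWebServices/TestService?wsdl");
        Authenticator.setDefault(new EndpointAuthenticator(url, user, password.toCharArray()));

        QName qname = new QName("https://ws.web.bitastar.bitaplus.com/", "TestService");
        Service service = ServiceFactory.newInstance().createService(url, qname); // WSDL fetch is now authenticated
        WebServicesTestInt wst = (WebServicesTestInt) service.getPort(WebServicesTestInt.class);
        // The SOAP calls hit the same protected URL, so the port needs the credentials too.
        ((Stub) wst)._setProperty(Stub.USERNAME_PROPERTY, user);
        ((Stub) wst)._setProperty(Stub.PASSWORD_PROPERTY, password);
    }
}
```

WebServicesTestInt is the poster's own service interface and must be on the client classpath.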