2 Replies Latest reply on Feb 6, 2007 11:40 AM by tremalnaik

    Unsecuring wsdl definition

    tremalnaik

      Hello, I'm using jboss 4.0.2

      I have deployed a simple web service, trying now to secure it. I added the following definitions in the web.xml

       <security-constraint>
         <web-resource-collection>
           <web-resource-name>Protected service</web-resource-name>
           <description>no description</description>
           <url-pattern>/TestService</url-pattern>
         </web-resource-collection>
         <auth-constraint>
           <role-name>BITAStarUser</role-name>
         </auth-constraint>
         <user-data-constraint>
           <transport-guarantee>NONE</transport-guarantee>
         </user-data-constraint>
       </security-constraint>

       <login-config>
         <auth-method>BASIC</auth-method>
       </login-config>

       <security-role>
         <description>Intranet Bita Star user</description>
         <role-name>BITAStarUser</role-name>
       </security-role>



      It protects all requests matching /TestService, but this means it also protects the page /TestService?wsdl, i.e. the wsdl file.

      I'd like to avoid this, otherwise my simple test client will get a 401 error:

      import java.net.URL;
      import javax.xml.namespace.QName;
      import javax.xml.rpc.Service;
      import javax.xml.rpc.ServiceFactory;

      // The WSDL is fetched from the protected URL, so the 401 happens here, before any SOAP call
      String urlstr = "https://cor319:8443/BitaStarWebServices/TestService?wsdl";
      String argument = "claves";
      System.out.println("Contacting webservice at " + urlstr);
      URL url = new URL(urlstr);
      QName qname = new QName("https://ws.web.bitastar.bitaplus.com/", "TestService");
      ServiceFactory factory = ServiceFactory.newInstance();
      Service service = factory.createService(url, qname); // downloads and parses the WSDL
      WebServicesTestInt wst = (WebServicesTestInt) service.getPort(WebServicesTestInt.class);
      


      Server returned HTTP response code: 401 for URL: https://cor319.cor-fs.com:8443/BitaStarWebServices/TestService?wsdl


      I had a look at the famous chapter 13 of the JBoss WS guide on securing the endpoints, but it looks like it's doing too much for me: I don't need to define EJBs. I'm using a JAAS module configured in login-config.xml, and jboss-web.xml looks like:
      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 2.3V2//EN" "http://www.jboss.org/j2ee/dtd/jboss-web_4_0.dtd">
      <jboss-web>
       <security-domain>java:/jaas/bitastarRealm</security-domain>
      </jboss-web>


      Do you have any suggestions? Do you think what I'm doing makes sense? Can you point me to the right resources, please?



        • 1. Re: Unsecuring wsdl definition
          tremalnaik

          I forgot to say that mine is a JAX-RPC service endpoint.

          • 2. Re: Unsecuring wsdl definition
            tremalnaik

            If I proceed like this:

            import java.net.Authenticator;
            import java.net.URL;
            import javax.xml.namespace.QName;
            import javax.xml.rpc.Service;
            import javax.xml.rpc.ServiceFactory;

            // BasicAuthenticator is my own java.net.Authenticator subclass (not shown here);
            // Authenticator.setDefault applies to every HttpURLConnection in the JVM, including the WSDL download
            BasicAuthenticator ba = new BasicAuthenticator("user_a","claves");
            Authenticator.setDefault(ba);
            String urlstr = "https://cor319.cor-fs.com:8443/BitaStarWebServices/TestService?wsdl";
            String argument = "claves";
            System.out.println("Contacting webservice at " + urlstr);
            URL url = new URL(urlstr);
            QName qname = new QName("https://ws.web.bitastar.bitaplus.com/", "TestService");
            ServiceFactory factory = ServiceFactory.newInstance();
            Service service = factory.createService(url, qname);
            WebServicesTestInt wst = (WebServicesTestInt) service.getPort(WebServicesTestInt.class);
            


            I'm able to authenticate, but I'd like to be sure this is a good method (I didn't even need to set the stub login and password properties).
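A complete version of the client approach in reply 2, added here as an example and not code from the thread or from JBoss: it shows why the WSDL fetch succeeded without stub properties (java.net.Authenticator.setDefault is JVM-wide) and limits that to the service host. BasicAuthenticator is my own java.net.Authenticator subclass, since the post does not show the class; WebServicesTestInt, the host, the port and the user name are taken from the post, and the password is read from the console rather than hard-coded.

```java
import java.net.Authenticator;
import java.net.PasswordAuthentication;
import java.net.URL;
import javax.xml.namespace.QName;
import javax.xml.rpc.Service;
import javax.xml.rpc.ServiceFactory;
import javax.xml.rpc.Stub;

public class SecuredWsdlClient {
    // Assumed implementation of the BasicAuthenticator used in reply 2 (the post does not show it).
    // Authenticator.setDefault() is JVM-wide: every HttpURLConnection that receives a 401 calls
    // getPasswordAuthentication(), which is why the WSDL download and the later SOAP calls worked
    // without stub properties. Answer only the service host so other servers or proxies get nothing.
    static final class BasicAuthenticator extends Authenticator {
        private final String host;
        private final String user;
        private final char[] password;

        BasicAuthenticator(String host, String user, char[] password) {
            this.host = host;
            this.user = user;
            this.password = password;
        }

        @Override
        protected PasswordAuthentication getPasswordAuthentication() {
            if (getRequestorType() != RequestorType.SERVER
                    || !host.equalsIgnoreCase(getRequestingHost())) {
                return null; // unknown host or proxy challenge: do not send the credentials
            }
            return new PasswordAuthentication(user, password.clone());
        }
    }

    public static void main(String[] args) throws Exception {
        String host = "cor319.cor-fs.com";
        String urlstr = "https://" + host + ":8443/BitaStarWebServices/TestService?wsdl";
        char[] password = System.console().readPassword("Password for user_a: ");
        Authenticator.setDefault(new BasicAuthenticator(host, "user_a", password));
        QName qname = new QName("https://ws.web.bitastar.bitaplus.com/", "TestService");
        Service service = ServiceFactory.newInstance().createService(new URL(urlstr), qname);
        WebServicesTestInt wst = (WebServicesTestInt) service.getPort(WebServicesTestInt.class);

        // Also set the JAX-RPC stub credentials so the SOAP calls do not depend on the JVM-wide default
        Stub stub = (Stub) wst;
        stub._setProperty(Stub.USERNAME_PROPERTY, "user_a");
        stub._setProperty(Stub.PASSWORD_PROPERTY, new String(password));
    }
}
```

The stub properties cover only the SOAP calls made through the port; the WSDL download at createService() goes through HttpURLConnection, so it still needs the Authenticator (or an unprotected WSDL).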