2 Replies Latest reply on Mar 29, 2007 2:27 PM by peterj

    Accessing a secure WSDL

    peterj

      I have implemented the Echo web service, and client, described at http://jbws.dyndns.org/mediawiki/index.php/JAX-WS_User_Guide#Bottom-Up_.28Using_wsprovide.29. Once those were working, I added BASIC authentication to the web service by adding the following to the web.xml:

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Secure Echo</web-resource-name>
          <url-pattern>/Echo</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>friend</role-name>
        </auth-constraint>
      </security-constraint>
      <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>JBossWS</realm-name>
      </login-config>
      <security-role>
        <role-name>friend</role-name>
      </security-role>


      and I added a jboss-web.xml as follows:

      <?xml version="1.0" encoding="UTF-8"?>
      <jboss-web>
       <security-domain>java:/jaas/JBossWS</security-domain>
      </jboss-web>


      After deploying the web service, I can access the WSDL through a browser after I enter the user name and password in the pop-up dialog box.

      However, I then ran into several problems:

      1) How do I run wsconsume against this WSDL? There does not appear to be any mechanism to pass the user name and password to wsconsume.

      2) I modified my client to set the user name and password on the BindingProvider before I call echo(), but the client fails earlier on because that same BindingProvider information is not used when the WSDL is obtained. I looked at the org.jboss.test.ws.jaxws.samples.context.WebServiceContextJSETestCase class, but it cheats - it gets the WSDL from the file system, not via HTTP.

      I tried adding the annotation @WebContext(secureWSDLAccess = false) to the Echo class, and deployed it again, but even though the server.log indicates that it picked up this setting, my browser still wants a user name and password to access the WSDL, and of course wsconsume and the client still fail (with 401 errors).

      So my question: how do I go about setting the user name and password when requesting the WSDL via wsconsume or client code?

      JBoss AS 5.0.0 beta2 (pulled on Mar 10)
      JBoss WS 1.2.0.GA

        • 1. Re: Accessing a secure WSDL
          jason.greene

          This is an outstanding request to support secured wsdl on the client:
          http://jira.jboss.com/jira/browse/JBWS-939

          @WebContext(secureWSDLAccess) is only used for EJB3 endpoints where you do not have control over the web.xml file.

          You can accomplish this using the war endpoints by securing only POST and not GET.

          Also if you are using JBoss 5, I would recommend using either the version included with it when you check it out of svn, or just grab jbossws trunk. Even though 1.2.0 should work, the APIs in 5 are not yet stable, so latest is best.

          -Jason

          • 2. Re: Accessing a secure WSDL
            peterj

            Thanks, Jason, securing only POST requests worked and the client can once again access the WSDL.
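
The POST-only constraint suggested in reply 1, applied to the web.xml from the original post. This is an added example, not code posted by either participant; the only new line is the `<http-method>` element, and everything else is copied from the original post.

```xml
<!-- Fragment of WEB-INF/web.xml; the rest of the file, including the
     servlet and servlet-mapping for Echo, stays as it was. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Secure Echo</web-resource-name>
    <url-pattern>/Echo</url-pattern>
    <!-- Constrain only POST, which carries the SOAP invocations.
         The WSDL is fetched with GET, which is no longer constrained,
         so wsconsume and the client can read it without credentials. -->
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>friend</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>JBossWS</realm-name>
</login-config>

<security-role>
  <role-name>friend</role-name>
</security-role>
```

Once an `<http-method>` list is present, the container enforces the constraint only for the methods listed, so every other method on `/Echo` is served without authentication and the WSDL should be treated as public. The client still has to set the user name and password on the BindingProvider before calling echo(), since those POST requests require the `friend` role.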