I am using JBoss 6 and JBossWS, but the client will be in C#. I created a simple web service and I want to allow only https.
I did these steps:
1) keytool.exe -genkey -alias Tomcat -keyalg RSA -storepass bigsecret -keypass bigsecret -dname "cn=localhost"
2) Update the server.xml with this block:
<Connector protocol="HTTP/1.1" SSLEnabled="true"
           port="8443" address="${jboss.bind.address}"
           maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
           emptySessionPath="true"
           scheme="https" secure="true" clientAuth="false"
           keystoreFile="${jboss.server.home.dir}/conf/.keystore"
           sslProtocol="TLS" keystorePass="bigsecret"/>
3) I exported the self-signed public key from HOME/.keystore by executing the following:
D:\>keytool.exe -export -rfc -alias Tomcat -file Tomcat.cer -storepass bigsecret -keypass bigsecret
4) I created the custom keystore for the client by importing Tomcat.cer:
D:\>keytool.exe -import -noprompt -trustcacerts -alias Tomcat -file Tomcat.cer -keystore CustomKeystore -storepass littlesecret
5) I updated web.xml with this block:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>app-name</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
Now it works perfectly when I test it. Access over http is not allowed, only over https.
The only problem is that everyone who tries to access https://mycomputer:8443/myproject/mywsd?wsdl is allowed in.
My intention is that only those to whom I send the keystore (or the .cer inside the keystore) should be able to access the web service and see the wsdl file.
What should I do? Is there a configuration in JBoss 6 to prevent the wsdl file from being downloaded?
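As an added check (not code from the question or from JBoss), the following script parses the two fragments posted above and reports what they actually enforce: the web.xml constraint forces HTTPS for `/*`, while the Connector has `clientAuth="false"`, so the server never asks the client for a certificate and the client-side truststore only lets the client verify the server, not the other way round. The sample XML strings are constructed copies of the posted fragments; real files with an XML namespace would need namespace-aware tag names.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the Connector from the question (wrapped so it parses).
SERVER_XML = """<Server><Service>
<Connector protocol="HTTP/1.1" SSLEnabled="true"
    port="8443" address="${jboss.bind.address}"
    maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
    emptySessionPath="true"
    scheme="https" secure="true" clientAuth="false"
    keystoreFile="${jboss.server.home.dir}/conf/.keystore"
    sslProtocol="TLS" keystorePass="bigsecret"/>
</Service></Server>"""

# Constructed sample mirroring the web.xml security-constraint from the question.
WEB_XML = """<web-app>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>app-name</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
</web-app>"""


def audit_connector(server_xml):
    """One finding per SSL-enabled Connector: does it require a client certificate?"""
    findings = []
    for c in ET.fromstring(server_xml).iter("Connector"):
        if c.get("SSLEnabled", "false").lower() != "true":
            continue
        client_auth = c.get("clientAuth", "false").lower()
        findings.append({
            "port": c.get("port"),
            "clientAuth": client_auth,
            # "want" only requests a certificate; only "true" rejects clients without one.
            "client_cert_required": client_auth == "true",
            # Without a truststoreFile the server has nothing to validate client certs against.
            "truststore_configured": c.get("truststoreFile") is not None,
        })
    return findings


def confidential_patterns(web_xml):
    """URL patterns that web.xml forces onto HTTPS (transport-guarantee CONFIDENTIAL)."""
    patterns = []
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        guarantee = sc.findtext("user-data-constraint/transport-guarantee", "NONE")
        if guarantee.strip() == "CONFIDENTIAL":
            patterns += [p.text.strip() for p in sc.iter("url-pattern")]
    return patterns
```

Running `audit_connector(SERVER_XML)` on the posted Connector reports `client_cert_required: False` and `truststore_configured: False`, which matches the observed behaviour that any HTTPS client can fetch the WSDL.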