0 Replies Latest reply on Jun 17, 2011 4:19 PM by demetriorpc

    How to prevent a user to download the keystore?

    demetriorpc

      I am using JBoss 6 and JBossWS, but the client will be in C#. I created a simple web service and I want to allow only https.

      I did these steps:

      1) keytool.exe -genkey -alias Tomcat -keyalg RSA -storepass bigsecret -keypass bigsecret -dname "cn=localhost"

      2) Update the server.xml with this block:

        <Connector protocol="HTTP/1.1" SSLEnabled="true"
                 port="8443" address="${jboss.bind.address}"
                 maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
                 emptySessionPath="true"
                 scheme="https" secure="true" clientAuth="false"
                 keystoreFile="${jboss.server.home.dir}/conf/.keystore"
                 sslProtocol="TLS" keystorePass="bigsecret"/>

      3) I exported the self-signed public key from HOME/.keystore by executing the following:
      D:\>keytool.exe -export -rfc -alias Tomcat -file Tomcat.cer -storepass bigsecret -keypass bigsecret

      4) I created the custom keystore for the client by importing Tomcat.cer:
      D:\>keytool.exe -import -noprompt -trustcacerts -alias Tomcat -file Tomcat.cer -keystore CustomKeystore -storepass littlesecret

      5) I updated web.xml with this block:

          <security-constraint>
              <web-resource-collection>
                  <web-resource-name>app-name</web-resource-name>
                  <url-pattern>/*</url-pattern>
              </web-resource-collection>
              <user-data-constraint>
                  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
              </user-data-constraint>
          </security-constraint>

      Now it's working perfectly when I try to test. It's not allowed to access by http, only by https.

      The only problem is that every person who tried to access the https://mycomputer:8443/myproject/mywsd?wsdl is allowed.

      My intention is that only those to whom I send the keystore or the .cer inside the keystore could access the web service and see the wsdl file.

      What should I do? Is there a configuration in JBoss6 to prevent the wsdl file from being downloaded?
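The post's connector has clientAuth="false", so the server only proves its own identity and any client that reaches port 8443 can fetch the WSDL; restricting access to holders of a certificate is what client-certificate authentication on the connector does. Added example, not from the original post or the JBoss project: the posted connector beside one that requires a client certificate; the truststore path and password are assumed values, and the truststore must hold each client's own certificate, not the server's Tomcat.cer (which only lets clients verify the server).

```xml
<!-- Posted configuration: TLS is enforced, but every client is accepted -->
<Connector protocol="HTTP/1.1" SSLEnabled="true"
           port="8443" address="${jboss.bind.address}"
           maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
           emptySessionPath="true"
           scheme="https" secure="true" clientAuth="false"
           keystoreFile="${jboss.server.home.dir}/conf/.keystore"
           sslProtocol="TLS" keystorePass="bigsecret"/>

<!-- Mutual TLS: the handshake is rejected unless the client presents a
     certificate that the truststore trusts, so unauthenticated clients
     never reach the WSDL or the web service.
     truststoreFile / truststorePass are assumed values for this example. -->
<Connector protocol="HTTP/1.1" SSLEnabled="true"
           port="8443" address="${jboss.bind.address}"
           maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
           emptySessionPath="true"
           scheme="https" secure="true" clientAuth="true"
           keystoreFile="${jboss.server.home.dir}/conf/.keystore"
           keystorePass="bigsecret"
           truststoreFile="${jboss.server.home.dir}/conf/client.truststore"
           truststorePass="trustsecret"
           sslProtocol="TLS"/>
```

Each client needs its own key pair (keytool -genkey) whose exported certificate the server administrator imports into client.truststore with keytool -import; the C# client then presents that certificate when it connects, and anyone without one fails the handshake before any URL is served.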