8 Replies Latest reply on Dec 11, 2009 1:29 AM by srini.ragu

    Securing the WebServices

    srini.ragu

      I am using POJO based web services, and I would like to use pages.xml to restrict access to certain specific URLs.

      As the Seam documentation mentions that the view-id in pages.xml need not be a faces request and can be any GET request, I assume the restrictions I place in pages.xml will be applied.

      But the restriction, or any action that I specify in pages.xml, is never invoked.

      I applied the ContextFilter to the path /services/*, the context under which my web services are exposed.

      It initializes all the Seam components and the context, but it doesn't invoke the action I specified in pages.xml.

      I am not sure this is the right way to do it; please advise if you have done this before.

        • 1. Re: Securing the WebServices
          shane.bryzak

          You can't use pages.xml to secure web service requests.  You should instead be using @Restrict to control access to your web services.  Look at the AuctionService class in the seambay example to see how it's done.

          • 2. Re: Securing the WebServices
            srini.ragu

            When I apply @Restrict to a POJO Seam component which is exposed as a web service endpoint, the restrictions are never applied; however, they work normally when applied to EJB endpoints.

            Aren't they supported for POJO components? I assume that, as JBoss WS sees the endpoint as a normal Java class rather than as a Seam component, that is the reason the interceptor is not kicked in. I manually added the interceptor to the component but it didn't help.



            import javax.jws.HandlerChain;
            import javax.jws.WebService;
            import org.jboss.seam.annotations.Name;
            import org.jboss.seam.annotations.intercept.Interceptor;
            import org.jboss.seam.annotations.security.Restrict;
            import org.jboss.seam.ws.WSSecurityInterceptor;
            @WebService
            @HandlerChain(file="standard-jaxws-endpoint-config.xml")
            @Name("wsService")
            @Restrict("#{s:hasRole('admin')}")
            @Interceptor(within=WSSecurityInterceptor.class)
            public class ServiceImpl implements ServiceInterface
            {
            } // service method bodies were not included in the original post



            The only other way I could think of is to do it by an API call on the identity component in a custom filter, or in code directly inside the POJO endpoint implementation.

            Any ideas or thoughts on achieving this will be helpful.


            Thanks,

            • 3. Re: Securing the WebServices
              shane.bryzak

              Could you please raise this in JIRA?  We definitely need to have support for interceptors with POJO web services.  In the meantime, you could perform your security checks manually (Identity.instance().checkRestriction()) or by simply writing your web service as a facade, which calls Seam components (that are annotated with @Restrict) to do the work.

              • 4. Re: Securing the WebServices
                srini.ragu
                • 5. Re: Securing the WebServices
                  nicokiki

                  Hi Srinivasan,
                  Were you able to use POJO based webservices with Seam?


                  Regards,


                  Nico

                  • 6. Re: Securing the WebServices
                    srini.ragu

                    Yes, I have used a facade to handle security restrictions before invoking the actual service.


                    I haven't checked if using @Restrict directly on the seam webservice component is supported yet.

                    • 7. Re: Securing the WebServices
                      nicokiki

                      Hi Srinivasan,


                      Would it be ok with you if I ask you to post the web.xml configuration, components.xml or any other configuration file that you had to use?


                      And where did you put the file standard-jaxws-endpoint-config.xml in your .ear?



                      I'm stuck with this problem and have tried different ways, and none of them work...




                      Regards,


                      Nico

                      • 8. Re: Securing the WebServices
                        srini.ragu

                        Sorry, I moved from that project a year back, and I don't have the source code with me.

                        You may have to manually check the restriction before you start the actual business process.


                        You can use a JAX-WS interceptor as well.
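The two workarounds suggested in replies 3 and 8 (an explicit Identity.checkRestriction() call, and a plain JAX-WS endpoint acting as a facade over a @Restrict-annotated Seam component), written out as an added example that is not code from this thread or from the Seam project; the class names, the "orderManager" component name and the service name are constructed for illustration.

```java
package example.ws; // constructed package name

import javax.jws.WebMethod;
import javax.jws.WebService;

import org.jboss.seam.Component;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.security.Restrict;
import org.jboss.seam.security.Identity;

// Seam component that does the real work (constructed example). Because the
// facade resolves it through Component.getInstance(), Seam's interceptor
// chain, including the security interceptor that enforces @Restrict, wraps
// every call, so the role check below is applied even though the caller is
// a JBossWS-managed endpoint rather than a Seam component.
@Name("orderManager") // assumed component name
class OrderManager {

    @Restrict("#{s:hasRole('admin')}")
    public String cancelOrder(String orderId) {
        // stand-in for the business logic
        return "cancelled:" + orderId;
    }
}

// JAX-WS POJO endpoint. JBossWS instantiates this class itself, so Seam
// interceptors (and any @Restrict placed here) are not applied to it; it is
// kept as a thin facade.
@WebService(name = "OrderService") // assumed service name
public class OrderServiceEndpoint {

    @WebMethod
    public String cancelOrder(String orderId) {
        // Option 1 (replies 3 and 8): check the restriction explicitly.
        // Throws NotLoggedInException or AuthorizationException on failure,
        // which the JAX-WS runtime reports to the client as a SOAP fault.
        Identity.instance().checkRestriction("#{s:hasRole('admin')}");

        // Option 2 (reply 3): delegate to the Seam component; its own
        // @Restrict is enforced by Seam when the component is looked up and
        // invoked through the container. Either option alone is sufficient.
        OrderManager manager =
                (OrderManager) Component.getInstance("orderManager");
        return manager.cancelOrder(orderId);
    }
}
```

Both options need Seam's contexts (in particular the session context that Identity lives in) to be active for the SOAP request, which is what the ContextFilter mapping on /services/* from the original question provides; without it Identity.instance() has no context to resolve against.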