5 Replies Latest reply on Nov 4, 2012 8:09 PM by spyhunter99

    MessageContext.WSDL_DESCRIPTION needs authentication?

    sfcoy

      Hi there,

       

      We have a server-side javax.xml.ws.handler.LogicalHandler in which we grab a URI reference to the WSDL using

       

      {code:java}URI wsdlURI = (URI)messageContext.get(MessageContext.WSDL_DESCRIPTION);{code}

       

      The associated web service is secured using standard servlet security mechanisms.

       

      The webservice itself declares a wsdlLocation:

       

      {code:java}

      @WebService(serviceName = "AutoResponseService",

                  portName = "AutoResponseServicePort",

                  endpointInterface = "com.somecompany.ws.autoresponse.AutoResponseService",

                  wsdlLocation = "WEB-INF/wsdl/AutoResponse.wsdl",

                  targetNamespace = "http://ws.somcompany.com/AutoResponseService")

      @HandlerChain(file = "HandlerConfig.xml")

      public class AutoResponseServiceImpl implements AutoResponseService {

      ...

      }{code}

       

      It seems that the JBossWS implementation returns an external http based URI to the WSDL which needs to be authenticated in order to be read.

       

      Other JAX-WS implementations do not do this, but in fact return a URI to the WSDL provided by the wsdlLocation attribute of the @WebService as shown above. This can safely be read without the need for (superfluous) authentication.

       

      How can we portably get access to the WSDL in a handler without the need to authenticate?

       

      Thanks

        • 1. Re: MessageContext.WSDL_DESCRIPTION needs authentication?
          spyhunter99

          that's an easy one. always reference a local wsdl file when creating proxies. The wsdl can be local on disk or in a WEB-INF folder or whatever.

           

          The rest of this reply is my opinion.

           

          The fact that almost all the jax-ws stacks require a wsdl xml file (either locally or from a remote http server) in order to do anything is stupid. The developer already had access to the file when he/she wrote the code. If the wsdl changes, the code will probably stop working anyhow, so what's the point? Endpoint redirection?

          • 2. Re: MessageContext.WSDL_DESCRIPTION needs authentication?
            sfcoy

            spyhunter99 wrote:

             

            that's an easy one. always reference a local wsdl file when creating proxies. The wsdl can be local on disk or in a WEB-INF folder or whatever.

             

            ...

            We in fact do this everywhere now. But this is the server implementation, not the client.

             

            ...

             

            The fact that almost all the jax-ws stacks require a wsdl xml file (either locally or from a remote http server) in order to do anything is stupid. The developer already had access to the file when he/she wrote the code. If the wsdl changes, the code will probably stop working anyhow, so what's the point? Endpoint redirection?

            Indeed

            • 3. Re: MessageContext.WSDL_DESCRIPTION needs authentication?
              spyhunter99

              Alrighty, for service implementations:

              If you're deploying an EJB (standalone jar file in the deploy folder) - include your wsdl and all supporting metadata files in the JAR file's WEB-INF/wsdl folder of the jar.

              if you're deploying a service within a WAR file - include your wsdl and all supporting metadata files in the WAR file's WEB-INF/wsdl folder of the jar.

               

              Modify the implementation class's @WebService annotation

               

              @WebService(serviceName = "MyService", name = "MyService", targetNamespace = "MyNamespace", wsdlLocation = "WEB-INF/wsdl/MyWsdl.wsdl")

               

               

              Note: If you're using servlet container style authentication (http basic, digest, etc), such as with a WAR, clients will have to authenticate if they do not already possess the wsdl/xsds locally.

              To work around this, add a directory to your WAR that does not require authentication and copy your wsdl's there. Then tell your clients to use that wsdl. Revise the endpoints in the unprotected dir to have the correct endpoints listed.

               

              Bonus point: include this with your automated build process (a la jenkins)

              • 4. Re: MessageContext.WSDL_DESCRIPTION needs authentication?
                sfcoy

                spyhunter99 wrote:

                 

                ...

                 

                Modify the implementation class's @WebService annotation

                 

                @WebService(serviceName = "MyService", name = "MyService", targetNamespace = "MyNamespace", wsdlLocation = "WEB-INF/wsdl/MyWsdl.wsdl")

                 

                ...

                If you read the question you will see that this is in fact what I have done.

                • 5. Re: MessageContext.WSDL_DESCRIPTION needs authentication?
                  spyhunter99

                  There is no portable solution. There's a few ways to do it in a stack specific method but the most generic way (assuming anonymous wsdl access) is to use an http client to perform an http get message to the invocation point with a ?Wsdl.

                   

                  I was doing something similar, a jaxws handler that detected one way transactions. This too is not easily known in a portable way and thus access to the wsdl is really the most reliable method to do so.