5 Replies Latest reply on Nov 8, 2006 2:58 PM by qi liu

    Access ejb 3.0 exposed web service using https

    Sureshbabu Thyvalappil Newbie

      Hi,
      I have deployed ejb 3.0 exposed as web service in JBOSS 4.0.4.
      I use annotations to expose it as web service. I'm able to access the
      web service using HTTP. How do I secure it to access using HTTPS?
      One more question..When ejb 3.0 is exposed as web service using
      annotation, is there a .WAR file getting generated behind the scenes and
      getting deployed to tomcat web container ? Or is the exposing web service
      is handled by the ejb container?

      Suresh

        • 1. Re: Access ejb 3.0 exposed web service using https
          Colin Boatwright Newbie

          On your first question, I'm not certain myself but am about to start looking into this myself. I imagine the client will need access to the certificate authority store much like a browser has its list of CAs.

          On your second question: yes. A WAR file is created if you don't have one yourself. If you use the annotations of "@PortComponent" you can set some of the basis info there. Then a web.xml and jboss-web.xml are created for you. However, I found it best to create your own WAR with those files (in the standard WEB-INF location, of course) so you can handle security. It took me a little while to figure out that the generate WAR does not seem (and I'd love if someone knew how to do it) to generate the <security-constraint> and <login-config> nodes required for authentication. It will only generate the <servlet and <servlet-mapping> nodes. The "@PortComponent" annotation has parameters which would lead one to believe (e.g. authMethod) it would create the security nodes as well, but after many days of stuggle, I never could get it to.

          Be sure you define your WAR in your EAR's META-INF/application.xml file. Otherwise, a generated WAR might still be created.

          Since the "ServiceEndpointID" is nicely generated via the generated WAR, you may consider letting it generate it for you the first time and coping the web.xml and jboss-web.xml to your own project for packaging (just go to your JBOSS_HOME/server/SERVER_INSTANCE/tmp/deploy directory and look for your ear.

          If you don't care about authentication then I suppose you could just go with the generated one.

          I'm somewhat new to JBossWS myself, so take my advice with a gain of salt :-)

          • 2. Re: Access ejb 3.0 exposed web service using https
            Sureshbabu Thyvalappil Newbie

            Thank you for your response. It was very helpful. I think I can stick with the generated war file for my current project.
            I've another question. Do you know where I can keep user defined property files external to the application? I know Websphere has a working directory. working directory is like a startup directory.

            • 3. Re: Access ejb 3.0 exposed web service using https
              Giampaolo Tomassoni Newbie

              It seems that jbossws-1.0.3 fixed this: @PortComponent settings seems to be correctly mapped to <transport-guarantee> and <auth-method> entries in the generated web.xml.

              I have another problem anyway: how can I control the <virtual-host> entry in the generated jboss-web.xml?

              I didn't find any useful annotation about it. Besides, I would prefer to control this by an xml file since I'm using stuff like this <virtual-host>${it.myorg.mycustomer.host}</virtual-host> in order to get staging simple.

              Also, I would prefer to avoid building a web app for this because:

              1) I would have to sync the site's web.xml everytime I add/remove an exposed bean;
              2) I'm not shure that jbossws is able to "detect" the fact I'm deploing a war for my WSes, so I guess I would get two publications: one under the ${jboss.bind.address} virtual host, and the other under the wanted one (${it.myorg.mycustomer.host}).

              Regards,

              • 4. Re: Access ejb 3.0 exposed web service using https
                Alessio Soldano Newbie

                 

                "sursha" wrote:
                Hi,
                I have deployed ejb 3.0 exposed as web service in JBOSS 4.0.4.
                I use annotations to expose it as web service. I'm able to access the
                web service using HTTP. How do I secure it to access using HTTPS?


                Apart from doing what other guys said about securing the endpoint, I think you should check that your tomcat+ssl connector is properly configured in order to https to work.
                bye
                Alessio Soldano
                http://www.javalinux.it/blogs/

                • 5. Re: Access ejb 3.0 exposed web service using https
                  qi liu Newbie

                  Could you please elaborate on what do you mean by saying"I am able to access web service from http'? I am learning JBossWS and from what I understand, it can be accessed using HTTP post, not HTTP get. I can see the SOAP request and response from Web service explorer in Eclipse. Are you accessing the web service from a browser? Are you using POST in your client code? If yes, how do you use it?

                  I appreciate your help.