3 Replies Latest reply on Nov 22, 2006 1:45 PM by Mike Osganian

    Securing POJO Web Service in 4.0.3 SP1

    Sanjay Parmar Newbie

      I have created one POJO Webservice and everything works fine but I run into issues as soon as I try to secure the Web Service. Here are the steps I am following to secure the Web Service.

      -Modified the web.xml to specify the contraints.
      ==============================

      <servlet-name>InfoServiceServlet</servlet-name>
      <servlet-class>com.info.webservice.InfoServiceImpl</servlet-class>

      <servlet-mapping>
      <servlet-name>InfoServiceServlet</servlet-name>
      <url-pattern>/InfoService</url-pattern>
      </servlet-mapping>
      <security-constraint>
      <web-resource-collection>
      <web-resource-name>Protected Area</web-esource-name>
      <url-pattern>/InfoService</url-pattern>
      </web-resource-collection>
      <auth-constraint>
      <role-name>InfoUser</role-name>
      </auth-constraint>
      </security-constraint>

      - Modified the client code to pass the username/password.
      ==============================

      ((Stub) bookQuery)._setProperty(Stub.USERNAME_PROPERTY, "username");
      ((Stub) bookQuery)._setProperty(Stub.PASSWORD_PROPERTY, "password");



      When I run the client, I get following errors on the client side.

      ------------
      HTTP transport error: com.sun.xml.messaging.saaj.SOAPExceptionImpl: Invalid Cont
      ent-Type:text/html. Is this an error message instead of a SOAP response?
      at com.sun.xml.rpc.client.http.HttpClientTransport.invoke(HttpClientTran
      sport.java:148)
      at com.sun.xml.rpc.client.StreamingSender._send(StreamingSender.java:96)

      at com.zafe.webservice.ZafeInfoService_Stub.isServerAlive(ZafeInfoServic
      e_Stub.java:276)
      at com.zafe.test.webservice.TestInfoService.testIsServerAlive(TestInfoSe
      rvice.java:264)
      at com.zafe.test.webservice.TestInfoService.main(TestInfoService.java:67
      )

      CAUSE:
      com.sun.xml.messaging.saaj.SOAPExceptionImpl: Invalid Content-Type:text/html. Is
      this an error message instead of a SOAP response?
      at com.sun.xml.messaging.saaj.soap.MessageImpl.identifyContentType(Messa
      geImpl.java:581)
      at com.sun.xml.messaging.saaj.soap.MessageImpl.(MessageImpl.java:2
      54)
      at com.sun.xml.messaging.saaj.soap.ver1_1.Message1_1Impl.(Message1
      _1Impl.java:49)
      at com.sun.xml.messaging.saaj.soap.ver1_1.SOAPMessageFactory1_1Impl.crea
      teMessage(SOAPMessageFactory1_1Impl.java:43)
      at com.sun.xml.rpc.client.http.HttpClientTransport.readResponse(HttpClie
      ntTransport.java:241)
      at com.sun.xml.rpc.client.http.HttpClientTransport.invoke(HttpClientTran
      sport.java:113)
      at com.sun.xml.rpc.client.StreamingSender._send(StreamingSender.java:96)

      at com.zafe.webservice.ZafeInfoService_Stub.isServerAlive(ZafeInfoServic
      e_Stub.java:276)
      at com.zafe.test.webservice.TestInfoService.testIsServerAlive(TestInfoSe
      rvice.java:264)
      at com.zafe.test.webservice.TestInfoService.main(TestInfoService.java:67
      )

      - I also have modified the jboss-web.xml to specify the security domain.

      Any idea why I am running into this issue? If I remove the security contraint from web.xml, everything works fine.

      Cheers,
      Sanjay

        • 1. Re: Securing POJO Web Service in 4.0.3 SP1
          Sanjay Parmar Newbie

          Alright. I found the problem. I was getting the above error becuase of FORM based authentication in web.xml. I changed that to BASIC authentication and everything is working fine now.

          <login-config>
          <auth-method>BASIC</auth-method>
          <realm-name>Protected Realm</realm-name>
          </login-config>

          Cheers,
          Sanjay

          • 2. Re: Securing POJO Web Service in 4.0.3 SP1
            Mike Osganian Newbie

            Hi Sanjay,

            I am having a similar problem that I was hoping you could help me with. How do you have your client setup to access your web services wsdl files? Do you bundle the wsdl files on the client?

            Currently I have the client accessing my wsdl files by going to: https://localhost:8443/service/MyService?wsdl

            My problem is when I secure my POJO web service in web.xml like:

             <security-constraint>
             <web-resource-collection>
             <web-resource-name>SecureServer</web-resource-name>
             <url-pattern>/service/*</url-pattern>
             <http-method>GET</http-method>
             <http-method>POST</http-method>
             </web-resource-collection>
            <auth-constraint>
             <role-name>USER</role-name>
            </auth-constraint>
             <user-data-constraint>
             <transport-guarantee>CONFIDENTIAL</transport-guarantee>
             </user-data-constraint>
             </security-constraint>
            


            The problem is since my wsdl url is protected just like the service itself. So I end up getting the following error on the client:

             [java] Caused by: java.io.IOException: Server returned HTTP response code:
            401 for URL: https://localhost:8443/service/MyService?wsdl
             [java] at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1153)
             [java] at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
             [java] at java.net.URL.openStream(URL.java:1007)
             [java] at org.jboss.ws.metadata.wsdl.WSDLDefinitionsFactory.getDocument(WSDLDefinitionsFactory.java:181)
            


            Thanks for any help,
            Mike

            • 3. Re: Securing POJO Web Service in 4.0.3 SP1
              Mike Osganian Newbie

              What are people doing out there about their wsdl files? Do they need to be protected? If so how do you create a Service on the client if you need the url to the wsdl file? If not then where do you place the wsdl files since to protect your web service you have to protect http://localhost/service/MyService and the wsdl file is accessed via http://localhost/service/MyService?wsdl

              Also, can you have set an empty password like:

              stub._setProperty(Stub.PASSWORD_PROPERTY, "");

              Seems like it doesn't even try to authenicate if you don't provide a password. Is there a way to open it up to allow empty passwords?

              Thanks again,
              Mike