3 Replies Latest reply on Nov 16, 2006 4:38 AM by thomas.diesler

    WS basic auth only for post requests

    waperboy

      I've created a web service, and added basic authentication according to the user-guide chapter 13 (http://labs.jboss.com/portal/jbossws/user-guide/en/html/secure-ejb.html), but it results in basic auth being activated for both GET and POST. I want access to the wsdl to be public.

      The web service is defined using webservices.xml, jboss.xml, and ejb-jar.xml, and is contained in a jar file.

      I notice in the web.xml file generated by jboss on deploy, that both GET and POST are specified in the security-constraint.

      Any ideas on how I can make access to the wsdl (GET requests) public, and only the ws-methods (POST requests) authenticated?

      /Per

      webservices.xml:

      <webservice-description>
        <webservice-description-name>MyService</webservice-description-name>
        <wsdl-file>META-INF/wsdl/MyService.wsdl</wsdl-file>
        <jaxrpc-mapping-file>META-INF/MyService-mapping.xml</jaxrpc-mapping-file>
        <port-component>
          <port-component-name>MyService</port-component-name>
          <wsdl-port>MyServicePort</wsdl-port>
          <service-endpoint-interface>com.test.ws.MyServiceEndpoint</service-endpoint-interface>
          <service-impl-bean>
            <ejb-link>MyServiceBean</ejb-link>
            <servlet-link></servlet-link>
          </service-impl-bean>
        </port-component>
      </webservice-description>
      


      jboss.xml:
      <jboss>
        <security-domain>java:/jaas/my-security-domain</security-domain>
        <enterprise-beans>
          <session>
            <ejb-name>MyServiceBean</ejb-name>
            <port-component>
              <port-component-name>MyService</port-component-name>
              <port-component-uri>/ws/MyService</port-component-uri>
              <auth-method>BASIC</auth-method>
            </port-component>
          </session>
        </enterprise-beans>
      </jboss>
      


      ejb-jar.xml:
      <enterprise-beans>
        <session>
          <ejb-name>MyServiceBean</ejb-name>
          <service-endpoint>com.test.ws.MyServiceEndpoint</service-endpoint>
          <ejb-class>com.test.ws.MyServiceSLSB</ejb-class>
          <session-type>Stateless</session-type>
          <transaction-type>Container</transaction-type>
          <security-role-ref>
            <role-name>@ROLE_EXPORT@</role-name>
          </security-role-ref>
          <security-role-ref>
            <role-name>@ROLE_IMPORT@</role-name>
          </security-role-ref>
        </session>
      </enterprise-beans>

      <assembly-descriptor>
        <security-role>
          <role-name>@ROLE_IMPORT@</role-name>
        </security-role>
        <security-role>
          <role-name>@ROLE_EXPORT@</role-name>
        </security-role>
        <method-permission>
          <role-name>@ROLE_IMPORT@</role-name>
          <method>
            <ejb-name>MyServiceBean</ejb-name>
            <method-name>submit</method-name>
          </method>
        </method-permission>
        <method-permission>
          <role-name>@ROLE_EXPORT@</role-name>
          <method>
            <ejb-name>MyServiceBean</ejb-name>
            <method-name>fetch</method-name>
          </method>
        </method-permission>
      </assembly-descriptor>
      


        • 1. Re: WS basic auth only for post requests
          thomas.diesler

          There is a good reason why we protect access to the wsdl.

          Please see

          http://jira.jboss.org/jira/browse/JBWS-723

          and vote for making this configurable.

          • 2. Re: WS basic auth only for post requests
            alesj

            Is there a way to currently get a BASIC auth secured .wsdl with JBossWS?

            WSDLDefinitionsFactory
            
            private Document getDocument(URL wsdlLocation) throws WSDLException
            {
               try
               {
                  InputStream wsdlInputStream = wsdlLocation.openStream();
                  try
                  {
                     DocumentBuilder builder = DOMUtils.getDocumentBuilder();
                     return builder.parse(wsdlInputStream);
                  }
                  finally
                  {
                     wsdlInputStream.close();
                  }
               }
               catch (ConnectException ex)
               {
                  throw new WSDLException("Cannot connect to: " + wsdlLocation);
               }
               catch (Exception ex)
               {
                  throw new WSDLException("Cannot parse wsdlLocation: " + wsdlLocation, ex);
               }
            }
            


            This is probably the code that fetches .wsdl?
            How to push username / password in?

            Should be using something like this then:
            if(!wsdlurl.getProtocol().startsWith("http"))
               return new InputSource(uri);
            java.net.URLConnection connection = wsdlurl.openConnection();
            if(!(connection instanceof HttpURLConnection))
               return new InputSource(uri);
            HttpURLConnection uconn = (HttpURLConnection)connection;
            String userinfo = wsdlurl.getUserInfo();
            uconn.setRequestMethod("GET");
            uconn.setAllowUserInteraction(false);
            uconn.setDefaultUseCaches(false);
            uconn.setDoInput(true);
            uconn.setDoOutput(false);
            uconn.setInstanceFollowRedirects(true);
            uconn.setUseCaches(false);
            String auth = null;
            if(userinfo != null)
               auth = userinfo;
            else if(username != null)
               auth = password != null ? username + ":" + password : username;
            if(auth != null)
               uconn.setRequestProperty("Authorization", "Basic " + base64encode(auth.getBytes("ISO-8859-1")));
            uconn.connect();
            return new InputSource(uconn.getInputStream());
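
Added example (not part of the thread and not JBossWS code): fetching a WSDL that sits behind HTTP Basic auth by setting the Authorization header on the GET, as the snippet in reply 2 proposes, then parsing it with DOCTYPE declarations refused. The class name, the loopback test server and the demo-user/demo-pass credentials are constructed for illustration.

```java
import com.sun.net.httpserver.BasicAuthenticator;
import com.sun.net.httpserver.HttpServer;
import java.io.InputStream;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

public class AuthenticatedWsdlFetch {
    // Fetch and parse a WSDL, sending HTTP Basic credentials with the GET.
    static Document fetchWsdl(String url, String user, String password) throws Exception {
        HttpURLConnection conn = (HttpURLConnection) URI.create(url).toURL().openConnection();
        conn.setInstanceFollowRedirects(false); // a redirect is reported as an error below
        String token = Base64.getEncoder().encodeToString(
                (user + ":" + password).getBytes(StandardCharsets.ISO_8859_1));
        conn.setRequestProperty("Authorization", "Basic " + token);
        int status = conn.getResponseCode();
        if (status != 200) throw new IllegalStateException("WSDL fetch failed: HTTP " + status);
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // The WSDL is remote input: refuse DOCTYPE declarations when parsing it.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        try (InputStream in = conn.getInputStream()) {
            return dbf.newDocumentBuilder().parse(in);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a protected endpoint: loopback server, made-up credentials.
        byte[] wsdl = "<definitions name='MyService'/>".getBytes(StandardCharsets.UTF_8);
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/ws/MyService", ex -> {
            ex.sendResponseHeaders(200, wsdl.length);
            ex.getResponseBody().write(wsdl);
            ex.close();
        }).setAuthenticator(new BasicAuthenticator("my-security-domain") {
            @Override public boolean checkCredentials(String u, String p) {
                return "demo-user".equals(u) && "demo-pass".equals(p);
            }
        });
        server.start();
        String url = "http://127.0.0.1:" + server.getAddress().getPort() + "/ws/MyService?wsdl";
        try {
            Document doc = fetchWsdl(url, "demo-user", "demo-pass");
            System.out.println(doc.getDocumentElement().getAttribute("name"));
        } finally {
            server.stop(0);
        }
    }
}
```

Against a real endpoint, use an https URL: Basic credentials are only base64-encoded, so plain HTTP exposes them on the wire.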


            • 3. Re: WS basic auth only for post requests
              thomas.diesler