3 Replies Latest reply on Nov 16, 2006 4:38 AM by Thomas Diesler

    WS basic auth only for post requests

    Per Wahlstrom Newbie

      I've created a web service, and added basic authentication according to the user-guide chapter 13 (http://labs.jboss.com/portal/jbossws/user-guide/en/html/secure-ejb.html), but it results in basic auth being activated for both GET and POST. I want access to the wsdl to be public.

      The web service is defined using webservices.xml, jboss.xml, and ejb-jar.xml, and is contained in a jar file.

      I notice in the web.xml file generated by jboss on deploy, that both GET and POST is specified in the security-constraint.

      Any ideas on how I can make access to the wsdl (GET requests) public, and only the ws-methods (POST requests) authenticated?

      /Per

      webservices.xml:

       <webservice-description>
       <webservice-description-name>MyService</webservice-description-name>
       <wsdl-file>META-INF/wsdl/MyService.wsdl</wsdl-file>
       <jaxrpc-mapping-file>META-INF/MyService-mapping.xml</jaxrpc-mapping-file>
       <port-component>
       <port-component-name>MyService</port-component-name>
       <wsdl-port>MyServicePort</wsdl-port>
       <service-endpoint-interface>com.test.ws.MyServiceEndpoint</service-endpoint-interface>
       <service-impl-bean>
       <ejb-link>MyServiceBean</ejb-link>
       <servlet-link></servlet-link>
       </service-impl-bean>
       </port-component>
       </webservice-description>
      


      jboss.xml:
      <jboss>
       <security-domain>java:/jaas/my-security-domain</security-domain>
       <enterprise-beans>
       <session>
       <ejb-name>MyServiceBean</ejb-name>
       <port-component>
       <port-component-name>MyService</port-component-name>
       <port-component-uri>/ws/MyService</port-component-uri>
       <auth-method>BASIC</auth-method>
       </port-component>
       </session>
       </enterprise-beans>
      </jboss>
      


      ejb-jar.xml:
       <enterprise-beans>
       <session>
       <ejb-name>MyServiceBean</ejb-name>
       <service-endpoint>com.test.ws.MyServiceEndpoint</service-endpoint>
       <ejb-class>com.test.ws.MyServiceSLSB</ejb-class>
       <session-type>Stateless</session-type>
       <transaction-type>Container</transaction-type>
       <security-role-ref>
       <role-name>@ROLE_EXPORT@</role-name>
       </security-role-ref>
       <security-role-ref>
       <role-name>@ROLE_IMPORT@</role-name>
       </security-role-ref>
       </session>
       </enterprise-beans>
      
       <assembly-descriptor>
       <security-role>
       <role-name>@ROLE_IMPORT@</role-name>
       </security-role>
       <security-role>
       <role-name>@ROLE_EXPORT@</role-name>
       </security-role>
       <method-permission>
       <role-name>@ROLE_IMPORT@</role-name>
       <method>
       <ejb-name>MyServiceBean</ejb-name>
       <method-name>submit</method-name>
       </method>
       </method-permission>
       <method-permission>
       <role-name>@ROLE_EXPORT@</role-name>
       <method>
       <ejb-name>MyServiceBean</ejb-name>
       <method-name>fetch</method-name>
       </method>
       </method-permission>
       </assembly-descriptor>
      


        • 1. Re: WS basic auth only for post requests
          Thomas Diesler Master

          There is good reason, why we protect access to the wsdl.

          Please see

          http://jira.jboss.org/jira/browse/JBWS-723

          and vote for making this configurable.

          • 2. Re: WS basic auth only for post requests
            Ales Justin Master

            Is there a way to currently get a BASIC auth secured .wsdl with JBossWS?

            WSDLDefinitionsFactory
            
             private Document getDocument(URL wsdlLocation) throws WSDLException
             {
             try
             {
             InputStream wsdlInputStream = wsdlLocation.openStream();
             try
             {
             DocumentBuilder builder = DOMUtils.getDocumentBuilder();
             return builder.parse(wsdlInputStream);
             }
             finally
             {
             wsdlInputStream.close();
             }
             }
             catch (ConnectException ex)
             {
             throw new WSDLException("Cannot connect to: " + wsdlLocation);
             }
             catch (Exception ex)
             {
             throw new WSDLException("Cannot parse wsdlLocation: " + wsdlLocation, ex);
             }
             }
            


            This is probably the code that fetches .wsdl?
            How to push username / password in?

            Should be using something like this then:
             if(!wsdlurl.getProtocol().startsWith("http"))
             return new InputSource(uri);
             java.net.URLConnection connection = wsdlurl.openConnection();
             if(!(connection instanceof HttpURLConnection))
             return new InputSource(uri);
             HttpURLConnection uconn = (HttpURLConnection)connection;
             String userinfo = wsdlurl.getUserInfo();
             uconn.setRequestMethod("GET");
             uconn.setAllowUserInteraction(false);
             uconn.setDefaultUseCaches(false);
             uconn.setDoInput(true);
             uconn.setDoOutput(false);
             uconn.setInstanceFollowRedirects(true);
             uconn.setUseCaches(false);
             String auth = null;
             if(userinfo != null)
             auth = userinfo;
             else
             if(username != null)
             auth = password != null ? username + ":" + password : username;
             if(auth != null)
             uconn.setRequestProperty("Authorization", "Basic " + base64encode(auth.getBytes("ISO-8859-1")));
             uconn.connect();
             return new InputSource(uconn.getInputStream());