2 Replies Latest reply on Feb 6, 2007 11:40 AM by Tremal Naik

    Unscuring wsdl definition

    Tremal Naik Newbie

      Hello, I'm using jboss 4.0.2

      I have deployed a simple web service, trying now to secure it. I added the following definitions in the web.xml

       <security-constraint>
       <web-resource-collection>
       <web-resource-name>Protected service</web-resource-name>
       <description>no description</description>
       <url-pattern>/TestService</url-pattern>
       </web-resource-collection>
       <auth-constraint>
       <role-name>BITAStarUser</role-name>
       </auth-constraint>
       <user-data-constraint>
       <transport-guarantee>NONE</transport-guarantee>
       </user-data-constraint>
       </security-constraint>
      
       <login-config>
       <auth-method>BASIC</auth-method>
       </login-config>
      
       <security-role>
       <description>Intranet Bita Star user</description>
       <role-name>BITAStarUser</role-name>
       </security-role>
      


      It protects all request matching /TestService, but it means that it protects the page /TestService?wsdl i.e. the wsdl file as well.

      I'd like to avoid this, otherwise my simple test client will get a 401 error:

      String urlstr = "https://cor319:8443/BitaStarWebServices/TestService?wsdl";
      String argument = "claves";
      System.out.println("Contacting webservice at " + urlstr);
      URL url = new URL(urlstr);
      QName qname = new QName("https://ws.web.bitastar.bitaplus.com/", "TestService");
      ServiceFactory factory = ServiceFactory.newInstance();
      Service service = factory.createService(url, qname);
      WebServicesTestInt wst = (WebServicesTestInt) service.getPort(WebServicesTestInt.class);
      


      Server returned HTTP response code: 401 for URL: https://cor319.cor-fs.com:8443/BitaStarWebServices/TestService?wsdl


      I gave a look to the famous cap 13 of the Jboss WS guide on securing the endpoints, but it looks it's doing something too much for me: I don't need to define ejbs. I'm using a Jaas module configured in login-config.xml and jboss-web.xml looks like:
      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 2.3V2//EN" "http://www.jboss.org/j2ee/dtd/jboss-web_4_0.dtd">
      <jboss-web>
       <security-domain>java:/jaas/bitastarRealm</security-domain>
      </jboss-web>


      do you have any suggestions? Do you think what I'm doing has some sense? Can you point me to the right resources, please?



        • 1. Re: Unscuring wsdl definition
          Tremal Naik Newbie

          I forgot to say that mine is a JAX-RPC service endpoint

          • 2. Re: Unscuring wsdl definition
            Tremal Naik Newbie

            If I proceed like this:

            BasicAuthenticator ba = new BasicAuthenticator("user_a","claves");
            Authenticator.setDefault(ba);
            String urlstr = "https://cor319.cor-fs.com:8443/BitaStarWebServices/TestService?wsdl";
            String argument = "claves";
            System.out.println("Contacting webservice at " + urlstr);
            URL url = new URL(urlstr);
            QName qname = new QName("https://ws.web.bitastar.bitaplus.com/", "TestService");
            ServiceFactory factory = ServiceFactory.newInstance();
            Service service = factory.createService(url, qname);
            WebServicesTestInt wst = (WebServicesTestInt) service.getPort(WebServicesTestInt.class);
            


            I'm able to authenticate, but I'd like to be sure this is a good method (i didn't even need to set the stub login and password properties)