1 Reply Latest reply on Nov 21, 2007 4:41 PM by Alessio Soldano

    Protected Access to WSDL - How to define required Security R

    Robert Mlekus Newbie

      Hi,

      according to JBWS-723 it is possible to protect access to the WSDL requests of Web-Services. Looking at it in more detail it appears that access does require only any valid login, but is not restricted to specific security roles.

      Is it possible to restrict the access to WSDL´s of Web-Services in a role based manner per Web-Service?

      Use case: We have a full web-service API for internal use. For Clients we want to make one or two of these services available without publishing the full API structure (services, data structures,...) related to internal web-services. So the idea is that access to internal web-services and their WSDL requires a security roles which are not granted to clients.

      Kind Regards
      Bertl

        • 1. Re: Protected Access to WSDL - How to define required Securi
          Alessio Soldano Master

           

          "centecbertl" wrote:
          Hi,

          according to JBWS-723 it is possible to protect access to the WSDL requests of Web-Services. Looking at it in more detail it appears that access does require only any valid login, but is not restricted to specific security roles.

          Is it possible to restrict the access to WSDL´s of Web-Services in a role based manner per Web-Service?

          Right now this feature is not available. Feel free to create a feature request issue on JIRA so that we or the community can work on it in the future.

          Use case: We have a full web-service API for internal use. For Clients we want to make one or two of these services available without publishing the full API structure (services, data structures,...) related to internal web-services. So the idea is that access to internal web-services and their WSDL requires a security roles which are not granted to clients.

          Ok, I understand your use case; btw, is it doable for you to use different security domains to protect services that should be accessed by internal users only? this could be another solution...