5 Replies Latest reply on Aug 17, 2008 6:53 AM by Kamil Demecki

    Web Service URL pattern

    Alexandros Karypidis Novice

      Hello,

      I have a war file that publishes a POJO web service in JBoss (using the native stack in JBoss AS 4.2.2, which is probably JBossWS 2.0.1). I am trying to restrict access to the web service to authenticated users only. Adding a security-constraint in the deployment descriptor of the war with the * (asterisk) wild-character gets the job done. However, it also restricts access to the auto-generated WSDL published by JBoss.

      This is because JBoss publishes the WSDL under the servlet prefix, adding a ?wsdl parameter. For instance:

      <servlet>
       <servlet-name>MyTestWS</servlet-name>
       <servlet-class>...servlet-class>
       </servlet>
       <servlet-mapping>
       <servlet-name>MyTestWS</servlet-name>
       <url-pattern>/MyTestWS</url-pattern>
       </servlet-mapping>
       <security-constraint>
       <web-resource-collection>
       <web-resource-name>...</web-resource-name>
       <url-pattern>/MyTestWS/*</url-pattern>
       </web-resource-collection>
       ...
       </security-constraint>


      The above causes the web service to be published under:
      http://localhost:8080/MyTestWS

      and the WSDL is published under
      http://localhost:8080/MyTestWS?wsdl


      As a result, clients that try to access the stub generated with wsimport have a problem accessing the WSDL and fail. I need to keep a copy of the WSDL on the client for things to work as follows:

      URL wsdlURL = Launcher.class.getResource("MyTestWS.wsdl");
      // URL wsdlURL = new URL("http://localhost:8080/MyTestWS?wsdl"); // does not work
       QName serviceName = new QName("...",
       "...");
       MyTestWSService rss = new MyTestWSService(wsdlURL,
       serviceName);
       MyTestWS rs = rss.getMyTestWSPort();
      
       BindingProvider bp = (BindingProvider) rs;
       bp.getRequestContext().put(BindingProvider.USERNAME_PROPERTY,
       "xxx");
       bp.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY,
       "yyy");
      
       String t = rs.secureHello();

      The client is able to log in and access the MyTestWS web service when using a local copy of the WSDL only. How can I avoid this? I would like to have the client access the WSDL from the server. I need a way to either:

      1) publish the WSDL in another URL
      2) restrict access to the web service URL but put an exception for URL?wsdl
      3) set the login credentials earlier (as I do with BindingProvider) so that the WSDL can be accessed to construct the stub.

      I don't know how to do any of the above....