0 Replies Latest reply on Mar 3, 2014 1:11 PM by Frank Langelage

    Secure SOAP-WebServices?

    Frank Langelage Master

      Currently my ear-application provides web-services unsecured, only used for internal purposes by our web-application.

      Now we have the requirement, that other's want to use certain web-services which therefore should be secured.

      Where is a good explanation how to this using WildFly?

       

      I started adding security-constraint, security-role and login-config to the web.xml of the web-services module like I already did for the web-application.

      <web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"

            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

            xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"

            version="3.1">

          <security-constraint>

              <web-resource-collection>

                  <web-resource-name>sales</web-resource-name>

                  <url-pattern>/*</url-pattern>

              </web-resource-collection>

              <auth-constraint>

                  <role-name>sales</role-name>

              </auth-constraint>

              <user-data-constraint>

                  <transport-guarantee>NONE</transport-guarantee>

              </user-data-constraint>

          </security-constraint>

          <security-role>

              <role-name>sales</role-name>

          </security-role>

          <login-config>

              <auth-method>BASIC</auth-method>

              <realm-name>mbisso</realm-name>

          </login-config>

      </web-app>

       

      Accessing the web-service ends up in HTTP 401 Unauthorized which shows that security is working.

      Caused by: java.io.IOException: Server returned HTTP response code: 401 for URL: http://os-sol10:8080/mbi-ws/mbi2e-gp3/sales/SalesOrderFindWS?wsdl                                                                                                                 

       

      But this happens already in the constructor of the web-service client. How can I add credentials or make the lookup of the wsdl insecure?

      For access the use of a binding provider is the right way like shown below?

      @WebServiceClient

      public class SalesOrderFindService extends Service

      {

      ...

      public SalesOrderFindWSI getSalesOrderFindWSPort()
      {
          SalesOrderFindWSI wsi = this.getPort( new QName( "http://sales.ws.fn.mbisoftware.biz/", "SalesOrderFindWSPort" ), SalesOrderFindWSI.class );
          BindingProvider bindingProvider = (BindingProvider)wsi;
          bindingProvider.getRequestContext().put( BindingProvider.USERNAME_PROPERTY, "..." );
          bindingProvider.getRequestContext().put( BindingProvider.PASSWORD_PROPERTY, "......" );
          return wsi;
      }

      }

       

      @WebService

      @SOAPBinding(style = SOAPBinding.Style.RPC)

      public interface SalesOrderFindWSI

      {

      ...

      }

      @WebService(endpointInterface = "biz.mbisoftware.fn.ws.sales.SalesOrderWSI", serviceName = "SalesOrderWS")

      public class SalesOrderWS implements SalesOrderWSI

      {

      ...

      }