Secure SOAP-WebServices?
lafr Mar 3, 2014 1:11 PM
Currently my ear-application provides web-services unsecured, only used for internal purposes by our web-application.
Now we have the requirement that others want to use certain web-services, which therefore should be secured.
Where is a good explanation of how to do this using WildFly?
I started adding security-constraint, security-role and login-config to the web.xml of the web-services module like I already did for the web-application.
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>sales</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>sales</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <security-role>
        <role-name>sales</role-name>
    </security-role>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>mbisso</realm-name>
    </login-config>
</web-app>
Accessing the web-service ends up in HTTP 401 Unauthorized which shows that security is working.
Caused by: java.io.IOException: Server returned HTTP response code: 401 for URL: http://os-sol10:8080/mbi-ws/mbi2e-gp3/sales/SalesOrderFindWS?wsdl
But this happens already in the constructor of the web-service client. How can I add credentials or make the lookup of the wsdl insecure?
For access, is the use of a binding provider the right way, as shown below?
@WebServiceClient
public class SalesOrderFindService extends Service
{
    ...
    public SalesOrderFindWSI getSalesOrderFindWSPort()
    {
        SalesOrderFindWSI wsi = this.getPort( new QName( "http://sales.ws.fn.mbisoftware.biz/", "SalesOrderFindWSPort" ), SalesOrderFindWSI.class );
        BindingProvider bindingProvider = (BindingProvider)wsi;
        bindingProvider.getRequestContext().put( BindingProvider.USERNAME_PROPERTY, "..." );
        bindingProvider.getRequestContext().put( BindingProvider.PASSWORD_PROPERTY, "......" );
        return wsi;
    }
}
@WebService
@SOAPBinding(style = SOAPBinding.Style.RPC)
public interface SalesOrderFindWSI
{
...
}
@WebService(endpointInterface = "biz.mbisoftware.fn.ws.sales.SalesOrderWSI", serviceName = "SalesOrderWS")
public class SalesOrderWS implements SalesOrderWSI
{
...
}
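One way to get past the 401 raised while the client constructor fetches `?wsdl`, as an added example that is not part of the original post: build the `Service` from a WSDL copy packaged with the client, so no HTTP request happens before the credentials are set on the port. The class name `SecuredSalesOrderFindClient`, the classpath location of the WSDL, the service local name `SalesOrderFindWS` and the existence of an HTTPS listener on the server (with `transport-guarantee` set to `CONFIDENTIAL` instead of `NONE`) are assumptions.

```java
import java.net.URL;
import java.util.Map;
import javax.xml.namespace.QName;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.Service;

public class SecuredSalesOrderFindClient
{
    private static final String NS = "http://sales.ws.fn.mbisoftware.biz/";

    /**
     * Creates a port for the given service endpoint interface without
     * requesting ?wsdl from the protected server, then attaches the
     * BASIC credentials used for the actual SOAP calls.
     */
    public static <T> T createPort( Class<T> sei, String endpointUrl, String user, String password )
    {
        // BASIC auth is only base64-encoded, so refuse to send it over plain HTTP.
        if ( endpointUrl == null || !endpointUrl.startsWith( "https://" ) )
        {
            throw new IllegalArgumentException( "BASIC credentials must be sent over TLS: " + endpointUrl );
        }

        // Assumption: the WSDL is shipped inside the client jar at this path.
        URL wsdl = SecuredSalesOrderFindClient.class.getResource( "/META-INF/wsdl/SalesOrderFindWS.wsdl" );
        if ( wsdl == null )
        {
            throw new IllegalStateException( "Packaged WSDL not found on the classpath" );
        }

        // Assumption: the service local name; the port name is the one from the post.
        Service service = Service.create( wsdl, new QName( NS, "SalesOrderFindWS" ) );
        T port = service.getPort( new QName( NS, "SalesOrderFindWSPort" ), sei );

        Map<String, Object> ctx = ( (BindingProvider)port ).getRequestContext();
        // Override the address from the packaged WSDL with the real HTTPS endpoint.
        ctx.put( BindingProvider.ENDPOINT_ADDRESS_PROPERTY, endpointUrl );
        ctx.put( BindingProvider.USERNAME_PROPERTY, user );
        ctx.put( BindingProvider.PASSWORD_PROPERTY, password );
        return port;
    }
}
```

The caller passes `SalesOrderFindWSI.class` as `sei` and should read the user name and password from configuration or a credential store rather than from literals in the source.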