Currently my ear-application provides web-services unsecured, only used for internal purposes by our web-application.

Now we have the requirement, that other's want to use certain web-services which therefore should be secured.

Where is a good explanation how to this using WildFly?

I started adding security-constraint, security-role and login-config to the web.xml of the web-services module like I already did for the web-application.

<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"

      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

      xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"

      version="3.1">

    <security-constraint>

        <web-resource-collection>

            <web-resource-name>sales</web-resource-name>

            <url-pattern>/*</url-pattern>

        </web-resource-collection>

        <auth-constraint>

            <role-name>sales</role-name>

        </auth-constraint>

        <user-data-constraint>

            <transport-guarantee>NONE</transport-guarantee>

        </user-data-constraint>

    </security-constraint>

    <security-role>

        <role-name>sales</role-name>

    </security-role>

    <login-config>

        <auth-method>BASIC</auth-method>

        <realm-name>mbisso</realm-name>

    </login-config>

</web-app>

Accessing the web-service ends up in HTTP 401 Unauthorized which shows that security is working.

But this happens already in the constructor of the web-service client. How can I add credentials or make the lookup of the wsdl insecure?

For access the use of a binding provider is the right way like shown below?

@WebServiceClient

public class SalesOrderFindService extends Service

{

...

}

@WebService

@SOAPBinding(style = SOAPBinding.Style.RPC)

public interface SalesOrderFindWSI

{

...

}

@WebService(endpointInterface = "biz.mbisoftware.fn.ws.sales.SalesOrderWSI", serviceName = "SalesOrderWS")

public class SalesOrderWS implements SalesOrderWSI

{

...

}