1 Reply Latest reply on Dec 19, 2014 7:36 PM by Tango Charlie

    Expose ejb3 as web service and use WS-Security for auth and authr

    Tango Charlie Newbie



      We have exposed an ejb3 stateless session bean as a soap webservice.

      We need to authenticate using WS-Security (JAXWS).

      We have our home grown authentication soap service which takes in the username and password to authenticate the user.

      We also have our customized roles-permission which needs to be hooked-up with javax.security.auth.Subject, java.security.Principal etc...


      Trying to use the simple approach of handlers and Interceptors but hitting a roadblock.


      Technology used: Jboss-eap-5.1 enterprise edition.


      We have an ejb3 stateless session-bean exposed as a soap webservice. Here are the annotations used:


      @javax.jws.WebService(portName = "ABCSecurityServicePort",
              serviceName = "ABCSecurityService",
              targetNamespace = "http://abc.endpoint.web.com/",
              wsdlLocation = "META-INF/wsdl/abc.wsdl")
      @SOAPBinding(style = SOAPBinding.Style.DOCUMENT)
      //@HandlerChain(file = "META-INF/handler-chains.xml")
      @InInterceptors(interceptors = {

      We plan to use WS_Security to do authentication and authorization with username token ws-policy.

      The ws-policy used is:

      <wsp:Policy wsu:Id="SecurityServiceUsernameHashPasswordPolicy">
        <sp:SupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
          <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">

      Approach 1


      - Defined the custom handler ( extends javax.xml.ws.handler.soap.SOAPHandler).

      - Get the username, password from the soap header and do authentication.

      - Can load all the role-permission from the db but do have the handle to the SecurityContext to set the Principal and Subject object.


      Approach 2


      - Here using the @InInterceptors ( extends org.apache.cxf.ws.security.wss4j.AbstractUsernameTokenAuthenticatingInterceptor )

      - Created the jbossws-cxf.xml ( see attached ) and copied this into META-INF folder. As we have attached the interceptor in this file, we need not have the annotation.

      - This interceptor has a handle to the soap message and also to the SecurityContext, which I can use to load the Subject and Principal objects.

      After adding this configuration, the container is invoking the InInterceptor defined to do auth and authr.


      After googling, found that we need to use (jboss-ep-ws-cxf-5.1.0-installer.zip), which will replace JBossWS Native with JBossWS CXF, and only then will the @InInterceptor be invoked.


      Any idea on this approach, or any other approach to avoid the zip installation?
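For readers following Approach 2, here is an added example (not code from the post or from JBoss/CXF) of what the interceptor subclass itself looks like once the CXF stack is active: it verifies the UsernameToken against a credential store and builds the Subject (user Principal first, then a "Roles" Group) that the base class turns into the message's SecurityContext. Assumptions, to be checked against the CXF/WSS4J versions in the chosen JBossWS stack: the CXF 2.2.x abstract method createSubject(name, password, isDigest, nonce, created), the WSS4J 1.5 helper UsernameToken.doPasswordDigest, the JBoss SimplePrincipal/SimpleGroup classes, the setProperty calls on the interceptor, and the package name and the in-memory user/role tables, which are constructed for the example in place of the home-grown auth service and DB.

```java
// Added example (not from the post, not JBoss/CXF code). Package name is hypothetical.
package com.web.endpoint.abc.security;

import java.security.MessageDigest;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.security.auth.Subject;

import org.apache.cxf.ws.security.wss4j.AbstractUsernameTokenAuthenticatingInterceptor;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.message.token.UsernameToken;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;

public class HomeGrownUsernameTokenInterceptor extends AbstractUsernameTokenAuthenticatingInterceptor {

    // Constructed stand-in for the home-grown auth service and the roles DB
    // (a real deployment would call those instead of reading these maps).
    private static final Map<String, String> PASSWORDS = new HashMap<String, String>();
    private static final Map<String, Set<String>> ROLES = new HashMap<String, Set<String>>();
    static {
        PASSWORDS.put("alice", "s3cret-example");
        ROLES.put("alice", new HashSet<String>(Arrays.asList("Customer", "ReportViewer")));
    }

    public HomeGrownUsernameTokenInterceptor() {
        super(new HashMap<String, Object>());
        // Assumed WSS4J handler properties: process only a UsernameToken and expect
        // the hashed form, matching the "...UsernameHashPasswordPolicy" above.
        setProperty(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN);
        setProperty(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_DIGEST);
    }

    // Called by the base class once the token has been parsed out of the SOAP header.
    // Throwing SecurityException makes the base class fault the request.
    @Override
    protected Subject createSubject(String name, String password, boolean isDigest,
                                    String nonce, String created) throws SecurityException {
        String stored = PASSWORDS.get(name);
        // Same message for unknown user and wrong password, so callers cannot enumerate users.
        if (stored == null || !passwordMatches(stored, password, isDigest, nonce, created)) {
            throw new SecurityException("Authentication failed");
        }

        Subject subject = new Subject();
        // The base class expects the caller's identity to be the FIRST principal
        // (it compares that principal's name with the token's username).
        subject.getPrincipals().add(new SimplePrincipal(name));

        // JBoss convention: roles live in a Group named "Roles"; CXF's
        // DefaultSecurityContext.isUserInRole walks Group members, so
        // @RolesAllowed / isUserInRole("Customer") resolve against these.
        SimpleGroup roles = new SimpleGroup("Roles");
        Set<String> userRoles = ROLES.get(name);
        if (userRoles != null) {
            for (String role : userRoles) {
                roles.addMember(new SimplePrincipal(role));
            }
        }
        subject.getPrincipals().add(roles);
        subject.setReadOnly();
        return subject;
    }

    // PasswordDigest = Base64(SHA-1(nonce + created + password)); we can only recompute it
    // if the server still holds the shared secret, which is why the store above keeps it.
    static boolean passwordMatches(String stored, String presented, boolean isDigest,
                                   String nonce, String created) {
        if (presented == null) {
            return false;
        }
        String expected = isDigest ? UsernameToken.doPasswordDigest(nonce, created, stored) : stored;
        // Length-independent comparison to avoid leaking where the mismatch occurs.
        return MessageDigest.isEqual(expected.getBytes(), presented.getBytes());
    }
}
```

The class is registered exactly as the post describes, either through @InInterceptors(interceptors = {...}) on the bean or in jbossws-cxf.xml, and it only runs when the CXF stack is the one dispatching the endpoint. Two things the base class does not do for you and that are worth adding before production use: freshness checking of the nonce/created values against a replay cache, and moving the credential lookup to the home-grown service over a channel that itself requires TLS, since a digest-only token does not encrypt anything else in the message.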