To enable BASIC auth you just add auth-method to your jboss.xml file. To require SSL you set transport-guarantee to CONFIDENTIAL. Take a look at the JBoss 4 DTD for more info.

    <port-component>
        <port-component-name>MySecureEJBServiceEndpoint</port-component-name>
        <port-uri>/MySecureEJBServiceEnpoint</port-uri>
        <auth-method>BASIC</auth-method>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </port-component>
Thanks for the quick reply. I do have another question. How do I take into account parameter based security?
Consider the following hypothetical scenario.
I have a service that provides access to a set of books, a library service if you will. Anyone can gain access to the web service, but only authors can modify books, and only their own books. I understand how to prevent/allow access to the write functions. But how do I handle the web service security for which books actually are accessible to the author? The call to Book getAllBooksForEdit() would need to "hook" into the security module and make this business-specific access call.
How is this best achieved?
I added this information to the wiki. Thanks for noticing.
When you are using EJB endpoints the authentication is just being passed to the standard J2EE principal/role based security system. So if you wanted to programmatically make decisions, the J2EE role/principal system exposes two methods, both on the EJBContext object: isCallerInRole() and getPrincipal(). isCallerInRole() requires special security-role-ref tags to be made for every role you wish to test. getPrincipal() will return the username that was passed in the HTTP basic authentication.
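As an added example (not code from this thread or from JBoss itself), here is how the library scenario from the earlier question could use those two EJBContext calls to enforce "authors may edit, but only their own books". The bean, the "author" role name, the book catalogue and the method names are all assumptions for illustration; the EJBContext method that returns the caller is getCallerPrincipal() (the reply above refers to it as getPrincipal()). The security-role-ref that isCallerInRole("author") depends on is shown in the leading comment, since the container rejects the call without it.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.ejb.EJBException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

/*
 * Hypothetical stateless session bean exposed as a JBossWS EJB endpoint.
 * Assumes jboss.xml binds the endpoint with <auth-method>BASIC</auth-method>
 * and that ejb-jar.xml declares, inside this bean's <session> element:
 *
 *   <security-role-ref>
 *     <role-name>author</role-name>
 *     <role-link>author</role-link>
 *   </security-role-ref>
 *
 * Without that reference, ctx.isCallerInRole("author") always returns false.
 */
public class LibraryBean implements SessionBean {
    private SessionContext ctx;

    // Constructed sample catalogue for the example: book id -> owning author.
    // A real service would read this from the data store.
    private static final Map<String, String> OWNERS = new HashMap<String, String>();
    static {
        OWNERS.put("book-1", "alice");
        OWNERS.put("book-2", "bob");
        OWNERS.put("book-3", "alice");
    }

    // Coarse check: the role decides whether the caller may edit anything at all.
    // Fine-grained check: the principal name decides which books come back.
    public List<String> getAllBooksForEdit() {
        requireAuthor();
        String caller = ctx.getCallerPrincipal().getName();
        return booksOwnedBy(caller);
    }

    // Parameter-based authorisation: the book id supplied by the client is
    // checked against the authenticated caller, never against a client-supplied
    // "author" argument, so a caller cannot edit another author's book by
    // naming it.
    public void updateBook(String bookId, String newTitle) {
        requireAuthor();
        String caller = ctx.getCallerPrincipal().getName();
        if (!isOwnedBy(bookId, caller)) {
            // Same response for "not yours" and "does not exist" so the
            // catalogue cannot be enumerated through the error message.
            throw new EJBException("book not editable by caller: " + bookId);
        }
        // ... persist newTitle for bookId ...
    }

    private void requireAuthor() {
        if (!ctx.isCallerInRole("author")) {
            throw new EJBException("caller is not in role author");
        }
    }

    // Pure helpers, kept separate from the container API so they can be unit tested.
    static boolean isOwnedBy(String bookId, String user) {
        String owner = OWNERS.get(bookId);
        return owner != null && owner.equals(user);
    }

    static List<String> booksOwnedBy(String user) {
        List<String> result = new ArrayList<String>();
        for (Map.Entry<String, String> e : OWNERS.entrySet()) {
            if (e.getValue().equals(user)) {
                result.add(e.getKey());
            }
        }
        return result;
    }

    // SessionBean lifecycle callbacks.
    public void setSessionContext(SessionContext c) { ctx = c; }
    public void ejbCreate() { }
    public void ejbRemove() { }
    public void ejbActivate() { }
    public void ejbPassivate() { }
}
```

The point worth keeping in mind is that BASIC auth and the role check only decide whether the caller may reach the method; the ownership test on each request parameter is what stops an authenticated author from editing someone else's book, and it must use the principal the container established, not a name the client sends along.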
So can I use BASIC authentication with a custom security interceptor? If so, how is this done?
And finally, where do I find documentation on SecurityProxy?
The advice given above by jasong doesn't work. There is something missing....please update.
at sun.reflect.GeneratedMethodAccessor3.invoke(Unknown Source)
at $Proxy24.handleNotification(Unknown Source)
It looks like there is a bug in 4.0.0 that is triggered when auth-type is specified, and port-uri is not. Set port-uri in your port-component section to /* or any other url value. Keep in mind that port-uri is changing to port-component-uri in 4.0.1.
Thanks for the quick reply. One more question:
Will the basic username/password fields of basic authentication be what is passed to an implementation of UsernamePasswordLoginModule?
Forgive me if this question has an obvious answer; I'm just a bit overwhelmed with information overload trying to absorb the documentation on this (which I am trying to utilize before posting).
For EJB endpoints, JBossWS will use the same security domain as the EJBs they connect to. So if you have configured an application policy for your EJBs that uses the UsernamePasswordLoginModule, then it will use that.