JBossWS - Authentication

Version 3

    This page explains the simplest way to authenticate a web service user with JBossWS.

    First we secure access to the SLSB as we would for normal (non web service) invocations: this is easily done through the @RolesAllowed, @PermitAll and @DenyAll annotations. The allowed user roles can be set with these annotations both on the bean class and on any of its business methods.

    @Stateless
    @RolesAllowed("friend")   // "friend" is an example role name; the roles are defined in the security domain's roles properties
    public class EndpointEJB implements EndpointInterface
    {
       // business methods; @RolesAllowed, @PermitAll or @DenyAll on a method overrides the class-level setting
    }

    Similarly, POJO endpoints are secured the same way as normal web applications, in web.xml:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>All resources</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>friend</role-name>   <!-- example role name -->
      </auth-constraint>
    </security-constraint>
    <security-role>
      <role-name>friend</role-name>
    </security-role>

    Define the security domain

    Next, define the security domain for this deployment. For EJB3 endpoints this is done with the @SecurityDomain annotation:

    @Stateless
    @SecurityDomain("JBossWS")   // name of the application-policy in login-config.xml
    public class EndpointEJB implements EndpointInterface
    {
       // business methods
    }

    or, for POJO endpoints, by setting it in jboss-web.xml:

    <jboss-web>
      <security-domain>java:/jaas/JBossWS</security-domain>
    </jboss-web>
    The JBossWS security context is configured in login-config.xml and uses the UsersRolesLoginModule. In fact login-config.xml, which lives in the server config dir, already contains this security domain definition:

      <!--
        A template configuration for the JBossWS security domain.
        This defaults to the UsersRolesLoginModule the same as other and should be
        changed to a stronger authentication mechanism as required.
      -->
      <application-policy name="JBossWS">
        <authentication>
          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
            flag="required">
            <module-option name="usersProperties">props/jbossws-users.properties</module-option>
            <module-option name="rolesProperties">props/jbossws-roles.properties</module-option>
            <module-option name="unauthenticatedIdentity">anonymous</module-option>
          </login-module>
        </authentication>
      </application-policy>

    Of course you can define and use your own security domain, as well as your own login module (for example, to check users' identities by querying a database).
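    As an added illustration of such a custom login module (example code, not from the original page or the JBossWS project), the class below extends JBoss SX's UsernamePasswordLoginModule, which handles the JAAS callback plumbing and the password comparison and only asks the subclass for the expected password and the role set. The class name, the package-less layout and the in-memory user table are assumptions standing in for the database lookup the page mentions; the JBoss SX API (org.jboss.security.auth.spi.UsernamePasswordLoginModule, SimpleGroup, SimplePrincipal) is the one shipped with JBoss AS 4.x/5.x.

```java
import java.security.acl.Group;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.login.LoginException;

import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

/**
 * Hypothetical login module for a custom JBossWS security domain.
 * UsernamePasswordLoginModule collects the user name and password from the
 * JAAS callbacks, calls getUsersPassword() to obtain the expected password,
 * compares the two (hashing the input first if the hashAlgorithm option is
 * set) and finally calls getRoleSets() to build the caller's roles.
 */
public class ExampleLoginModule extends UsernamePasswordLoginModule
{
   // Constructed sample data; a real module would query a database here.
   private static final Map<String, String> PASSWORDS = new HashMap<String, String>();
   private static final Map<String, String> ROLES = new HashMap<String, String>();
   static
   {
      PASSWORDS.put("kermit", "thefrog");   // same sample user as the client snippet on this page
      ROLES.put("kermit", "friend");        // example role name
   }

   /**
    * Expected password for the user being authenticated. Returning null for an
    * unknown user makes the base class reject the login with the same generic
    * failure it uses for a wrong password, so the module does not reveal
    * which user names exist.
    */
   @Override
   protected String getUsersPassword() throws LoginException
   {
      return PASSWORDS.get(getUsername());
   }

   /**
    * Role sets for the authenticated user. JBoss expects a group named "Roles"
    * whose members are the role principals checked by @RolesAllowed.
    */
   @Override
   protected Group[] getRoleSets() throws LoginException
   {
      SimpleGroup roles = new SimpleGroup("Roles");
      String role = ROLES.get(getUsername());
      if (role != null)
         roles.addMember(new SimplePrincipal(role));
      return new Group[] { roles };
   }
}
```

    To use it, register the class as the login-module code of a new application-policy in login-config.xml (for example named "MyWS") and reference that name from @SecurityDomain or jboss-web.xml instead of "JBossWS". Store password hashes rather than clear text in the backing store and set the module's hashAlgorithm and hashEncoding options so that the base class hashes the supplied password before comparing it.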

    Use BindingProvider to set principal/credential

    A web service client may use the javax.xml.ws.BindingProvider interface to set the username/password combination that is sent with each invocation.

    import java.io.File;
    import java.net.URL;
    import javax.xml.namespace.QName;
    import javax.xml.ws.BindingProvider;
    import javax.xml.ws.Service;

    // Locate the service through its WSDL and obtain a proxy for the endpoint interface
    URL wsdlURL = new File("resources/jaxws/samples/context/WEB-INF/wsdl/TestEndpoint.wsdl").toURI().toURL();
    QName qname = new QName("http://org.jboss.ws/jaxws/context", "TestEndpointService");
    Service service = Service.create(wsdlURL, qname);
    TestEndpoint port = service.getPort(TestEndpoint.class);
    // The proxy implements BindingProvider; credentials in its request context are sent with every call
    BindingProvider bp = (BindingProvider)port;
    bp.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "kermit");
    bp.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, "thefrog");

    Using HTTP Basic Auth for security

    To enable HTTP Basic authentication for an EJB3 endpoint, use the @WebContext annotation on the bean class:

    @Stateless
    @SecurityDomain("JBossWS")
    @WebContext(contextRoot="/my-cxt", urlPattern="/*", authMethod="BASIC", transportGuarantee="NONE", secureWSDLAccess=false)
    public class EndpointEJB implements EndpointInterface
    {
       // business methods
    }
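    The following class puts the pieces of this page together (EJB3 endpoint, role-based method authorization, security domain and HTTP Basic authentication) in one deployable bean. It is an added example, not code from the original page or the JBossWS samples: the service and operation names are assumed, "friend" is an example role, and the annotation packages are those of JBossWS 2.x/3.x and JBoss EJB3 (org.jboss.wsf.spi.annotation.WebContext and org.jboss.ejb3.annotation.SecurityDomain; older releases use org.jboss.ws.annotation.WebContext and org.jboss.annotation.security.SecurityDomain). Because Basic authentication only base64-encodes the user name and password in the Authorization header of every request, the example sets transportGuarantee to CONFIDENTIAL so that the container requires HTTPS, instead of the NONE shown in the snippet above.

```java
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Remote;
import javax.ejb.Stateless;
import javax.jws.WebMethod;
import javax.jws.WebService;

import org.jboss.ejb3.annotation.SecurityDomain;   // package assumed for JBoss EJB3; see lead-in
import org.jboss.wsf.spi.annotation.WebContext;    // package assumed for JBossWS 2.x/3.x; see lead-in

// Business interface of the bean (hypothetical operations).
@Remote
interface EndpointInterface
{
   String echo(String input);

   String ping();
}

@Stateless
@WebService(name = "EndpointInterface", serviceName = "EndpointService")   // hypothetical names
// Security domain: the "JBossWS" application-policy from login-config.xml.
@SecurityDomain("JBossWS")
// HTTP Basic authentication, and HTTPS required so that the base64-encoded
// credentials are not exposed on the wire.
@WebContext(contextRoot = "/my-cxt", urlPattern = "/*", authMethod = "BASIC",
            transportGuarantee = "CONFIDENTIAL", secureWSDLAccess = false)
// Class-level default: every business method requires the "friend" role (example role name).
@RolesAllowed("friend")
public class EndpointEJB implements EndpointInterface
{
   // Inherits the class-level constraint: callers must authenticate and hold "friend".
   @WebMethod
   public String echo(String input)
   {
      return input;
   }

   // Method-level annotation overrides the class default: no authentication needed.
   @PermitAll
   @WebMethod
   public String ping()
   {
      return "pong";
   }
}
```

    With this in place an unauthenticated call to echo is rejected with HTTP 401 by the web layer before the bean is reached, while ping remains callable by anyone; a caller who authenticates but lacks the "friend" role is refused by the EJB container's role check.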

    For POJO endpoints, we modify web.xml, adding the auth-method element inside login-config:

    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Test Realm</realm-name>
    </login-config>