JBossWS - Authentication

Version 3

    This page explains the simplest way to authenticate a web service user with JBossWS.

    First we secure access to the stateless session bean (SLSB) exactly as we would for normal (non web service) invocations: this is done with the @RolesAllowed, @PermitAll and @DenyAll annotations. The allowed roles can be set with these annotations both on the bean class and on any of its business methods; a method-level annotation overrides the one on the class.

    @Stateless
    @RolesAllowed("friend")
    public class EndpointEJB implements EndpointInterface
    {
      ...
    }
    

    Similarly, POJO endpoints are secured the same way as normal web applications, through a security constraint in web.xml:

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>All resources</web-resource-name>
          <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>friend</role-name>
        </auth-constraint>
      </security-constraint>
    
      <security-role>
        <role-name>friend</role-name>
      </security-role>

    Define the security domain

    Next, define the security domain for this deployment. For EJB3 endpoints this is done with the @SecurityDomain annotation

    @Stateless
    @SecurityDomain("JBossWS")
    @RolesAllowed("friend")
    public class EndpointEJB implements EndpointInterface
    {
      ...
    }
    

    or, for POJO endpoints, by adding the security-domain element to jboss-web.xml

    <jboss-web>
      <security-domain>java:/jaas/JBossWS</security-domain>
    </jboss-web>
    

    The JBossWS security domain is defined in login-config.xml, which lives in the conf directory of the server configuration, and uses the UsersRolesLoginModule. The definition shipped with the server looks like this:

      <!-- 
        A template configuration for the JBossWS security domain.
        This defaults to the UsersRolesLoginModule the same as other and should be
        changed to a stronger authentication mechanism as required.
      -->
      <application-policy name="JBossWS">
        <authentication>
          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
            flag="required">
            <module-option name="usersProperties">props/jbossws-users.properties</module-option>
            <module-option name="rolesProperties">props/jbossws-roles.properties</module-option>
            <module-option name="unauthenticatedIdentity">anonymous</module-option>
          </login-module>
        </authentication>
      </application-policy>
    

    Note that with this template the passwords live in clear text in jbossws-users.properties, and the unauthenticatedIdentity option means a request carrying no credentials is not rejected at login time but runs as the principal anonymous (with no roles, so it still fails any @RolesAllowed check, while @PermitAll methods remain reachable). As the comment says, this is a starting point: you can define your own security domain backed by your own login module, for example one that verifies users' credentials against a database.
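    The following is an added example of such a custom login module; it is not part of this page or of JBossWS. It extends JBoss's UsernamePasswordLoginModule, which drives the JAAS callbacks and calls back into the subclass for the stored password and the user's roles. The package and class name are hypothetical, and the in-memory map with the two constructed records stands in for the database query a real implementation would run.

```java
package org.example.ws.security; // hypothetical package, not part of JBossWS

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.acl.Group;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.login.LoginException;

import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

/**
 * Example login module for a custom JBossWS security domain.
 * Instead of the UsersRolesLoginModule property files it looks the user up
 * in a "database" which, to keep the example self-contained, is an in-memory
 * map standing in for a JDBC query (constructed sample data, not real users).
 */
public class ExampleDbLoginModule extends UsernamePasswordLoginModule
{
    /** Constructed sample records: username -> {password, comma-separated roles}. */
    private static final Map<String, String[]> USERS = new HashMap<String, String[]>();
    static
    {
        USERS.put("kermit", new String[] {"thefrog", "friend"});
        USERS.put("piggy", new String[] {"hi-ya", "friend,admin"});
    }

    /**
     * Called by the superclass after it has collected the name and password
     * through the callback handler; return the password stored for that user.
     * A real implementation would store a salted hash here and compare hashes.
     */
    @Override
    protected String getUsersPassword() throws LoginException
    {
        String[] record = USERS.get(getUsername());
        if (record == null)
        {
            // Same message as a wrong password, so the error does not reveal which usernames exist
            throw new LoginException("Invalid username or password");
        }
        return record[0];
    }

    /** Constant-time comparison, so response timing does not leak how many characters matched. */
    @Override
    protected boolean validatePassword(String inputPassword, String expectedPassword)
    {
        if (inputPassword == null || expectedPassword == null)
            return false;
        return MessageDigest.isEqual(inputPassword.getBytes(StandardCharsets.UTF_8),
                                     expectedPassword.getBytes(StandardCharsets.UTF_8));
    }

    /** JBoss expects a Group named "Roles" whose members are the role names used by @RolesAllowed. */
    @Override
    protected Group[] getRoleSets() throws LoginException
    {
        SimpleGroup roles = new SimpleGroup("Roles");
        String[] record = USERS.get(getUsername());
        if (record != null)
        {
            for (String role : record[1].split(","))
                roles.addMember(new SimplePrincipal(role.trim()));
        }
        return new Group[] { roles };
    }
}
```

    To use it, add a new application-policy to login-config.xml whose login-module element has code="org.example.ws.security.ExampleDbLoginModule" and flag="required", then point @SecurityDomain (or the security-domain element in jboss-web.xml) at that policy name instead of "JBossWS". The class must be on the server's classpath, for example in the deployment itself or in the server lib directory.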

    Use BindingProvider to set principal/credential

    A web service client may use the javax.xml.ws.BindingProvider interface to set the username and password that are sent with every request made through the port:

    import java.io.File;
    import java.net.URL;
    import javax.xml.namespace.QName;
    import javax.xml.ws.BindingProvider;
    import javax.xml.ws.Service;

    // File.toURL() is deprecated; going through toURI() escapes special characters in the path
    URL wsdlURL = new File("resources/jaxws/samples/context/WEB-INF/wsdl/TestEndpoint.wsdl").toURI().toURL();
    QName qname = new QName("http://org.jboss.ws/jaxws/context", "TestEndpointService");
    Service service = Service.create(wsdlURL, qname);
    TestEndpoint port = service.getPort(TestEndpoint.class);

    // Every JAX-WS proxy implements BindingProvider; the request context holds the credentials
    BindingProvider bp = (BindingProvider)port;
    bp.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "kermit");
    bp.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, "thefrog");

    Using HTTP Basic Auth for security

    To enable HTTP Basic authentication on an EJB3 endpoint, use the @WebContext annotation on the bean class. In the example below secureWSDLAccess=false leaves the WSDL readable without credentials while the operations themselves require them, and transportGuarantee="NONE" means the Basic credentials (which are only Base64-encoded, not encrypted) cross the wire in the clear; outside of a test setup use "CONFIDENTIAL" so that the container requires HTTPS.

    @Stateless
    @SecurityDomain("JBossWS")
    @RolesAllowed("friend")
    @WebContext(contextRoot="/my-cxt", urlPattern="/*", authMethod="BASIC", transportGuarantee="NONE", secureWSDLAccess=false)
    public class EndpointEJB implements EndpointInterface
    {
      ...
    }
    

    For POJO endpoints, we add a login-config element with auth-method BASIC to web.xml:

      <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Test Realm</realm-name>
      </login-config>
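    As an added example (not part of this page), here is the complete POJO web.xml fragment with the weak and the corrected transport setting side by side: the security-constraint from above gains a user-data-constraint of CONFIDENTIAL, the web.xml equivalent of transportGuarantee="CONFIDENTIAL" on @WebContext. With it the container refuses to serve the endpoint over plain HTTP and redirects to its HTTPS connector, so the Basic credentials are never sent unencrypted; this assumes an HTTPS connector is configured on the server, which is not covered here.

```xml
<!-- Default as shown on this page: no transport guarantee, Basic credentials sent in the clear.
     Omitting user-data-constraint is equivalent to <transport-guarantee>NONE</transport-guarantee> -->

<!-- Corrected: same constraint plus a CONFIDENTIAL transport guarantee -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>All resources</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>friend</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- Requires HTTPS for every matching request, including the Authorization header -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Test Realm</realm-name>
</login-config>

<security-role>
  <role-name>friend</role-name>
</security-role>
```

    Note that url-pattern /* also covers the ?wsdl request, so unlike the EJB3 example with secureWSDLAccess=false the WSDL itself requires credentials here; add a second web-resource-collection without an auth-constraint if the contract must stay public.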