Quick Note on Securing a WSDL with Basic Authentication

Version 3

    Introduction

    This is a brief explanation of how to place a WSDL behind HTTP Basic authentication while keeping it accessible to the Teiid server. The US States example is used throughout. The modifications described here should be applied to the example before it is deployed to the JBoss server; in every other respect the original README contained in the example should be followed.


    Pre-Requisites

    • JBoss Developer Studio (or Eclipse Indigo with the Teiid Designer plugins installed)
    • JBoss 5.1 server installation
    • Teiid 7.6 deployment
    • JBoss Web Services CXF 3.4.0
      • Available from here; installation details can be found here.


    Import the projects

    Load the StateService, StateServiceEAR and US_States projects into JBDS/Eclipse.

    (Figure: project-layout.png, the three projects as they appear in JBDS/Eclipse)

    Update the java source

    In the StateService project, open StateService.java and make the following changes (lines prefixed with + are added, lines prefixed with - are removed):


     import javax.xml.ws.ResponseWrapper;
    
    +import org.jboss.security.annotation.SecurityDomain;
    +import org.jboss.wsf.spi.annotation.WebContext;
    +
     /**
      * This class was generated by Apache CXF 2.2.6-patch-01 Wed Jan 19 13:44:29 EST
      * 2011 Generated source version: 2.2.6-patch-01
      * 
      */
    
     @WebService(targetNamespace = "http://www.teiid.org/stateService/", name = "stateService")
    -@XmlSeeAlso({ ObjectFactory.class })
    +@WebContext(contextRoot="/StateService", urlPattern="/StateService", authMethod="BASIC", secureWSDLAccess = true)
    +@SecurityDomain(value = "teiid-security")
    +@XmlSeeAlso({ObjectFactory.class})
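    Review bot: the `@WebContext` annotation hard-codes `contextRoot="/StateService"` and `urlPattern="/StateService"`, and `@SecurityDomain(value = "teiid-security")` names the domain that jboss-web.xml binds as `java:/jaas/teiid-security` and that web.xml's `<realm-name>` repeats; these values must stay in step across the three files, and a comment beside the annotations recording that coupling would save the next editor from renaming one of them and silently leaving the WSDL unprotected. The class header also states that the file was generated by Apache CXF, so regenerating it from the WSDL drops both annotations and reopens anonymous access; record that caveat above the annotations.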
    

     

    This change binds the service to the security domain 'teiid-security', so that both the service endpoint and the WSDL can only be reached through HTTP Basic authentication; the secureWSDLAccess = true attribute is what extends the protection to the ?wsdl retrieval, which would otherwise remain anonymous.

    Define the JBoss web container configuration (jboss-web.xml)

    (Figure: project-layout-2.png, the location of jboss-web.xml under WebContent/WEB-INF)

    The downloaded example will NOT contain a jboss-web.xml file. This must be added to /StateService/WebContent/WEB-INF with the following contents:


    <?xml version="1.0" encoding="UTF-8"?>
    <jboss-web>
        <security-domain>java:/jaas/teiid-security</security-domain>
    </jboss-web>
    

     

    This binds the state service application to the JNDI name of the security domain it should use.

    Modify the J2EE deployment descriptor (web.xml)

    The web.xml must be modified to add the security constraint and login configuration:


         <servlet-mapping>
             <servlet-name>StateService</servlet-name>
             <url-pattern>/StateService</url-pattern>
         </servlet-mapping>
    +
    +    <security-constraint>
    +
    +        <web-resource-collection>
    +            <web-resource-name>StateService</web-resource-name>
    +            <url-pattern>/*</url-pattern>
    +            <url-pattern>/StateService/*</url-pattern>
    +            <http-method>GET</http-method>
    +            <http-method>POST</http-method>
    +        </web-resource-collection>
    +
    +        <auth-constraint>
    +            <!-- This wildcard applies the constraint to all roles -->
    +            <role-name>*</role-name>
    +        </auth-constraint>
    +
    +    </security-constraint>
    +
    +    <login-config>
    +        <auth-method>BASIC</auth-method>
    +        <realm-name>teiid-security</realm-name>
    +    </login-config>
    +    
     </web-app>
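    Review bot: the `<web-resource-collection>` lists `<http-method>GET</http-method>` and `<http-method>POST</http-method>`, and under the Servlet specification a collection that names methods constrains only those methods, so HEAD, OPTIONS, PUT and every other verb on `/*` stay reachable without credentials; remove both `<http-method>` lines so the constraint applies to all methods. Two smaller points: `<url-pattern>/*</url-pattern>` already matches every path, so `<url-pattern>/StateService/*</url-pattern>` is redundant; and because Basic authentication sends the credentials base64-encoded rather than encrypted, adding a `<user-data-constraint>` with `<transport-guarantee>CONFIDENTIAL</transport-guarantee>` inside the `<security-constraint>` would force the exchange onto HTTPS.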
    

     

    Modify the JDBC datasource (stateService-ds.xml)

    The stateService-ds.xml file is copied to the JBoss server separately, but it must also be modified so that the Teiid connector presents the credentials now required to access the stateService WSDL. The username 'user' is defined by default as part of the teiid-security domain; different users should be configured by editing JBoss'/Teiid's ${JBOSS_HOME}/default/conf/props/teiid-security-users.properties file.


    -        <config-property type="java.lang.String" name="SecurityType">None</config>
    +        <config-property type="java.lang.String" name="SecurityType">HTTPBasic</config-property>
    +        <config-property type="java.lang.String" name="AuthUserName">user</config-property>
    +        <config-property type="java.lang.String" name="AuthPassword">user</config-property>
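    Review bot: the removed line ends with `</config>` while its replacement ends with `</config-property>`; if the deployed stateService-ds.xml really contains `</config>` it is not well-formed XML and the deployment fails before the SecurityType change matters, so check the original line against the file before applying this hunk. The new `AuthUserName` and `AuthPassword` properties put the `user`/`user` credentials in clear text in a file that is copied between machines, so restrict read permission on the deployed copy and change the default password in teiid-security-users.properties at the same time rather than leaving the documented default in place.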
    

     

    Testing the WSDL

    Once the state service has been deployed to the JBoss server, its authentication mechanism can be tested by requesting the WSDL from a web browser:


    http://my-jboss-server:8080/StateService/StateService?wsdl
    

     

    The web browser should prompt for a username and password before showing the contents of the WSDL. Enter the credentials user/user.
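    To perform the same check without a browser, and to see at a glance which HTTP verbs are actually gated, here is an added example that is not part of the original note or of Teiid: a small Python probe that requests the WSDL with and without credentials and reports the status code per method. So that it can run offline it also starts a constructed stand-in HTTP server that behaves the way a correctly secured StateService should (401 with WWW-Authenticate: Basic realm="teiid-security" for anonymous requests, 200 for user/user). The realm name, the user/user credentials and the /StateService/StateService?wsdl path come from this note; the stand-in server, the placeholder WSDL body and the function names are assumptions. probe_wsdl_auth can be pointed at the real deployment URL instead.

```python
"""Probe whether a WSDL URL is gated by HTTP Basic authentication.

Added example for this note, not code from the original page or from Teiid.
The stand-in server below is constructed here so the probe can run offline;
against a live deployment, pass a real URL such as
http://my-jboss-server:8080/StateService/StateService?wsdl to probe_wsdl_auth.
"""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample values: realm and user/user credentials follow the note;
# the WSDL body is a placeholder rather than the real stateService WSDL.
REALM = "teiid-security"
VALID_USER, VALID_PASSWORD = "user", "user"
SAMPLE_WSDL = b'<?xml version="1.0"?><definitions name="stateService"/>'


class _SecuredWsdlHandler(BaseHTTPRequestHandler):
    """Stand-in for a correctly secured endpoint: every verb requires Basic auth."""

    def _authorised(self):
        header = self.headers.get("Authorization", "")
        if not header.startswith("Basic "):
            return False
        try:
            decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return False
        return decoded == f"{VALID_USER}:{VALID_PASSWORD}"

    def _respond(self, body, write_body=True):
        if not self._authorised():
            # Challenge anonymous callers with the realm named in the note.
            self.send_response(401)
            self.send_header("WWW-Authenticate", f'Basic realm="{REALM}"')
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/xml")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if write_body:
            self.wfile.write(body)

    def do_GET(self):
        self._respond(SAMPLE_WSDL)

    def do_HEAD(self):
        self._respond(SAMPLE_WSDL, write_body=False)

    def do_OPTIONS(self):
        self._respond(b"")

    def log_message(self, *args):
        pass  # keep the stand-in server quiet


def _status(url, method, credentials=None):
    """Return the HTTP status of one request; a 4xx/5xx reply is a result, not an error."""
    req = urllib.request.Request(url, method=method)
    if credentials:
        token = base64.b64encode(f"{credentials[0]}:{credentials[1]}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def probe_wsdl_auth(wsdl_url, user, password, methods=("GET", "HEAD", "OPTIONS")):
    """Map each verb to (status without credentials, status with credentials).

    Several verbs are tried because a <web-resource-collection> that lists
    <http-method> entries constrains only the verbs it names.
    """
    return {m: (_status(wsdl_url, m), _status(wsdl_url, m, (user, password)))
            for m in methods}


def wsdl_is_protected(results):
    """True when every anonymous request gets 401 and the credentialed GET gets 200."""
    anonymous_refused = all(unauth == 401 for unauth, _ in results.values())
    return anonymous_refused and results.get("GET", (None, None))[1] == 200


def run_offline_check():
    """Start the stand-in server on a free port, probe it, and return the results."""
    server = HTTPServer(("127.0.0.1", 0), _SecuredWsdlHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        url = f"http://127.0.0.1:{server.server_port}/StateService/StateService?wsdl"
        return probe_wsdl_auth(url, VALID_USER, VALID_PASSWORD)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    outcome = run_offline_check()
    for verb, (anonymous, authenticated) in outcome.items():
        print(f"{verb:8s} anonymous={anonymous} authenticated={authenticated}")
    print("WSDL protected" if wsdl_is_protected(outcome) else "WSDL NOT protected")
```

    Against a real server the result worth looking at is the first number of each pair: a 200 for an anonymous HEAD or OPTIONS while GET returns 401 is the signature of a web.xml constraint that enumerates http-method entries and therefore leaves the unlisted verbs open.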

     

    Testing with Teiid Designer

    In Eclipse, create a new Teiid VDB from the StatesView.xmi model, then deploy it to and execute it on the Teiid server. Using the same SQL queries defined in the example README, it should still be possible to query the service successfully.