[JBossWS] - Web service security, how to filter client IP address?
by cardel
I am using basic authentication (username, password) in my web services, so clients have to authenticate to the endpoint provider. But I would like to know how to secure my web service endpoint servlet. I would like to allow connections only from clients with a specified IP address.
My web.xml:
    <!-- START WS authentication -->
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>All webservices</web-resource-name>
        <url-pattern>/ws/*</url-pattern>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>wsrole</role-name>
      </auth-constraint>
      <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Security Realm</realm-name>
    </login-config>

    <security-role>
      <role-name>wsrole</role-name>
    </security-role>
    <!-- END WS authentication -->

    <servlet>
      <servlet-name>BareEndpoint</servlet-name>
      <servlet-class>hcp.service.BareEndpointBean</servlet-class>
    </servlet>

    <servlet-mapping>
      <servlet-name>BareEndpoint</servlet-name>
      <url-pattern>/ws/bareservice</url-pattern>
    </servlet-mapping>

I would like to use this kind of security to deny access to the BareEndpoint servlet, so that only client(s) with a specified IP can read the WSDL from the /ws/bareservice?wsdl address and call some endpoint actions.
Thank you for some useful tips.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4162661#4162661
16 years, 5 months
[JBossWS] - Re: Problem using a SOAP interface on JBOSS server
by gbc
Hi Milan,
At this point you should have solved your problem, but as I found the same problem and the reason for it, I'm posting for others to consult.
Apparently, the WSConsume tool generates wrong code when, besides specifying a web URL for the wsdlLocation, you specify a file URL.
The consequence is that the generated code points to a nonexistent WSDL file, as you can see in the warning log "2008-05-11 16:13:35,514 WARN [org.jboss.ws.core.jaxws.spi.ServiceDelegateImpl] Cannot access wsdlURL: file:/C:/Documents%20and%20Settings/cm304k/My%20Documents/R7/WFM%20IIA/GRANITEAsgnMgmt_QNI_AD_MERGE/GRANITEAsgnMgmt.wsdl".
To solve the problem you must edit the generated code of the Service class.
Where you read:
    static {
        URL url = null;
        try {
            url = new URL("file:/C:/META-INF/wsdl/ConsultarCPF.wsdl");
        } catch (MalformedURLException e) {
            e.printStackTrace();
        }
        CONSULTARCPF_WSDL_LOCATION = url;
    }
write:
    static {
        URL url = null;
        url = ConsultarCPF.class.getResource("/META-INF/wsdl/ConsultarCPF.wsdl");
        CONSULTARCPF_WSDL_LOCATION = url;
    }
Regards,
Gustavo
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4162612#4162612
16 years, 5 months
[JBossWS] - remote authentication=>no route to host found
by timeagentess
Hello all,
I am testing authenticated access to a web service, with a security domain of my own and username/password taken from a MySQL database. I am using JBoss 4.0.5 and JBossWS 2.0.3, and on my localhost I have the MySQL database from where the username and password are taken, as well as the client.
Everything works perfectly when I have all things deployed locally (web service, database, client). However, I run into problems when invoking the web service deployed on a remote machine.
On the remote server console a "no route to host" error appears:
    Caused by: com.mysql.jdbc.CommunicationsException: Communications link failure due to underlying exception:

    ** BEGIN NESTED EXCEPTION **

    java.net.SocketException
    MESSAGE: java.net.NoRouteToHostException: No route to host

    STACKTRACE:

    java.net.SocketException: java.net.NoRouteToHostException: No route to host
        at com.mysql.jdbc.StandardSocketFactory.connect(StandardSocketFactory.java:156)
        at com.mysql.jdbc.MysqlIO.<init>(MysqlIO.java:284)

On the client side I receive an "Unauthorized" error:
    3875 [main] DEBUG org.jboss.remoting.transport.http.HTTPClientInvoker - Error invoking http client invoker.
    org.jboss.ws.WSException: Invalid HTTP server response [401] - Unauthorized
        at org.jboss.ws.core.soap.SOAPMessageUnMarshaller.read(SOAPMessageUnMarshaller.java:77)
        at org.jboss.remoting.transport.http.HTTPClientInvoker.useHttpURLConnection(HTTPClientInvoker.java:175)
        ...
    javax.xml.ws.WebServiceException: java.io.IOException: Could not transmit message

Using the default "JBossWS" security domain, with username "kermit" and password "thefrog" taken from users.properties, works with both local and remote deployment of my web service. So I was thinking maybe the data source is not found?
However, the database seems to be correctly bound, judging by the server log data:
    INFO [org.jboss.resource.adapter.jdbc.remote.WrapperDataSourceService] Bound ConnectionManager 'jboss.jca:service=DataSourceBinding,name=jdbc/WSTwoDS' to JNDI name 'java:jdbc/WSTwoDS'
Perhaps my client needs special jndi.properties settings? (pure brainstorming, potentially stupid, based on some forum posts I browsed)
What my files look like:
Security-relevant annotations on Web Service (which is deployed as SLSB in an ear):
    @org.jboss.wsf.spi.annotation.WebContext(contextRoot = "/webservices-ws", urlPattern="/services/WSTwo/*", authMethod="BASIC", transportGuarantee="NONE", secureWSDLAccess=false)
    @SecurityDomain("wstwo")
    @RolesAllowed("friend")
In server/default/conf/login-config.xml on the remote machine I have added the "wstwo" application policy thus:
    <application-policy name="wstwo">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                      flag="required">
          <module-option name="dsJndiName">java:/jdbc/WSTwoDS</module-option>
          <module-option name="principalsQuery">
            select pass from USERS where login=?
          </module-option>
          <module-option name="rolesQuery">
            select role,'Roles' from USER_ROLES where login=?
          </module-option>
        </login-module>
      </authentication>
    </application-policy>
And the data source for the web service is defined in the server/default/deploy/*-ds.xml file like this:
    <local-tx-datasource>
      <jndi-name>jdbc/WSTwoDS</jndi-name>
      <connection-url>jdbc:mysql://IP_OF_MY_LOCALHOST:3306/security</connection-url>
      ...
    </local-tx-datasource>
And of course the tables as described in the application policy are defined on my local machine.
In the client I pass the username and password:
    ((BindingProvider)wstwo).getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "user");
    ((BindingProvider)wstwo).getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, "pass");
Does anyone have any idea about where I'm doing something wrong? Thank you!
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4162598#4162598
16 years, 5 months
[JBossWS] - Re: ...Port does not contain operation meta data for: {http:
by helmutdoe
Hi,
If I disable encryption and only sign my requests, everything completes successfully without any kind of errors occurring. Last night I tried downgrading again and used the JEMS Installer: http://www.jboss.org/jemsinstaller/downloads/. After I had patched the included jbossws stack from 2.0.1 -> 2.0.4, I get a new error which was already discussed in this forum.
    [Reference] Verification failed for URI "#timestamp"
    11:14:36,296 ERROR [WSSecurityDispatcher] Internal error occured handling inbound message:
    org.jboss.ws.extensions.security.exception.FailedCheckException: Signature is invalid.
        at org.jboss.ws.extensions.security.operation.SignatureVerificationOperation.process(SignatureVerificationOperation.java:65)
        at org.jboss.ws.extensions.security.SecurityDecoder.decode(SecurityDecoder.java:134)

Since I downgraded from 3.0.2 to 2.0.4, disabling timestamps
    <sign .... includeTimestamp="false"/>
isn't allowed any more.
I can't imagine that everyone who implements web services using the jbossws stack does not use encryption. If someone has already got this working, please post an example :).
BIG thanks, and I hope that helps you, timeagentess.
Bye
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4162496#4162496
16 years, 5 months