The JBoss web services stack supports a variety of endpoint deployment models:
1. Simple JDK5 POJOs that are wrapped in a war file.
2. EJB3 endpoints that are wrapped in an EJB jar file.
3. Servlet endpoints wrapped in a war file.
4. EJB2.1 endpoints using jar archive.
Now, for the Servlet/POJO model endpoints, the endpoints are secured for authentication
using JAAS or any other means that is supported by the Servlet specification. For EJB-style
endpoints, the EJBs are secured for authentication according to the EJB2.1 or EJB3
specifications. Please read our UserGuide for more information:
http://jbws.dyndns.org/mediawiki/index.php?title=JAX-WS_User_Guide#WS-Sec...
Basically, security on endpoints is done as above, and HTTP is a transport mechanism used
to send your messages. It can be HTTP/HTTPS or whatever method you want to choose.
When you use HTTP, the SOAP message is wrapped and sent across the wire using the HTTP protocol.
By default when you send in the credentials:
| reqContext.put(BindingProvider.USERNAME_PROPERTY, "kermit");
| reqContext.put(BindingProvider.PASSWORD_PROPERTY, "thefrog");
|
the default authorization mechanism that is set from the client is AUTH_TYPE_BASIC. See
org.jboss.ws.core.client.RemotingConnectionImpl
| // Get authentication type, default to BASIC authentication
| String authType = (String)callProps.get(StubExt.PROPERTY_AUTH_TYPE);
| if (authType == null)
|    authType = StubExt.PROPERTY_AUTH_TYPE_BASIC;
|
When it reaches the service endpoint in the server, this message is unwrapped from the
HTTP or whatever protocol/transport mechanism you used and then supplied to the service
endpoint after re-creating the SOAPMessage. The Username token sent in the SOAP Message is
the one used by the endpoint server/stack to authenticate the user who is performing this
request. This is called MessageLevel Security as defined by the UsernameToken profile. As you
can see, Servlet endpoints can be configured with only basic or digest as per the specs of
their deployment model. So setting AUTH_TYPE_WSSE is not and will not be applicable to the
servlet deployment model unless you write your own customized implementation for it.
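To make the two credential placements discussed in the post concrete, the following added example (not code from the post or from JBoss) inspects a request and reports whether a user is named at the transport level (HTTP Basic `Authorization` header, the client default described above) or at the message level (WS-Security UsernameToken in the SOAP header). The function names and both sample requests are constructed for illustration, reusing the post's `kermit`/`thefrog` values.

```python
import base64
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")

def basic_header(user, password):
    """Authorization value HTTP Basic produces: base64 only, not encryption."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def credential_locations(headers, body):
    """Report which layer of a request names a user: transport and/or message."""
    found = {"transport": None, "message": None}
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    scheme, _, value = auth.partition(" ")
    if scheme.lower() == "basic":
        try:
            decoded = base64.b64decode(value.strip(), validate=True).decode("utf-8")
            found["transport"] = decoded.partition(":")[0]
        except (ValueError, UnicodeDecodeError):
            pass  # malformed header: treat as no transport credential
    try:
        # Constructed samples only; use a hardened parser for untrusted XML.
        root = ET.fromstring(body)
    except ET.ParseError:
        return found
    ns = {"s": SOAP, "w": WSSE}
    node = root.find("s:Header/w:Security/w:UsernameToken/w:Username", ns)
    if node is not None and node.text:
        found["message"] = node.text.strip()
    return found

# Constructed sample requests (not captured traffic).
PLAIN_BODY = f'<s:Envelope xmlns:s="{SOAP}"><s:Body/></s:Envelope>'
WSSE_BODY = (
    f'<s:Envelope xmlns:s="{SOAP}" xmlns:w="{WSSE}"><s:Header><w:Security>'
    "<w:UsernameToken><w:Username>kermit</w:Username>"
    "<w:Password>thefrog</w:Password></w:UsernameToken>"
    "</w:Security></s:Header><s:Body/></s:Envelope>"
)
BASIC_REQUEST = ({"Authorization": basic_header("kermit", "thefrog")}, PLAIN_BODY)
WSSE_REQUEST = ({"Content-Type": "text/xml"}, WSSE_BODY)

if __name__ == "__main__":
    for name, (hdrs, body) in [("basic", BASIC_REQUEST), ("wsse", WSSE_REQUEST)]:
        print(name, credential_locations(hdrs, body))
```

In both placements shown here the password is recoverable by anyone who can read the request, so either form needs HTTPS underneath it.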