[jboss-user] [JBossWS] - Unscuring wsdl definition

tremalnaik do-not-reply at jboss.com
Tue Feb 6 07:47:13 EST 2007

Hello, I'm using jboss 4.0.2

I have deployed a simple web service, trying now to secure it. I added the following definitions in the web.xml

  |   <security-constraint>
  |     <web-resource-collection>
  |       <web-resource-name>Protected service</web-resource-name>
  |       <description>no description</description>
  | 	  <url-pattern>/TestService</url-pattern>
  |     </web-resource-collection>
  |     <auth-constraint>
  |       <role-name>BITAStarUser</role-name>
  |     </auth-constraint>
  |     <user-data-constraint>
  |       <transport-guarantee>NONE</transport-guarantee>
  |     </user-data-constraint>
  |   </security-constraint>
  |   <login-config>
  |     <auth-method>BASIC</auth-method>
  |   </login-config>
  |   <security-role>
  |     <description>Intranet Bita Star user</description>
  |     <role-name>BITAStarUser</role-name>
  |   </security-role>

It protects all request matching /TestService, but it means that it protects the page /TestService?wsdl i.e. the wsdl file as well.

I'd like to avoid this, otherwise my simple test client will get a 401 error:

  | String urlstr = "https://cor319:8443/BitaStarWebServices/TestService?wsdl";
  | String argument = "claves";
  | System.out.println("Contacting webservice at " + urlstr);
  | URL url = new URL(urlstr);
  | QName qname = new QName("https://ws.web.bitastar.bitaplus.com/", "TestService");
  | ServiceFactory factory = ServiceFactory.newInstance();
  | Service service = factory.createService(url, qname);
  | WebServicesTestInt wst = (WebServicesTestInt) service.getPort(WebServicesTestInt.class);

Server returned HTTP response code: 401 for URL: https://cor319.cor-fs.com:8443/BitaStarWebServices/TestService?wsdl

I gave a look to the famous cap 13 of the Jboss WS guide on securing the endpoints, but it looks it's doing something too much for me: I don't need to define ejbs. I'm using a Jaas module configured in login-config.xml and jboss-web.xml looks like:

  | <?xml version="1.0" encoding="UTF-8"?>
  | <!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 2.3V2//EN" "http://www.jboss.org/j2ee/dtd/jboss-web_4_0.dtd">
  | <jboss-web>
  |   <security-domain>java:/jaas/bitastarRealm</security-domain>
  | </jboss-web>

do you have any suggestions? Do you think what I'm doing has some sense? Can you point me to the right resources, please?

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4011873#4011873

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4011873

More information about the jboss-user mailing list