[jboss-user] [JBossWS] - Web Service URL pattern

karypid do-not-reply at jboss.com
Wed Jul 30 11:18:49 EDT 2008 

Hello,

I have a war file that publishes a POJO web service in JBoss (using the native stack in JBoss AS 4.2.2, which is probably JBossWS 2.0.1). I am trying to restrict access to the web service to authenticated users only. Adding a security-constraint in the deployment descriptor of the war with the * (asterisk) wild-character gets the job done. However, it also restricts access to the auto-generated WSDL published by JBoss.

This is because JBoss publishes the WSDL under the servlet prefix, adding a ?wsdl parameter. For instance:
	<servlet>
  | 		<servlet-name>MyTestWS</servlet-name>
  | 		<servlet-class>...servlet-class>
  | 	</servlet>
  | 	<servlet-mapping>
  | 		<servlet-name>MyTestWS</servlet-name>
  | 		<url-pattern>/MyTestWS</url-pattern>
  | 	</servlet-mapping>
  | 	<security-constraint>
  | 		<web-resource-collection>
  | 			<web-resource-name>...</web-resource-name>
  | 			<url-pattern>/MyTestWS/*</url-pattern>
  | 		</web-resource-collection>
  |                ...
  |        </security-constraint>

The above causes the web service to be published under:
http://localhost:8080/MyTestWS
and the WSDL is published under
http://localhost:8080/MyTestWS?wsdl

As a result, clients that try to access the stub generated with wsimport have a problem accessing the WSDL and fail. I need to keep a copy of the WSDL on the client for things to work as follows:

		URL wsdlURL = Launcher.class.getResource("MyTestWS.wsdl");
  | //		URL wsdlURL = new URL("http://localhost:8080/MyTestWS?wsdl"); // does not work 
  | 		QName serviceName = new QName("...",
  | 				"...");
  | 		MyTestWSService rss = new MyTestWSService(wsdlURL,
  | 				serviceName);
  | 		MyTestWS rs = rss.getMyTestWSPort();
  | 
  | 		BindingProvider bp = (BindingProvider) rs;
  | 		bp.getRequestContext().put(BindingProvider.USERNAME_PROPERTY,
  | 				"xxx");
  | 		bp.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY,
  | 				"yyy");
  | 
  | 		String t = rs.secureHello();
The client is able to log in and access the MyTestWS web service when using a local copy of the WSDL only. How can I avoid this? I would like to have the client access the WSDL from the server. I need a way to either:

1) publish the WSDL in another URL
2) restrict access to the web service URL but put an exception for URL?wsdl
3) set the login credentials earlier (as I do with BindingProvider) so that the WSDL can be accessed to construct the stub.

I don't know how to do any of the above....



View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4167649#4167649

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4167649

More information about the jboss-user mailing list