11.4. Authentication

Read this section to learn how to authenticate a web service user using a number of available methods.

Procedure 11.1. Authenticate a Web Service User

The following procedure describes how to authenticate a web service user with JBossWS.
  1. Secure access to the Stateless Session Bean

    Secure access to the Stateless Session Bean (SLSB) using the @RolesAllowed, @PermitAll, and @DenyAll annotations.
    The allowed user roles can be set with these annotations both on the bean class and on any of its business methods.
    @Stateless
    @RolesAllowed("friend")
    public class EndpointEJB implements EndpointInterface
    {
      ...
    }
  2. Secure POJO endpoints

    Secure Plain Old Java Object (POJO) endpoints by defining a <security-constraint> in the WEB-INF/web.xml file of the application.
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>All resources</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>friend</role-name>
      </auth-constraint>
    </security-constraint>
    
    <security-role>
      <role-name>friend</role-name>
    </security-role>
  3. Define the security domain

    Declare the security domain by adding the @SecurityDomain annotation to the bean class.
    @Stateless
    @SecurityDomain("JBossWS")
    @RolesAllowed("friend")
    public class EndpointEJB implements EndpointInterface
    {
      ...
    }
    • You can also modify JBOSS_HOME/server/PROFILE/deploy/jbossws.sar/jboss-management.war/WEB-INF/jboss-web.xml and specify the security domain.
      <jboss-web>
        <security-domain>JBossWS</security-domain>
      </jboss-web>

    Note

    For more information about Security Domains, refer to the JBoss Security Guide.
  4. Define the security context

    Configure the security context in the JBOSS_HOME/server/PROFILE/conf/login-config.xml file.
    <!-- 
        A template configuration for the JBossWS security domain.
        This defaults to the UsersRolesLoginModule the same as other and should be
        changed to a stronger authentication mechanism as required.
    -->
    <application-policy name="JBossWS">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
          <module-option name="usersProperties">props/jbossws-users.properties</module-option>
          <module-option name="rolesProperties">props/jbossws-roles.properties</module-option>
          <module-option name="unauthenticatedIdentity">anonymous</module-option>
        </login-module>
      </authentication>
    </application-policy>

    Note

    The default UsersRolesLoginModule should be changed to another login module that offers security suitable for your enterprise deployment. Refer to the JBoss Security Guide for more information about the available login modules, and how you can create your own custom login module.
A web service client can use the javax.xml.ws.BindingProvider interface to set the username and password combination.

Example 11.1. BindingProvider Configuration

// toURI().toURL() replaces the deprecated File.toURL()
URL wsdlURL = new File("resources/jaxws/samples/context/WEB-INF/wsdl/TestEndpoint.wsdl").toURI().toURL();
QName qname = new QName("http://org.jboss.ws/jaxws/context", "TestEndpointService");
Service service = Service.create(wsdlURL, qname);
TestEndpoint port = service.getPort(TestEndpoint.class);

// Set the username and password on the port's request context
BindingProvider bp = (BindingProvider)port;
bp.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "jsmith");
bp.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, "PaSSw0rd");
HTTP Basic Authentication

You can enable HTTP Basic Authentication by using the @WebContext annotation on the bean class, or by appending an <auth-method> element to the JBOSS_HOME/server/PROFILE/deploy/jbossws.sar/jboss-management.war/WEB-INF/jboss-web.xml <login-config> element.

Example 11.2. @WebContext HTTP Basic Authentication

@Stateless
@SecurityDomain("JBossWS")
@RolesAllowed("friend")
@WebContext(contextRoot="/my-cxt", urlPattern="/*", authMethod="BASIC", transportGuarantee="NONE", secureWSDLAccess=false)
public class EndpointEJB implements EndpointInterface
{
  ...
}

Example 11.3. jboss-web.xml HTTP Basic Authentication

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Test Realm</realm-name>
</login-config>
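
HTTP Basic Authentication sends the username and password Base64-encoded, not encrypted, so with transportGuarantee="NONE" as in Example 11.2 the credentials cross the network in readable form. The following added example (not part of the original guide) is a WEB-INF/web.xml for a POJO endpoint that combines the security constraint from step 2 with BASIC login and a CONFIDENTIAL transport guarantee. The servlet name and class are hypothetical, and it assumes an HTTPS connector is configured on the server.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: WEB-INF/web.xml for a POJO endpoint (Servlet 2.5). -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- Hypothetical endpoint: JBossWS POJO endpoints are declared as servlets. -->
  <servlet>
    <servlet-name>TestEndpoint</servlet-name>
    <servlet-class>org.example.ws.TestEndpointImpl</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>TestEndpoint</servlet-name>
    <url-pattern>/*</url-pattern>
  </servlet-mapping>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>All resources</web-resource-name>
      <url-pattern>/*</url-pattern>
      <!-- No <http-method> elements: the constraint covers every HTTP method. -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>friend</role-name>
    </auth-constraint>
    <!-- Corrected setting: require TLS. The weak counterpart is
         <transport-guarantee>NONE</transport-guarantee>, matching
         transportGuarantee="NONE" in Example 11.2. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Test Realm</realm-name>
  </login-config>

  <security-role>
    <role-name>friend</role-name>
  </security-role>
</web-app>
```

For an EJB endpoint, the equivalent change is transportGuarantee="CONFIDENTIAL" in the @WebContext annotation.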

© 2024 Red Hat, Inc.