11.4. Authentication
Procedure 11.1. Authenticate a Web Service User
Secure access to the Stateless Session Bean
Secure access to the Stateless Session Bean (SLSB) using the @RolesAllowed, @PermitAll and @DenyAll annotations. The allowed user roles can be set with these annotations both on the bean class and on any of its business methods.

    @Stateless
    @RolesAllowed("friend")
    public class EndpointEJB implements EndpointInterface
    {
       ...
    }
Secure POJO endpoints
Secure Plain Old Java Object (POJO) endpoints by defining a <security-constraint> in the WEB-INF/web.xml file of the application.

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>All resources</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>friend</role-name>
      </auth-constraint>
    </security-constraint>
    <security-role>
      <role-name>friend</role-name>
    </security-role>
Define the security domain
Declare the security domain by appending the @SecurityDomain annotation.

    @Stateless
    @SecurityDomain("JBossWS")
    @RolesAllowed("friend")
    public class EndpointEJB implements EndpointInterface
    {
       ...
    }
- You can also modify JBOSS_HOME/server/PROFILE/deploy/jbossws.sar/jboss-management.war/WEB-INF/jboss-web.xml and specify the security domain.

    <jboss-web>
      <security-domain>JBossWS</security-domain>
    </jboss-web>
Note
For more information about Security Domains, refer to the JBoss Security Guide.
Define the security context
Configure the security context in the JBOSS_HOME/server/PROFILE/conf/login-config.xml file.

    <!-- A template configuration for the JBossWS security domain.
         This defaults to the UsersRolesLoginModule the same as other
         and should be changed to a stronger authentication mechanism
         as required. -->
    <application-policy name="JBossWS">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
          <module-option name="usersProperties">props/jbossws-users.properties</module-option>
          <module-option name="rolesProperties">props/jbossws-roles.properties</module-option>
          <module-option name="unauthenticatedIdentity">anonymous</module-option>
        </login-module>
      </authentication>
    </application-policy>
Note
The default UsersRolesLoginModule should be changed to another login module that offers security suitable for your enterprise deployment. Refer to the JBoss Security Guide for more information about the available login modules, and how you can create your own custom login module.
Use the javax.xml.ws.BindingProvider interface to set the username and password combination.
Example 11.1. BindingProvider Configuration
    import java.io.File;
    import java.net.URL;
    import javax.xml.namespace.QName;
    import javax.xml.ws.BindingProvider;
    import javax.xml.ws.Service;

    URL wsdlURL = new File("resources/jaxws/samples/context/WEB-INF/wsdl/TestEndpoint.wsdl").toURL();
    QName qname = new QName("http://org.jboss.ws/jaxws/context", "TestEndpointService");
    Service service = Service.create(wsdlURL, qname);
    TestEndpoint port = (TestEndpoint)service.getPort(TestEndpoint.class);
    // The credentials are stored in the port's request context and sent with every invocation
    BindingProvider bp = (BindingProvider)port;
    bp.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "jsmith");
    bp.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, "PaSSw0rd");
You can enable HTTP Basic Authentication by using the @WebContext annotation on the bean class, or by appending an <auth-method> element to the <login-config> element of JBOSS_HOME/server/PROFILE/deploy/jbossws.sar/jboss-management.war/WEB-INF/jboss-web.xml.
Example 11.2. @WebContext HTTP Basic Authentication
    @Stateless
    @SecurityDomain("JBossWS")
    @RolesAllowed("friend")
    @WebContext(contextRoot="/my-cxt", urlPattern="/*", authMethod="BASIC", transportGuarantee="NONE", secureWSDLAccess=false)
    public class EndpointEJB implements EndpointInterface
    {
       ...
    }
Example 11.3. jboss-web.xml HTTP Basic Authentication
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Test Realm</realm-name>
    </login-config>
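The following is an added example, not code from the JBossWS documentation or project: it combines the annotations from the steps above into one endpoint, going beyond the page by overriding the class-level role per business method and by raising the transport guarantee so BASIC credentials only travel over HTTPS. It assumes EndpointInterface (from the page) declares echo, ping and reset, that the @SecurityDomain and @WebContext packages are those of EJB3 and JBossWS 3.x on EAP 5, and the properties entries in the comment are constructed samples.

```java
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.jws.WebService;
import org.jboss.ejb3.annotation.SecurityDomain;   // assumed EJB3 package on EAP 5
import org.jboss.wsf.spi.annotation.WebContext;    // assumed JBossWS 3.x package
/*
 * Constructed sample entries for the two files named in the "JBossWS"
 * application-policy (UsersRolesLoginModule format: user=password in the
 * users file, user=role1,role2 in the roles file):
 *   props/jbossws-users.properties:  jsmith=PaSSw0rd
 *   props/jbossws-roles.properties:  jsmith=friend
 */
@Stateless
@WebService(endpointInterface = "EndpointInterface")   // assumed SEI with echo, ping, reset
@SecurityDomain("JBossWS")
@RolesAllowed("friend")          // class-level default: every business method needs "friend"
@WebContext(contextRoot = "/my-cxt",
            urlPattern = "/*",
            authMethod = "BASIC",
            // BASIC only base64-encodes the password, so require HTTPS for
            // this context instead of the "NONE" used in Example 11.2
            transportGuarantee = "CONFIDENTIAL",
            secureWSDLAccess = false)
public class EndpointEJB implements EndpointInterface
{
   // No method-level annotation: the class-level @RolesAllowed("friend") applies.
   public String echo(String input)
   {
      return input;
   }

   // Method-level override: callable without credentials. With
   // unauthenticatedIdentity=anonymous in login-config.xml the caller is the
   // "anonymous" principal holding no roles, so keep only role-free operations here.
   @PermitAll
   public String ping()
   {
      return "pong";
   }

   // Method-level override: no caller can invoke this through the endpoint,
   // not even one holding the "friend" role.
   @DenyAll
   public void reset()
   {
      throw new IllegalStateException("reset is not exposed");
   }
}
```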