11.4. Authentication


Read this section to learn how to authenticate a web service user using a number of available methods.

Procedure 11.1. Authenticate a Web Service User

The following procedure describes how to authenticate a web service user with JBossWS.
  1. Secure access to the Stateless Session Bean

    Secure access to the Stateless Session Bean (SLSB) using the @RolesAllowed, @PermitAll, and @DenyAll annotations.
    These annotations set the allowed user roles, and can be placed on the bean class and on any of its business methods.
    @Stateless
    @RolesAllowed("friend")
    public class EndpointEJB implements EndpointInterface
    {
      ...
    }
  2. Secure POJO endpoints

    Secure Plain Old Java Object (POJO) endpoints by defining a <security-constraint> in the WEB-INF/web.xml file of the application.
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>All resources</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>friend</role-name>
      </auth-constraint>
    </security-constraint>
    
    <security-role>
      <role-name>friend</role-name>
    </security-role>
  3. Define the security domain

    Declare the security domain by adding the @SecurityDomain annotation to the bean class.
    @Stateless
    @SecurityDomain("JBossWS")
    @RolesAllowed("friend")
    public class EndpointEJB implements EndpointInterface
    {
      ...
    }
    • You can also modify JBOSS_HOME/server/PROFILE/deploy/jbossws.sar/jboss-management.war/WEB-INF/jboss-web.xml and specify the security domain.
      <jboss-web>
        <security-domain>JBossWS</security-domain>
      </jboss-web>

    Note

    For more information about Security Domains, refer to the JBoss Security Guide.
  4. Define the security context

    Configure the security context in the JBOSS_HOME/server/PROFILE/conf/login-config.xml file.
    <!-- 
        A template configuration for the JBossWS security domain.
        This defaults to the UsersRolesLoginModule the same as other and should be
        changed to a stronger authentication mechanism as required.
    -->
    <application-policy name="JBossWS">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
          <module-option name="usersProperties">props/jbossws-users.properties</module-option>
          <module-option name="rolesProperties">props/jbossws-roles.properties</module-option>
          <module-option name="unauthenticatedIdentity">anonymous</module-option>
        </login-module>
      </authentication>
    </application-policy>

    Note

    The default UsersRolesLoginModule should be changed to another login module that offers security suitable for your enterprise deployment. Refer to the JBoss Security Guide for more information about the available login modules, and how you can create your own custom login module.
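
As an added illustration of the note above (not part of the original guide), the JBossWS policy below replaces the properties-file module with DatabaseServerLoginModule and omits the unauthenticatedIdentity option, so requests without credentials are no longer mapped to the anonymous principal. The datasource JNDI name and the table and column names are assumptions, and stored passwords are assumed to be Base64-encoded SHA-256 digests.

```xml
<application-policy name="JBossWS">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <!-- Assumed datasource and schema; adjust to your deployment -->
      <module-option name="dsJndiName">java:/WsUsersDS</module-option>
      <module-option name="principalsQuery">SELECT passwd FROM ws_users WHERE username=?</module-option>
      <module-option name="rolesQuery">SELECT role, 'Roles' FROM ws_user_roles WHERE username=?</module-option>
      <!-- Compare against stored digests rather than clear-text passwords -->
      <module-option name="hashAlgorithm">SHA-256</module-option>
      <module-option name="hashEncoding">base64</module-option>
      <!-- No unauthenticatedIdentity option: requests without credentials fail authentication -->
    </login-module>
  </authentication>
</application-policy>
```
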
A web service client can use the javax.xml.ws.BindingProvider interface to set the username and password combination.

Example 11.1. BindingProvider Configuration

// Build the JAX-WS service from the local WSDL and obtain the endpoint proxy.
URL wsdlURL = new File("resources/jaxws/samples/context/WEB-INF/wsdl/TestEndpoint.wsdl").toURI().toURL();
QName qname = new QName("http://org.jboss.ws/jaxws/context", "TestEndpointService");
Service service = Service.create(wsdlURL, qname);
TestEndpoint port = service.getPort(TestEndpoint.class);

// Set the credentials that are sent with each request made through this proxy.
BindingProvider bp = (BindingProvider)port;
bp.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "jsmith");
bp.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, "PaSSw0rd");
HTTP Basic Authentication

You can enable HTTP Basic Authentication by using the @WebContext annotation on the bean class, or by appending an <auth-method> element to the JBOSS_HOME/server/PROFILE/deploy/jbossws.sar/jboss-management.war/WEB-INF/jboss-web.xml <login-config> element.

Example 11.2. @WebContext HTTP Basic Authentication

@Stateless
@SecurityDomain("JBossWS")
@RolesAllowed("friend")
@WebContext(contextRoot="/my-cxt", urlPattern="/*", authMethod="BASIC", transportGuarantee="NONE", secureWSDLAccess=false)
public class EndpointEJB implements EndpointInterface
{
  ...
}

Example 11.3. jboss-web.xml HTTP Basic Authentication

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Test Realm</realm-name>
</login-config>
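
Basic authentication sends the username and password Base64-encoded, not encrypted, with every request, so transportGuarantee="NONE" in Example 11.2 leaves them readable on the network. The following web.xml fragment is an added example (not from the original guide) that extends the step 2 constraint for a POJO endpoint with a CONFIDENTIAL transport guarantee; it assumes an SSL connector is configured on the server.

```xml
<security-constraint>
  <web-resource-collection>
    <web-resource-name>All resources</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>friend</role-name>
  </auth-constraint>
  <!-- Added: the container only serves these resources over an SSL/TLS connection -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Test Realm</realm-name>
</login-config>

<security-role>
  <role-name>friend</role-name>
</security-role>
```

For an EJB endpoint, the corresponding change is transportGuarantee="CONFIDENTIAL" in the @WebContext annotation. Clients should also use an https endpoint address so that the credentials set through BindingProvider are never sent over plain HTTP.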