How can I secure a web service?

Steve Vittoria
Ranch Hand

Joined: Jan 12, 2005
Posts: 33

Hi everyone!

I am new to web services. I have developed a small web service using JAX-WS and I want clients of this web service to send a user name and password in each SOAP message they send to my service. How can I do that with HTTPS and basic authentication? Is it the same as securing any web page, or does it require any additional stuff that I should know about?

Thank you

I developed a small web service and I want the clients of this web service to send user name and password each time they access my web service. I'm not looking to encrypt the call (maybe in the future I will).

Here is an example of my web service...


I have a test client that accesses the web service, and effectively I get the following error: "The server sent HTTP status code 401: Unauthorized"

Here is my client code...


I've been reading on the web about securing web services in JBoss, and I'm confused as to what I must do. I keep seeing that I need to add some stuff to web.xml; other sites I read mention jboss-web.xml. Where are these files located, and what do I have to add to these files? Also, what do I need to do on the client side to access my secure web service?

My web service is running on JBoss 4.3.0.

Thanks!
Peter Johnson
author
Bartender

Joined: May 14, 2008
Posts: 5836
    

Go to the JBoss in Action web site (link below) and grab the free chapter 9. That has everything you need to know about configuring web services. Even though the book is specific to AS 5.x, AS 4.x uses the same web services code (the versions are different but the configuration is the same). There is a whole section on securing web services.


JBoss In Action
Steve Vittoria
Ranch Hand

Joined: Jan 12, 2005
Posts: 33

Hi Peter, thanks for the reply.

I have read that chapter but I'm still confused as to what I need to do to secure my EJB web service. As I mentioned earlier, I've gotten to the point where my web service is secure (thanks to the info I got in the JBoss in Action book), I even secured the WSDL file using the following lines of code...



So now even when I try to view the WSDL file, I get prompted for a user name and password. My question is, where do I assign this user name and password in JBoss? Reading on the web I keep seeing various articles mention xml files such as web.xml, jbossws.xml and ejb-jar.xml. Do I add the user name and password to one of these files? Keep in mind my web service is an EJB and not a web application so I don't have a web.xml or jbossws.xml, so where do I add the user name and password?
Peter Johnson
author
Bartender

Joined: May 14, 2008
Posts: 5836
    

Steve wrote: My question is, where do I assign this user name and password in JBoss?

JBoss in Action, pg 252, Securing the EJB Web Service wrote: Finally, the value element of the @SecurityDomain annotation identifies the name of the login module used (3).

The login module determines where and how the username and password are specified within JBoss AS. The example in the book uses properties files in server/xxx/conf/props. So what is the definition of PatientDemoWS in login-config.xml?
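
Added example, not part of the thread or the book: a sketch of what the login-config.xml entry asked about above could look like when users and roles are kept in properties files under server/xxx/conf/props. The properties file names, the user wsclient and the role friend are assumptions made for illustration; the two hash options are an optional hardening step so the file does not hold clear-text passwords.

```xml
<!-- Added example: fragment for server/xxx/conf/login-config.xml.
     The policy name must match the value given to @SecurityDomain on the
     EJB (PatientDemoWS is the domain name mentioned in the thread). -->
<application-policy name="PatientDemoWS">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                  flag="required">
      <!-- Both files are loaded from the classpath. The conf directory is
           on it, so props/... resolves to server/xxx/conf/props/...
           File names below are hypothetical. -->
      <module-option name="usersProperties">props/patientdemo-users.properties</module-option>
      <module-option name="rolesProperties">props/patientdemo-roles.properties</module-option>

      <!-- Optional: compare against stored digests instead of clear text.
           Leave these two options out to use plain passwords in the file. -->
      <module-option name="hashAlgorithm">SHA-256</module-option>
      <module-option name="hashEncoding">base64</module-option>
    </login-module>
  </authentication>
</application-policy>

<!-- Contents of the two properties files (constructed sample values):

     props/patientdemo-users.properties   one line per user, username=password
       wsclient=PLACEHOLDER_BASE64_SHA256_OF_PASSWORD

     props/patientdemo-roles.properties   one line per user, username=role1,role2
       wsclient=friend

     The role name has to be one the EJB allows (for example through
     @RolesAllowed), otherwise a correct password still ends in a 401/403. -->
```

With BASIC authentication and no HTTPS, the user name and password travel base64-encoded, not encrypted, in every request; hashing in the properties file protects the stored copy only.
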
Steve Vittoria
Ranch Hand

Joined: Jan 12, 2005
Posts: 33

Thanks for all your help Peter, I finally got it working!
 