security-constraint to exclude wsdl

Hicham Bahi
Greenhorn

Joined: Aug 29, 2011
Posts: 2
I have a web application built using JAX-WS. I want to secure the application at the Tomcat level but I would like to leave the WSDL unsecured because my clients need to be able to get it before calling the services. Is it possible to exclude only the wsdl URL from the security-constraint in web.xml? I tried the following but it doesn't work:



I believe the problem is that the <url-pattern> element does not allow URL parameters (i.e. such as "?wsdl"). If I remove the "?.wsdl" at the end of the URL (e.g. <url-pattern>/services/ACLService</url-pattern>) I can access the service (e.g. /services/ACLService) and the associated wsdl but that's not what I want: the service itself should be secured!

I'm afraid that what I'm trying to do is not possible. Can anyone confirm this?

Thanks

Hicham
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15950
    

You are correct that parameters are not valid in pattern URLs.

While I am a big proponent of using the JEE container security system, I'm not sure that it's a good fit for web services. One of the problems is that a web services client might not be equipped to handle the login process presented by the container. In particular, I don't know that it's a good fit for RESTful services.

I probably would up the transport guarantee to get SSL/TLS transport, though.

Customer surveys are for companies who didn't pay proper attention to begin with.
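
Why a url-pattern cannot single out the WSDL, as an added example that is not part of the original thread: a re-implementation of the Servlet specification's url-pattern matching rules (not Tomcat's own code), run against the two requests from the question. The class name, host, port, empty context path and the first pattern are assumptions constructed from the description above.

```java
import java.net.URI;

public class UrlPatternDemo {

    // Servlet-spec url-pattern rules, applied to the request path only.
    static boolean matches(String pattern, String path) {
        if (pattern.equals("/")) {
            return true;                              // default mapping
        }
        if (pattern.endsWith("/*")) {                 // path-prefix mapping
            String prefix = pattern.substring(0, pattern.length() - 2);
            return path.equals(prefix) || path.startsWith(prefix + "/");
        }
        if (pattern.startsWith("*.")) {               // extension mapping
            int slash = path.lastIndexOf('/');
            int dot = path.lastIndexOf('.');
            return dot > slash && path.substring(dot).equals(pattern.substring(1));
        }
        return pattern.equals(path);                  // exact mapping
    }

    public static void main(String[] args) {
        // Constructed patterns: the first mirrors the attempt described in
        // the question, the other two are ordinary path patterns.
        String[] patterns = {
            "/services/ACLService?wsdl",
            "/services/ACLService",
            "/services/*"
        };
        // Constructed requests; host, port and an empty context path are assumed.
        String[] requests = {
            "http://localhost:8080/services/ACLService?wsdl",
            "http://localhost:8080/services/ACLService"
        };
        for (String request : requests) {
            URI uri = URI.create(request);
            // The container compares patterns with the path; the query
            // string is carried separately and never takes part.
            System.out.printf("%s%n  path=%s query=%s%n",
                    request, uri.getPath(), uri.getQuery());
            for (String pattern : patterns) {
                System.out.printf("  %-28s -> %s%n",
                        pattern, matches(pattern, uri.getPath()));
            }
        }
    }
}
```

Both requests resolve to the same path, so a constraint that covers the service endpoint also covers its WSDL, and one that omits the endpoint leaves both open.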
 
 