
I want to build a simple example webservice that is protected by username and password.

As a starting point I used: https://docs.jboss.org/author/display/JBWS/WS-Security

The problem: every client, even with wrong or missing credentials, can invoke the web service methods. So the @EndpointConfig seems to have no effect. But I don't know how to dig deeper, because I couldn't get more detailed information about the web service config through debugging or the JBoss admin console.

Webservice class:

import javax.jws.WebService;
import org.jboss.ws.api.annotation.EndpointConfig;

@WebService(serviceName="MyWebService", portName="MyWebServicePort")
@EndpointConfig(configFile = "WEB-INF/jaxws-endpoint-config.xml", configName = "myconfig")
public class MyWebService{...}

jaxws-endpoint-config.xml:

<?xml version="1.0" encoding="UTF-8"?>
<jaxws-config xmlns="urn:jboss:jbossws-jaxws-config:4.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:javaee="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="urn:jboss:jbossws-jaxws-config:4.0 schema/jbossws-jaxws-config_4_0.xsd">
  <endpoint-config>
    <config-name>myconfig</config-name>
    <property>
      <property-name>ws-security.username</property-name>
      <property-value>myusername</property-value>
    </property>
    <property>
      <property-name>ws-security.password</property-name>
      <property-value>mypassword</property-value>
    </property>
  </endpoint-config>
</jaxws-config>

Any suggestions on how to get unauthorized clients denied?

syr

1 Answer


You basically need to publish your policy in your WSDL.

You have to add the following under the binding section of your WSDL.

<binding name="SecurityServicePortBinding" type="tns:ServiceIface">
<wsp:PolicyReference URI="#SecurityServiceSignThenEncryptPolicy"/>
...
</binding>

And add the policy definition itself in your WSDL like this:

<wsp:Policy wsu:Id="SecurityServiceSignThenEncryptPolicy"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:AsymmetricBinding>
        ....
      </sp:AsymmetricBinding>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>

When you hit your service URL (e.g. http://localhost:8080/yourservice?wsdl), you should be able to see the policy reference in the returned WSDL. Otherwise, no authentication/encryption happens.

slbb