I want to build a simple example webservice that is protected by username and password.
As a starting point I used: https://docs.jboss.org/author/display/JBWS/WS-Security
The problem: every client even with wrong or missing credentials can invoke the web service methods. So the @EndpointConfig seems to have no effect. But I don't know how to dig deeper because I couldn't get more detailed information about the web service config by debugging and the jboss admin console.
Webservice class:
@WebService(serviceName="MyWebService", portName="MyWebServicePort")
@EndpointConfig(configFile = "WEB-INF/jaxws-endpoint-config.xml", configName = "myconfig")
public class MyWebService{...}
jaxws-endpoint-config.xml:
<?xml version="1.0" encoding="UTF-8"?>
<jaxws-config xmlns="urn:jboss:jbossws-jaxws-config:4.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:javaee="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="urn:jboss:jbossws-jaxws-config:4.0 schema/jbossws-jaxws-config_4_0.xsd">
<endpoint-config>
<config-name>myconfig</config-name>
<property>
<property-name>ws-security.username</property-name>
<property-value>myusername</property-value>
</property>
<property>
<property-name>ws-security.password</property-name>
<property-value>mypassword</property-value>
</property>
</endpoint-config>
</jaxws-config>
Any suggestion to get unauthorized clients denied?