Here the simplest way to authenticate a web service user with JBossWS is explained.
First we secure the access to the SLSB as we would do for normal (non web service) invocations: this can be easily done through the @RolesAllowed, @PermitAll, @DenyAll annotation. The allowed user roles can be set with these annotations both on the bean class and on any of its business methods.
Similarly POJO endpoints are secured the same way as we do for normal web applications in web.xml:
Next, specify the security domain for this deployment. This is performed using the @SecurityDomain annotation for EJB3 endpoints
or modifying the jboss-web.xml for POJO endpoints
The security domain as well as its the authentication and authorization mechanisms are defined differently depending on the JBoss Application Server in use.
A web service client may use the javax.xml.ws.BindingProvider interface to set the username/password combination
To enable HTTP Basic authentication you use the @WebContext annotation on the bean class
For POJO endpoints, we modify the web.xml adding the auth-method element:
A Java Authentication SPI (JASPI) provider can be configured in WildFly security subsystem to authenticate SOAP messages:
|For further information on configuring security domains in WildFly, please refer to here.|
Here org.jboss.wsf.stack.cxf.jaspi.module.UsernameTokenServerAuthModule is the class implementing javax.security.auth.message.module.ServerAuthModule, which delegates to the proper login module to perform authentication using the credentials from WS-Security UsernameToken in the incoming SOAP message. Alternative implementations of ServerAuthModule can be implemented and configured.
To enable JASPI authentication, the endpoint deployment needs to specify the security domain to use; that can be done in two different ways:
- Setting the jaspi.security.domain property in the jboss-webservices.xml descriptor
- Referencing (through @EndpointConfig annotation) an endpoint config that sets the jaspi.security.domain property
The jaspi.security.domain property is specified as follows in the referenced descriptor:
|If the JASPI security domain is specified in both jboss-webservices.xml and config file referenced by @EndpointConfig annotation, the JASPI security domain specified in jboss-webservices.xml will take precedence.|