Authentication

This page explains the simplest way to authenticate a web service user with JBossWS.

First we secure access to the SLSB as we would for normal (non web service) invocations: this is easily done with the @RolesAllowed, @PermitAll and @DenyAll annotations. The allowed user roles can be set with these annotations both on the bean class and on any of its business methods.

Similarly, POJO endpoints are secured in web.xml the same way as normal web applications:

Specify the security domain

Next, specify the security domain for this deployment. This is performed using the @SecurityDomain annotation for EJB3 endpoints

or modifying the jboss-web.xml for POJO endpoints

The security domain, as well as its authentication and authorization mechanisms, is defined differently depending on the JBoss Application Server in use.

Use BindingProvider to set principal/credential

A web service client may use the javax.xml.ws.BindingProvider interface to set the username/password combination

Using HTTP Basic Auth for security

To enable HTTP Basic authentication you use the @WebContext annotation on the bean class
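The EJB3 steps above (role annotations, security domain, HTTP Basic, and the client's BindingProvider credentials) put together as an added example that is not from the original page or the JBossWS project. The endpoint name, namespace, context root, role `friend`, domain `example-ws-domain` and the localhost address are constructed, and `transportGuarantee` is an addition the page does not mention; each marked section is a separate source file.

```java
// ---- SecureEndpoint.java (hypothetical SEI shared by server and client) ----
import javax.jws.WebService;

@WebService(targetNamespace = "http://example.org/secure")
public interface SecureEndpoint {
    String echo(String input);
}

// ---- SecureEndpointBean.java (EJB3 endpoint, deployed on the server) ----
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.jws.WebService;
import org.jboss.ejb3.annotation.SecurityDomain;
import org.jboss.ws.api.annotation.WebContext;

@Stateless
@WebService(endpointInterface = "SecureEndpoint", serviceName = "SecureEndpointService",
            targetNamespace = "http://example.org/secure")
@SecurityDomain("example-ws-domain") // placeholder; must name a domain defined on the server
// Assumption, not on the page: Basic credentials are only base64-encoded, so TLS is required here.
@WebContext(contextRoot = "/secure-ws", urlPattern = "/SecureEndpoint",
            authMethod = "BASIC", transportGuarantee = "CONFIDENTIAL")
@RolesAllowed("friend")              // constructed role; applies to every business method
public class SecureEndpointBean implements SecureEndpoint {
    @Override
    public String echo(String input) { return input; }
}

// ---- SecureEndpointClient.java (run as: SecureEndpointClient <user> <password>) ----
import java.net.URL;
import javax.xml.namespace.QName;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.Service;

public class SecureEndpointClient {
    public static void main(String[] args) throws Exception {
        URL wsdl = new URL("https://localhost:8443/secure-ws/SecureEndpoint?wsdl"); // constructed
        QName name = new QName("http://example.org/secure", "SecureEndpointService");
        SecureEndpoint port = Service.create(wsdl, name).getPort(SecureEndpoint.class);

        // Credentials go into the request context, not the URL or the source code.
        BindingProvider bp = (BindingProvider) port;
        bp.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, args[0]);
        bp.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, args[1]);
        System.out.println(port.echo("hello"));
    }
}
```

A caller whose user is not in the `friend` role of the configured domain is rejected before `echo` runs; a request with no credentials receives an HTTP 401 challenge from the web layer.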

For POJO endpoints, we modify the web.xml adding the auth-method element:

JASPI Authentication

A Java Authentication SPI (JASPI) provider can be configured in the WildFly security subsystem to authenticate SOAP messages:

For further information on configuring security domains in WildFly, please refer to here.

Here org.jboss.wsf.stack.cxf.jaspi.module.UsernameTokenServerAuthModule is the class implementing javax.security.auth.message.module.ServerAuthModule. It delegates to the proper login module to perform authentication using the credentials from the WS-Security UsernameToken in the incoming SOAP message. Alternative implementations of ServerAuthModule can be written and configured.

To enable JASPI authentication, the endpoint deployment needs to specify the security domain to use; that can be done in two different ways:

  • Setting the jaspi.security.domain property in the jboss-webservices.xml descriptor
  • Referencing (through @EndpointConfig annotation) an endpoint config that sets the jaspi.security.domain property

The jaspi.security.domain property is specified as follows in the referenced descriptor:

If the JASPI security domain is specified both in jboss-webservices.xml and in the config file referenced by the @EndpointConfig annotation, the JASPI security domain specified in jboss-webservices.xml takes precedence.