Perform authentication for POJO-based web services.
Assume that you have a POJO.
Note the use of the @HandlerChain annotation that defines the handler xml.
The handler xml is authorize-handlers.xml.
Note: The order of execution of the handlers is SAML2Handler, WSAuthenticationHandler and WSAuthorizationHandler. These need to be defined in reverse order in the xml.
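A sketch of what such an authorize-handlers.xml can look like, with the handlers listed in reverse of their execution order. This is an added example, not the file from the original page; the handler-class package (PicketLink's org.picketlink.trust.jbossws.handler) is an assumption, since the page names only the handlers themselves.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- authorize-handlers.xml: added example, not the page's original file. -->
<handler-chains xmlns="http://java.sun.com/xml/ns/javaee">
  <handler-chain>
    <!--
      JAX-WS processes a handler chain in reverse for inbound messages,
      so on the service side the LAST entry here runs FIRST.
      Declared order: authorization, authentication, SAML2.
      Execution order on a request: SAML2, authentication, authorization.
    -->
    <handler>
      <!-- Runs third: the role check for the invoked operation -->
      <handler-name>WSAuthorizationHandler</handler-name>
      <!-- Assumed package name; verify against the handler jar you deploy -->
      <handler-class>org.picketlink.trust.jbossws.handler.WSAuthorizationHandler</handler-class>
    </handler>
    <handler>
      <!-- Runs second: authenticates the caller -->
      <handler-name>WSAuthenticationHandler</handler-name>
      <handler-class>org.picketlink.trust.jbossws.handler.WSAuthenticationHandler</handler-class>
    </handler>
    <handler>
      <!-- Runs first: processes the SAML2 assertion in the request -->
      <handler-name>SAML2Handler</handler-name>
      <handler-class>org.picketlink.trust.jbossws.handler.SAML2Handler</handler-class>
    </handler>
  </handler-chain>
</handler-chains>
```

If the entries were listed in execution order instead, the authorization check would run before the SAML2 and authentication handlers had processed the request.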
Since we intend to expose a POJO as a web service, we need to package it in a web archive (WAR).
The web.xml is:
Please do not define any <security-constraint> in the web.xml.
The jboss-web.xml is:
The jboss-wsse.xml is:
As you can see, there are two operations defined on the POJO web service, and each of these operations requires different access control. The echoUnchecked() method allows free access to any authenticated user, whereas the echo() method requires the caller to have the "JBossAdmin" role.
The war should look as:
The Test Case is something like: