



Perform authentication for POJO-based web services.

Example Usage:

Assume that you have a POJO.

Note the use of the @HandlerChain annotation that defines the handler xml.

The handler xml is authorize-handlers.xml. 

Note: The handlers execute in the order SAML2Handler, WSAuthenticationHandler, WSAuthorizationHandler. They need to be defined in reverse order in the xml.
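The reverse ordering described in the note above, as an added example (not the page's original listing): a handler chain file in the standard Java EE handler-chains format. The fully qualified class names, in the package org.picketlink.trust.jbossws.handler, are an assumption; check them against the PicketLink version you deploy.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- authorize-handlers.xml: referenced from the POJO via @HandlerChain.
     Handlers are listed in reverse of the order in which they execute. -->
<handler-chains xmlns="http://java.sun.com/xml/ns/javaee"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xsi:schemaLocation="http://java.sun.com/xml/ns/javaee javaee_web_services_1_2.xsd">
  <handler-chain>

    <!-- Declared first, executes last: enforces the per-operation
         roles from jboss-wsse.xml against the authenticated caller. -->
    <handler>
      <handler-name>WSAuthorizationHandler</handler-name>
      <!-- Assumed package name -->
      <handler-class>org.picketlink.trust.jbossws.handler.WSAuthorizationHandler</handler-class>
    </handler>

    <!-- Executes second: authenticates the caller against the
         security domain named in jboss-web.xml. -->
    <handler>
      <handler-name>WSAuthenticationHandler</handler-name>
      <!-- Assumed package name -->
      <handler-class>org.picketlink.trust.jbossws.handler.WSAuthenticationHandler</handler-class>
    </handler>

    <!-- Declared last, executes first: processes the SAML2 assertion
         in the incoming message before the other two handlers run. -->
    <handler>
      <handler-name>SAML2Handler</handler-name>
      <!-- Assumed package name -->
      <handler-class>org.picketlink.trust.jbossws.handler.SAML2Handler</handler-class>
    </handler>

  </handler-chain>
</handler-chains>
```

If the authorization handler were listed last instead of first, it would run before any caller had been authenticated, so the declaration order is part of the access control configuration and should be reviewed as such.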

Since we intend to expose a POJO as a web service, we need to package it in a web archive (war).

The web.xml is:

Please do not define any <security-constraint> in the web.xml.

The jboss-web.xml is:

The jboss-wsse.xml is:

As you can see, there are two operations defined on the POJO web service, and each of these operations requires different access control. The echoUnchecked() method allows free access to any authenticated user, whereas the echo() method requires the caller to have the "JBossAdmin" role.

The war should look like this:

The Test Case is something like:

  1. Aug 27, 2012

    Hi, I followed the instructions for securing my web service with WSAuthorizationHandler and WSAuthorizationHandler. After deploying the application into EAP 6.0 (JBoss 7.1.2), the unit test execution has the following error:

    Here's the security domain configured in standalone.xml for my application:


    Is there any additional configuration that needs to be added? Thanks!

    1. Sep 03, 2012


          You're not missing anything. Those handlers will be available for AS7/EAP6 with the 2.1.5.Final version. 

          We'll release this version this week.

      Pedro Igor

    2. Sep 04, 2012

      Hi Wei,

          Can you try that now with Timed Release 2012-Aug-24?

      Best regards.
      Pedro Igor