This page explains the simplest way to authenticate a web service user with JBossWS.
First, we secure access to the stateless session bean (SLSB) as we would for normal (non web service) invocations: this is easily done with the @RolesAllowed, @PermitAll and @DenyAll annotations. These annotations can set the allowed user roles both on the bean class and on any of its business methods.
Similarly, POJO endpoints are secured in web.xml, the same way as normal web applications.
Next, specify the security domain for this deployment. This is done with the @SecurityDomain annotation for EJB3 endpoints, or by modifying jboss-web.xml for POJO endpoints.
The security domain, as well as its authentication and authorization mechanisms, is defined differently depending on the application server version in use.
A web service client may use the javax.xml.ws.BindingProvider interface to set the username/password combination.
To enable HTTP Basic authentication, use the @WebContext annotation on the bean class.
For POJO endpoints, we modify web.xml, adding the auth-method element.
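A web.xml for a POJO endpoint that combines the role constraint and the auth-method element described above, as an added example that is not from the original page. The servlet name, endpoint class, URL pattern, role and realm name are hypothetical, and the user-data-constraint requiring TLS is an addition the page does not mention.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example. Hypothetical names: HelloEndpoint,
     com.example.ws.HelloEndpointImpl, /hello, role "friend", the realm name. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <!-- Assumed convention: the POJO endpoint class is declared as a servlet. -->
  <servlet>
    <servlet-name>HelloEndpoint</servlet-name>
    <servlet-class>com.example.ws.HelloEndpointImpl</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>HelloEndpoint</servlet-name>
    <url-pattern>/hello</url-pattern>
  </servlet-mapping>

  <!-- Who may call the endpoint: only authenticated users in role "friend". -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HelloEndpoint</web-resource-name>
      <url-pattern>/hello</url-pattern>
      <!-- No http-method elements here: listing only some methods
           would leave the unlisted ones unprotected. -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>friend</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Basic sends the password base64-encoded, not encrypted,
           so the container is told to require TLS for this URL. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- How the caller proves identity: HTTP Basic. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Example realm</realm-name>
  </login-config>

  <!-- Every role used in an auth-constraint is declared here. -->
  <security-role>
    <role-name>friend</role-name>
  </security-role>
</web-app>
```

The role only takes effect if the security domain named in jboss-web.xml assigns it to the authenticated user.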