Java Reference
In-Depth Information
Securing web services
Web service authorization can basically be carried out in two ways, depending on whether
we are dealing with a POJO-based web service or an EJB-based web service. Security
changes to POJO web services are identical to those we introduced for servlets/JSP, con-
sistent in defining the security-constraints element in web.xml and the login
modules in jboss-web.xml .
If you are using a web client to access your web service, it is all you need to get authentic-
ated. If you are using a standalone client, you will need to specify the credentials in the
JAX-WS Factory. The following is an example of how to access the secured Calcu-
latePowerService instance, which was described in Chapter 7 , Adding Web Services
to Your Applications :
JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();
factory.getInInterceptors().add(new LoggingInInterceptor());
CalculatePowerWebService client =
(CalculatePowerWebService) factory.create();
What about EJB-based web services? The configuration is slightly different; since the se-
curity domain is not specified in web descriptors, we have to provide it by means of an-
@WebService(targetNamespace = "",
serviceName = "TicketWebService")
@WebContext(authMethod = "BASIC",
secureWSDLAccess = false)
@SecurityDomain(value = "dbdomain")
public class TicketSOAPService implements
Search WWH ::

Custom Search