Securing web services
Web service authorization can basically be carried out in two ways, depending on whether
we are dealing with a POJO-based web service or an EJB-based web service. Security
changes to POJO web services are identical to those we introduced for servlets/JSP,
consisting of defining the security-constraints element in web.xml and the login
modules in jboss-web.xml.
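The two descriptors described above could look as follows for the POJO endpoint. This is an added example, not code from the original text. The URL pattern, the Manager role, and the dbdomain security domain are assumptions borrowed from the client address and the EJB example on this page.

```xml
<!-- WEB-INF/web.xml (fragment inside <web-app>) -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>POJO web service</web-resource-name>
    <!-- Assumption: path taken from the client address; adjust it to the
         servlet mapping relative to your context root -->
    <url-pattern>/pojoService</url-pattern>
    <!-- No <http-method> is listed, so the constraint covers every HTTP method -->
  </web-resource-collection>
  <auth-constraint>
    <!-- Assumption: role name borrowed from the EJB example -->
    <role-name>Manager</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- BASIC only base64-encodes the password, so require TLS outside local
         testing. Clients must then use an https:// address. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>dbdomain</realm-name>
</login-config>
<security-role>
  <role-name>Manager</role-name>
</security-role>

<!-- WEB-INF/jboss-web.xml -->
<jboss-web>
  <!-- Assumption: same security domain name as the EJB example -->
  <security-domain>dbdomain</security-domain>
</jboss-web>
```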
If you are using a web client to access your web service, this is all you need to get
authenticated. If you are using a standalone client, you will need to specify the
credentials in the JAX-WS Factory. The following is an example of how to access the
secured CalculatePowerService instance, which was described in Chapter 7, Adding Web
Services to Your Applications:
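import org.apache.cxf.interceptor.LoggingInInterceptor;
import org.apache.cxf.interceptor.LoggingOutInterceptor;
import org.apache.cxf.jaxws.JaxWsProxyFactoryBean;

JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();
// Log inbound and outbound SOAP messages
factory.getInInterceptors().add(new LoggingInInterceptor());
factory.getOutInterceptors().add(new LoggingOutInterceptor());
factory.setServiceClass(CalculatePowerWebService.class);
factory.setAddress("http://localhost:8080/pojoService");
// Credentials sent with each request (HTTP BASIC)
factory.setUsername("admin");
factory.setPassword("admin");
CalculatePowerWebService client =
    (CalculatePowerWebService) factory.create();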
What about EJB-based web services? The configuration is slightly different; since the
security domain is not specified in web descriptors, we have to provide it by means of
annotations:
@Stateless
@WebService(targetNamespace = "http://www.packtpub.com/",
            serviceName = "TicketWebService")
@WebContext(authMethod = "BASIC",
            secureWSDLAccess = false)
@SecurityDomain(value = "dbdomain")
@RolesAllowed("Manager")
public class TicketSOAPService implements