10.20. Further HTTP Gateway Security

To force an end-point to use a log-in, utilise the <protected-methods> and <allowed-roles> sections of a <http-bus> configuration file:
<http-bus busid="secureSalesDeletes">
    <allowed-roles>
        <role name="friend" />
    </allowed-roles>
    <protected-methods>
        <method name="DELETE" />
    </protected-methods>
</http-bus>
The above configuration stipulates that a valid "friend" log-in is required for delete requests made on the "secureSalesDeletes" bus.
  The following log-in matrix tries to illustrate which configurations will enforce a log-in, and when.

Table 10.15. 

Methods Specified Roles Specified Log-in Required
No
No
No
No
Yes
For All Methods
Yes
Yes
For Specified Methods Only
Yes
No
No. Specified methods blocked to all.

Configure the authentication method and security domain from within the <war-security> configuration's <globals> element:
<http-provider name="http">
    <http-bus busid="secureFriends">
        <allowed-roles>
            <role name="friend" />
        </allowed-roles>
        <protected-methods>
            <method name="DELETE" />
        </protected-methods>
    </http-bus>

    <auth method="BASIC" domain="java:/jaas/JBossWS" />
</http-provider>
The method attribute can be one of "BASIC" (default), "CLIENT-CERT" or "DIGEST".
You can configure the HTTP Transport Guarantee on a per http-bus basis by specifying it on the bus using the "transportGuarantee" attribute.
<http-bus busid="secureFriends" transportGuarantee="CONFIDENTIAL">
    <!-- etc etc -->
</http-bus>
The valid values for transportGuarantee are "CONFIDENTIAL", "INTEGRAL" and "NONE".