8.21.2.8. POJO Endpoint Authentication and Authorization

The credentials obtained by WS-Security are generally used for EJB endpoints, or for POJO endpoints when they make a call to another secured resource. It is now possible to enable authentication and authorization checking for POJO endpoints.

Important

Authentication and Authorization should not be enabled for EJB based endpoints because the EJB container handles the security requirements of the deployed bean.

Procedure 8.1. Enabling POJO Authentication and Authorization

This procedure describes the additional configuration required to enable authentication and authorization for POJO endpoints.
  1. Define Security Domain in Web Archive

    You must define a security domain in the WAR containing the POJO.
    Specify a <security-domain> element in the jboss-web.xml deployment descriptor within the /WEB-INF folder.
    <jboss-web>
      <security-domain>java:/jaas/JBossWS</security-domain>
    </jboss-web>
  2. Configure the jboss-wsse-server.xml <authorize> element

    Specify an <authorize> element within the <config> element.
    The <config> element can be defined globally, be port-specific, or operation-specific.
    The <authorize> element must contain either the <unchecked/> element or one or more <role> elements. Each <role> element must contain the name of a valid RoleName.
    You can implement either of two types of authentication: unchecked authentication or role-based authentication.
    Unchecked Authentication
    The authentication step is performed to validate the user's username and password, but no further role checking takes place. If the user's username and password are invalid, the request is rejected.

    Example 8.9. Unchecked Authentication

    <jboss-ws-security>
      <config>
        <authorize>
          <unchecked/>
        </authorize>
      </config>
    </jboss-ws-security>

    Role-based Authentication
    The user is authenticated using their username and password as per Unchecked Authentication. Once the user's username and password are verified, the user's credentials are checked again to ensure that at least one of the roles specified in the <role> elements is assigned to the user.

    Note

    Authentication and authorization proceed even if no username and password, or no certificate, was provided in the request message. In this scenario, authentication may still succeed if the security domain's login module has been configured with an anonymous identity.

    Example 8.10. Role-based Authentication

    <jboss-ws-security>
      <config>
        <authorize>
          <role>friend</role>
          <role>family</role>
        </authorize>
      </config>
    </jboss-ws-security>
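    As an added check, not part of the JBossWS documentation or project code, the following Python script lints the <authorize> elements of a jboss-wsse-server.xml document against the rules stated in step 2 (each <authorize> holds either <unchecked/> or one or more named <role> elements). The sample documents, role names and the mutually-exclusive reading of "either ... or" are this script's own assumptions.

```python
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip any '{namespace}' prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def check_authorize(xml_text):
    """Lint every <authorize> in a jboss-wsse-server.xml document.
    Returns a list of problem strings; an empty list means each
    <authorize> holds either <unchecked/> or one or more <role>
    elements and every <role> names a role. Treating the two forms
    as mutually exclusive is this checker's reading of 'either ... or'."""
    root = ET.fromstring(xml_text)
    problems = []
    # root.iter() walks the whole tree, so global, port-level and
    # operation-level <config> elements are all inspected.
    auths = [e for e in root.iter() if _local(e.tag) == "authorize"]
    for idx, auth in enumerate(auths, start=1):
        where = f"authorize #{idx}"
        kids = [_local(c.tag) for c in auth]
        roles = [c for c in auth if _local(c.tag) == "role"]
        unchecked = kids.count("unchecked")
        if not unchecked and not roles:
            problems.append(f"{where}: must contain <unchecked/> or at least one <role>")
        if unchecked and roles:
            problems.append(f"{where}: <unchecked/> and <role> are mutually exclusive")
        for r in roles:
            if not (r.text or "").strip():
                problems.append(f"{where}: <role> has an empty name")
        for kid in kids:
            if kid not in ("unchecked", "role"):
                problems.append(f"{where}: unexpected child <{kid}>")
    return problems


# Constructed sample documents (assumed, not taken from a real deployment).
ROLE_BASED = """<jboss-ws-security><config><authorize>
  <role>friend</role><role>family</role>
</authorize></config></jboss-ws-security>"""
EMPTY_AUTHORIZE = """<jboss-ws-security><config>
  <authorize/>
</config></jboss-ws-security>"""
MIXED = """<jboss-ws-security><config><authorize>
  <unchecked/><role> </role>
</authorize></config></jboss-ws-security>"""

if __name__ == "__main__":
    for name, doc in [("role-based", ROLE_BASED), ("empty", EMPTY_AUTHORIZE), ("mixed", MIXED)]:
        print(name, check_authorize(doc) or "OK")
```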