Read this section to learn how to authenticate a web service user using a number of available methods.
Task: Authenticate a Web Service User
Secure access to the Stateless Session Bean
Secure access to the Stateless Session Bean (SLSB) using the @RolesAllowed, @PermitAll and @DenyAll annotations. The allowed user roles can be set with these annotations both on the bean class and on any of its business methods.

    @Stateless
    @RolesAllowed("friend")
    public class EndpointEJB implements EndpointInterface
    {
      ...
    }
Secure POJO endpoints
Secure Plain Old Java Object (POJO) endpoints by defining a <security-constraint> in the WEB-INF/web.xml file of the application.

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>All resources</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>friend</role-name>
      </auth-constraint>
    </security-constraint>
    <security-role>
      <role-name>friend</role-name>
    </security-role>
Define the security domain
Declare the security domain by adding the @SecurityDomain annotation to the bean class.

    @Stateless
    @SecurityDomain("JBossWS")
    @RolesAllowed("friend")
    public class EndpointEJB implements EndpointInterface
    {
      ...
    }
You can also modify JBOSS_HOME/server/PROFILE/deploy/jbossws.sar/jboss-management.war/WEB-INF/jboss-web.xml and specify the security domain there.

    <jboss-web>
      <security-domain>JBossWS</security-domain>
    </jboss-web>
Note
For more information about Security Domains, refer to the JBoss Security Guide.
Define the security context
Configure the security context in the JBOSS_HOME/server/PROFILE/conf/login-config.xml file.

    <!-- A template configuration for the JBossWS security domain.
         This defaults to the UsersRolesLoginModule the same as other
         and should be changed to a stronger authentication mechanism
         as required. -->
    <application-policy name="JBossWS">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
          <module-option name="usersProperties">props/jbossws-users.properties</module-option>
          <module-option name="rolesProperties">props/jbossws-roles.properties</module-option>
          <module-option name="unauthenticatedIdentity">anonymous</module-option>
        </login-module>
      </authentication>
    </application-policy>
Note
The default UsersRolesLoginModule should be changed to another login module that offers security suitable for your enterprise deployment. Follow Task: Enable LDAP Authentication for the steps to use the LdapLoginModule to control user authentication.
Task: Enable LDAP Authentication
Task Summary
Follow this task to configure Lightweight Directory Access Protocol (LDAP) authentication for a JBossWS application. You use the LdapLoginModule as described in the JBoss Security Guide.
The initial configuration is the same as Task: Authenticate a Web Service User, with the exception that you must specify the correct login module and make minor changes to the <security-constraint> block in the application's WEB-INF/web.xml file.
Secure access to the Stateless Session Bean
Secure access to the Stateless Session Bean (SLSB) using the @RolesAllowed, @PermitAll and @DenyAll annotations. The allowed user roles can be set with these annotations both on the bean class and on any of its business methods.

    @Stateless
    @RolesAllowed("friend")
    public class EndpointEJB implements EndpointInterface
    {
      ...
    }
Secure POJO endpoints
Secure Plain Old Java Object (POJO) endpoints by defining a <security-constraint> in the WEB-INF/web.xml file of the application. The <role-name> element inside <auth-constraint> specifies whether authentication is mandatory. It can be set to "not required" by specifying an asterisk (*) as the value of the <role-name> element.

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>All resources</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>*</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>JbossWS</realm-name>
    </login-config>
Note
For more information about valid <auth-method> values, refer to the Web Content Security Constraints section of the JBoss Security Guide.
Define the security domain
Declare the security domain by adding the @SecurityDomain annotation to the bean class.

    @Stateless
    @SecurityDomain("JBossWS")
    @RolesAllowed("friend")
    public class EndpointEJB implements EndpointInterface
    {
      ...
    }
You can also modify JBOSS_HOME/server/PROFILE/deploy/jbossws.sar/jboss-management.war/WEB-INF/jboss-web.xml and specify the security domain there.

    <jboss-web>
      <security-domain>JBossWS</security-domain>
    </jboss-web>
Note
For more information about Security Domains, refer to the JBoss Security Guide.
Define the security context
Configure the security context in the JBOSS_HOME/server/PROFILE/conf/login-config.xml file.

    <!-- A template configuration for the JBossWS security domain.
         This defaults to the UsersRolesLoginModule the same as other
         and should be changed to a stronger authentication mechanism
         as required. -->
    <application-policy name="JBossWS">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
          <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
          <module-option name="java.naming.provider.url">ldap://ldaphost.jboss.org:1389/</module-option>
          <module-option name="java.naming.security.authentication">simple</module-option>
          <module-option name="principalDNPrefix">uid=</module-option>
          <module-option name="principalDNSuffix">,ou=People,dc=jboss,dc=org</module-option>
          <module-option name="rolesCtxDN">ou=Roles,dc=jboss,dc=org</module-option>
          <module-option name="uidAttributeID">member</module-option>
          <module-option name="matchOnUserDN">true</module-option>
          <module-option name="roleAttributeID">cn</module-option>
          <module-option name="roleAttributeIsDN">false</module-option>
        </login-module>
      </authentication>
    </application-policy>
Note
Refer to the Security Guide for information about the LdapLoginModule and other available login modules.
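The following is an added example, not code from the guide or from JBoss, that reads the LdapLoginModule options above and shows how they combine for a given username: principalDNPrefix + username + principalDNSuffix forms the DN the module binds with, and because matchOnUserDN is true the role search under rolesCtxDN matches uidAttributeID (member) against that full DN and reads roles from roleAttributeID (cn). The role entries are constructed in place of ldaphost.jboss.org, and the RFC 4514/4515 escaping is this example's own precaution against usernames that carry DN or filter syntax, not a description of what the module does internally.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt of the LdapLoginModule block from login-config.xml (same option values).
LOGIN_CONFIG = """<application-policy name="JBossWS"><authentication>
  <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
    <module-option name="principalDNPrefix">uid=</module-option>
    <module-option name="principalDNSuffix">,ou=People,dc=jboss,dc=org</module-option>
    <module-option name="rolesCtxDN">ou=Roles,dc=jboss,dc=org</module-option>
    <module-option name="uidAttributeID">member</module-option>
    <module-option name="matchOnUserDN">true</module-option>
    <module-option name="roleAttributeID">cn</module-option>
  </login-module>
</authentication></application-policy>"""

def module_options(xml_text, code):
    """Return {name: value} for the <login-module> whose code attribute equals `code`."""
    for lm in ET.fromstring(xml_text).iter("login-module"):
        if lm.get("code") == code:
            return {o.get("name"): (o.text or "").strip() for o in lm.findall("module-option")}
    raise KeyError(code)

def escape_dn_value(value):
    """RFC 4514 escaping so a username cannot add or alter RDNs in the bind DN."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    return "\\" + out if out[:1] in ("#", " ") else out

def escape_filter_value(value):
    """RFC 4515 escaping so the value cannot inject filter syntax into the role search."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def resolve(opts, username):
    """(bind DN, search base, search filter) that these options produce for a username."""
    user_dn = opts["principalDNPrefix"] + escape_dn_value(username) + opts["principalDNSuffix"]
    match = user_dn if opts.get("matchOnUserDN") == "true" else username
    return user_dn, opts["rolesCtxDN"], "(%s=%s)" % (opts["uidAttributeID"], escape_filter_value(match))

# Constructed role entries standing in for the directory under ou=Roles.
ROLE_ENTRIES = [
    ("cn=friend,ou=Roles,dc=jboss,dc=org",
     {"cn": ["friend"], "member": ["uid=jsmith,ou=People,dc=jboss,dc=org"]}),
    ("cn=admin,ou=Roles,dc=jboss,dc=org",
     {"cn": ["admin"], "member": ["uid=root,ou=People,dc=jboss,dc=org"]}),
]

def roles_for(opts, username, entries=ROLE_ENTRIES):
    """Roles the search would return: entries under rolesCtxDN whose uidAttributeID
    equals the match value, read from roleAttributeID (equality match, no live LDAP)."""
    user_dn, base, _ = resolve(opts, username)
    match = user_dn if opts.get("matchOnUserDN") == "true" else username
    return sorted(r for dn, a in entries if dn.endswith("," + base)
                  and match in a.get(opts["uidAttributeID"], []) for r in a.get(opts["roleAttributeID"], []))
```

With these options a user who is not listed as a member of any entry under ou=Roles authenticates with no roles and therefore fails the @RolesAllowed("friend") check on the bean.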
A web service client can use the javax.xml.ws.BindingProvider interface to set the username and password combination.
Example 11.1. BindingProvider Configuration
    import java.io.File;
    import java.net.URL;
    import javax.xml.namespace.QName;
    import javax.xml.ws.BindingProvider;
    import javax.xml.ws.Service;

    // Build the client proxy from the WSDL, then set the credentials in its request context.
    URL wsdlURL = new File("resources/jaxws/samples/context/WEB-INF/wsdl/TestEndpoint.wsdl").toURI().toURL();
    QName qname = new QName("http://org.jboss.ws/jaxws/context", "TestEndpointService");
    Service service = Service.create(wsdlURL, qname);
    TestEndpoint port = (TestEndpoint) service.getPort(TestEndpoint.class);
    BindingProvider bp = (BindingProvider) port;
    bp.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "jsmith");
    bp.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, "PaSSw0rd");

HTTP Basic Authentication
You can enable HTTP Basic Authentication by using the @WebContext annotation on the bean class, or by adding an <auth-method> element to the <login-config> element in JBOSS_HOME/server/PROFILE/deploy/jbossws.sar/jboss-management.war/WEB-INF/jboss-web.xml.
Example 11.2. @WebContext HTTP Basic Authentication
    @Stateless
    @SecurityDomain("JBossWS")
    @RolesAllowed("friend")
    @WebContext(contextRoot="/my-cxt", urlPattern="/*", authMethod="BASIC", transportGuarantee="NONE", secureWSDLAccess=false)
    public class EndpointEJB implements EndpointInterface
    {
      ...
    }
Example 11.3. jboss-web.xml HTTP Basic Authentication
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Test Realm</realm-name>
    </login-config>