11.13. POJO Endpoint Authentication and Authorization
In general, the credentials obtained by WS-Security are only used for EJB endpoints, or for POJO endpoints when they make a call to another secured resource; it is now possible to enable authentication and authorization checking for the POJO endpoints themselves. (This should not be enabled for EJB-based endpoints, as the EJB container will still enforce the security requirements of the deployed bean.)
Important
These instructions assume WS-Security has already been enabled; they describe only the additional configuration required to enable authentication and authorization for POJO endpoints.
The .war containing the POJO endpoint needs to have a security domain defined. This is achieved by defining a security-domain element in the jboss-web deployment descriptor (jboss-web.xml) within the WEB-INF folder.

<jboss-web>
  <security-domain>java:/jaas/JBossWS</security-domain>
</jboss-web>
The remainder of the configuration to enable authentication and authorization is undertaken within the jboss-wsse-server.xml deployment descriptor.
To enable POJO authentication and authorization, a new authorize element needs to be added to the appropriate config element within the descriptor.

<jboss-ws-security>
  <config>
    <authorize>
      <!-- Must contain either <unchecked/> or one or more <role>RoleName</role> definitions. -->
    </authorize>
  </config>
</jboss-ws-security>
The config element can be defined globally, per port, or even per operation.
The authorize element must contain either the unchecked element or one or more role elements, each naming a role.
<jboss-ws-security>
  <config>
    <authorize>
      <unchecked/>
    </authorize>
  </config>
</jboss-ws-security>
The above example has the unchecked element defined. This means that the authentication step will still be performed to validate the user's username and credential, but no further role checking will take place. If the user's username and credential are invalid the request will be rejected; otherwise the request will be allowed to proceed.
<jboss-ws-security>
  <config>
    <authorize>
      <role>friend</role>
      <role>family</role>
    </authorize>
  </config>
</jboss-ws-security>
This second example has two roles defined. As before, the user will be authenticated using their username and credential, and they will then be checked to ensure that they have been assigned at least one of the roles friend or family.
Note
Authentication and authorization will still proceed even if no username and password or certificate was provided in the request message. In this scenario authentication may proceed only if the login module of the security domain has been configured with an anonymous identity.
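To make the either/or semantics of the authorize element and the two-step check (authenticate, then match roles) concrete, here is an added Python example that is not part of the original documentation or of JBossWS: it parses a descriptor in the shape shown above and evaluates whether a caller would be admitted. It looks only at the global config element and ignores the XML namespace that a real jboss-wsse-server.xml declares; the sample descriptor and caller data are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor in the shape shown on this page
# (namespace omitted, global <config> only).
SAMPLE_DESCRIPTOR = """
<jboss-ws-security>
  <config>
    <authorize>
      <role>friend</role>
      <role>family</role>
    </authorize>
  </config>
</jboss-ws-security>
"""


def parse_authorize(descriptor_xml):
    """Return the authorization policy of the global <config> element.

    Returns {"unchecked": True}, {"roles": {...}}, or None when the
    descriptor carries no <authorize> element (POJO authorization off).
    A mix of <unchecked/> and <role> elements, or an empty <authorize>,
    is rejected because the descriptor comment requires one or the other.
    """
    root = ET.fromstring(descriptor_xml)
    authorize = root.find("./config/authorize")
    if authorize is None:
        return None
    roles = {r.text.strip() for r in authorize.findall("role") if r.text}
    unchecked = authorize.find("unchecked") is not None
    if unchecked and roles:
        raise ValueError("<authorize> must contain either <unchecked/> or <role> elements, not both")
    if not unchecked and not roles:
        raise ValueError("<authorize> must contain <unchecked/> or at least one <role>")
    return {"unchecked": True} if unchecked else {"roles": roles}


def is_authorized(policy, authenticated, principal_roles):
    """Apply the page's rules: authentication must succeed in every case;
    with <unchecked/> nothing more is required, otherwise the caller must
    hold at least one of the configured roles."""
    if not authenticated:
        return False
    if policy.get("unchecked"):
        return True
    return bool(policy["roles"] & set(principal_roles))


if __name__ == "__main__":
    policy = parse_authorize(SAMPLE_DESCRIPTOR)
    print(policy, is_authorized(policy, True, ["family"]))
```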