tomee-users mailing list archives

From Jonathan Gallimore <>
Subject Re: Securing a webservice
Date Thu, 19 Feb 2009 22:43:42 GMT
Hi Jean-Louis,

Thanks for your reply. In terms of HTTP headers and WS security, I haven't
really formed much of an opinion - to be honest this is my first go at using
JAX-WS as opposed to using something like Axis to generate WSDL and the
client classes, I've not really had a go with securing web services either,
so I'm willing to bow to anyone's knowledge and experience here ;-)

Obviously I think it would be great if the standalone and embedded servers
which use their own HTTP listener could accept credentials via basic
authentication, meanwhile Tomcat could do the authentication for us based on
however it's been configured (currently it looks like a new StandardContext
is created for each webservice, and there is code to set up authentication,
but WsService.authMethod was always null when I debugged it, causing no
authentication to be applied, and I couldn't see how it could be set
otherwise), and the user and role principals could be passed through from
Tomcat to the relevant EJB container.

I haven't really come across WS-Security before, but a quick web search has
turned up some interesting looking articles, so I've got some good reading
for this weekend. :-)

To give a bit more background on how this has come about - my colleague at
work has been working on some functionality as an EJB, and felt it would be
nice to have it available as a webservice - and adding the @WebService
annotation to the EJB seemed to be a nice idea, rather than creating a
webservice as a separate class that just delegates through to the EJB as you
describe - and we hoped the container would handle the authentication for
us. When configured correctly, JBoss (4.2.2.GA) does seem to do this for us,
however OpenEJB doesn't at the moment - I don't actually know if this is
even supposed to work (or even whether it's part of any of the JEE spec -
I'll have to read up!).

I think I should probably have a look at WS-Security - I'd be very
interested in seeing a sample using OpenEJB/JAX-WS/WS-Security if you're
putting one together.



On Thu, Feb 19, 2009 at 12:48 PM, Jean-Louis MONTEIRO <> wrote:

> Hi Jonathan,
> It's a nice enhancement.
> I'm just trying to create samples using OpenEJB + JAX-WS (CXF) +
> WS-Security
> (UserToken, Signature, Encryption, ...).
> At first glance, I used WS-Security to secure web services. But your approach
> is quite interesting for me because my web service facade delegates to
> business EJBs (probably secured with @RolesAllowed ...).
> So I imagine I will have to authenticate the client.
> A first approach is to retrieve the login/password from the WS-Security
> UserToken and then perform an authentication (I don't know how at the
> moment).
> What is your opinion regarding authentication using common HTTP headers and
> using WS security?
> Kind regards,
> Jean-Louis
