
How to restrict access to everything but wsdl?

开发者 (Developer) https://www.devze.com 2023-04-02 10:01 Source: web
I have a webservice deployed under Tomcat 6, it works perfectly. Now I want to authenticate any client, but keep the wsdl in public access via a URL like http://localhost:8080/services/MyService?wsdl

I have tried to solve the problem this way (web.xml of webapp), but it doesn't work:

<!-- A url-pattern matches only the request path; the query string (?wsdl)
     is never part of it, so this constraint never matches any request.
     Also, role-name "*" means "any authenticated role", not "anyone":
     to permit anonymous access, leave out auth-constraint entirely. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>WSDL access - to anybody</web-resource-name>
        <url-pattern>/services/MyService?wsdl</url-pattern>
    </web-resource-collection>

    <auth-constraint><role-name>*</role-name></auth-constraint>
</security-constraint>

<!-- No http-method is listed, so this constraint covers every method,
     including the GET that fetches ?wsdl. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Some authentification required</web-resource-name>
        <url-pattern>/services/MyService</url-pattern>
    </web-resource-collection>

    <auth-constraint><role-name>somebody</role-name></auth-constraint>
</security-constraint>

The only solution I see for now is to create an additional servlet and give it the rights to access WSDLs. The servlet will pass the required wsdl to the client, no matter whether it is authenticated or not. The WSDL URL will not be obvious in this case, so I don't like the solution. Any other advice, please?


I had a similar problem and I've found the solution. Web service methods are invoked via POST, while the WSDL is fetched via GET. So the solution is to restrict only POST access.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Some authentification required</web-resource-name>
        <url-pattern>/services/MyService</url-pattern>
        <!-- Only POST is constrained; GET (the ?wsdl fetch) stays open. -->
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>somebody</role-name></auth-constraint>
</security-constraint>

I'm using WebSphere 7 with JAX-WS, but the web.xml configuration is the same for all containers and appservers.
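A caveat a reviewer would add to the POST-only constraint above: naming a single method leaves every other HTTP method on that path (HEAD, PUT, DELETE, OPTIONS, TRACE) unconstrained, so the container answers them without asking for credentials, which is the well-known uncovered-method gap in security constraints. The following web.xml fragment is an added example, not code from this thread or from any container vendor. It keeps GET public through an explicit constraint with no auth-constraint (so the ?wsdl fetch still works), protects every other method with http-method-omission, refuses anything a constraint leaves uncovered with deny-uncovered-http-methods, and forces TLS for the authenticated calls. It assumes a Servlet 3.1 container (Tomcat 8 or later; the question's Tomcat 6 is Servlet 2.5 and has neither element), an HTTPS connector already configured, the role name somebody from the answers, and BASIC authentication against a realm named MyService, which are all assumptions for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- GET on the endpoint (the ?wsdl and ?xsd=N fetches) is public:
       a constraint with NO auth-constraint permits unauthenticated access.
       Declaring it explicitly marks GET as "covered", so the
       deny-uncovered-http-methods switch below does not reject it. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>WSDL and schema (public)</web-resource-name>
      <url-pattern>/services/MyService</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
  </security-constraint>

  <!-- Every method except GET (POST for SOAP operations, but also HEAD,
       PUT, DELETE, OPTIONS, TRACE) requires an authenticated caller in
       the "somebody" role, and must arrive over TLS. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SOAP operations (authenticated)</web-resource-name>
      <url-pattern>/services/MyService</url-pattern>
      <http-method-omission>GET</http-method-omission>
    </web-resource-collection>
    <auth-constraint>
      <role-name>somebody</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- CONFIDENTIAL: the container redirects plain HTTP to the HTTPS connector -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Servlet 3.1: on any constrained url-pattern, a method that no
       constraint covers is denied instead of being served unchecked. -->
  <deny-uncovered-http-methods/>

  <!-- BASIC auth is only acceptable because the constrained methods are
       forced onto TLS above; the realm name is an assumption. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>MyService</realm-name>
  </login-config>

  <security-role>
    <role-name>somebody</role-name>
  </security-role>
</web-app>
```

On a Servlet 3.0 container (Tomcat 7) drop the deny-uncovered-http-methods element and keep the rest; http-method-omission already covers all non-GET methods there. To verify the deployment, request the endpoint once with GET ?wsdl (expect the document) and once with POST and no credentials (expect 401 or a redirect to HTTPS), then repeat the POST with the credentials of a user in the somebody role.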


You are trying to have transport-level security. If you try to secure your individual services with WS-Security, you can keep the WSDL open while the service is being secured.


I have an app set up this way. I have a login page that will authenticate the user with a userID and password. Only when a valid user logs in will they have access to data and pages. Any connection to the WSDL will not be affected, as it will be handled by the WSDL function calls.
