How to secure web services on GlassFish 2?

We have some stateless EJBs (EJB3s) deployed on a GlassFish 2 server that expose some of their methods as web services through the @WebMethod annotation.

Now we want to protect these webservice methods so that only authenticated clients can call them. What would be a good way to achieve this?

+1
3 answers

As the good reverend said. The example below uses the file realm for authentication.

@Stateless
@WebService(name = "MyAppServices")
@RolesAllowed({"user"})
public class ItemEJB {
    ...
}

You will also need a sun-ejb-jar.xml, for example:

<sun-ejb-jar>
    <security-role-mapping>
        <!-- as defined in @RolesAllowed -->
        <role-name>user</role-name>
        <!-- glassfish group created in file realm -->
        <group-name>user</group-name>
    </security-role-mapping>
    <enterprise-beans>
        <ejb>
            <ejb-name>ItemEJB</ejb-name>
            <webservice-endpoint>
                <!-- equivalent to name attribute of @WebService -->
                <port-component-name>MyAppServices</port-component-name>
                <login-config>
                    <auth-method>BASIC</auth-method>
                    <realm>file</realm>
                </login-config>
            </webservice-endpoint>
        </ejb>
    </enterprise-beans>
</sun-ejb-jar>

+5
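
A client-side check of the setup in the answer above, as an added example that is not part of the original answers: a JAX-WS Dispatch client calls the endpoint first without and then with BASIC credentials. The namespace, endpoint URL, service and port QNames, the listItems operation and the WS_USER/WS_PASS environment variables are assumptions; an HTTPS URL is used because BASIC credentials are only base64-encoded on the wire.

```java
import java.io.StringReader;
import javax.xml.namespace.QName;
import javax.xml.transform.Source;
import javax.xml.transform.stream.StreamSource;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.Dispatch;
import javax.xml.ws.Service;
import javax.xml.ws.WebServiceException;
import javax.xml.ws.soap.SOAPBinding;

public class ItemClient {
    // Assumed values: take the real ones from the deployed service's WSDL.
    static final String NS = "http://example.invalid/items/";
    static final String ENDPOINT = "https://localhost:8181/ItemEJBService/ItemEJB";

    static Dispatch<Source> newDispatch() {
        QName service = new QName(NS, "ItemEJBService");
        QName port = new QName(NS, "MyAppServicesPort");
        Service svc = Service.create(service);
        svc.addPort(port, SOAPBinding.SOAP11HTTP_BINDING, ENDPOINT);
        return svc.createDispatch(port, Source.class, Service.Mode.PAYLOAD);
    }

    static Source request() {
        // Hypothetical no-argument operation "listItems".
        return new StreamSource(new StringReader("<ns:listItems xmlns:ns=\"" + NS + "\"/>"));
    }

    public static void main(String[] args) {
        // 1) No credentials: with BASIC login-config in place the call should fail (HTTP 401).
        try {
            newDispatch().invoke(request());
            System.out.println("WARNING: endpoint answered without authentication");
        } catch (WebServiceException e) {
            System.out.println("Call without credentials failed: " + e.getMessage());
        }

        // 2) Credentials of a file-realm user in group "user", read from the environment.
        Dispatch<Source> d = newDispatch();
        d.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, System.getenv("WS_USER"));
        d.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, System.getenv("WS_PASS"));
        Source reply = d.invoke(request());
        System.out.println("Authenticated call returned a reply: " + (reply != null));
    }
}
```

If the first call prints the warning, the login-config or the role mapping is not being applied to the endpoint.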

bean :

@Stateless
@RolesAllowed({"user", "employee", "admin"})
public class ItemEJB {
    ...
}

http://java.sun.com/developer/technicalArticles/J2EE/security_annotation/

+3

, ssl. :
1)
2) ( ), , - (- ) - .
.
3) , , . , , .
4) .
Thus, an unauthenticated client will not have a token to send.

+1

Source: https://habr.com/ru/post/1788384/

