6 Replies Latest reply: Apr 1, 2010 9:55 AM by u8slawo RSS

    How to disable http for JAX-WS

    u8slawo
      Hi everybody,
      I am facing the problem that I want only https (In the form of one-way-ssl) to be enabled for a web service. In other words, I want to disable the http part.
      For JAX-RPC there used to be the WLHttpsTransport annotation or ant element but they are not available for JAX-WS.
      I know I could restrict the http access by providing a policy file but this is not exactly what I want.
      I don't want the service to report back to the client that some security constraint restricts the access to http. I want the server to report that this ressource is simply not available.
      Do you know of a way to do this?
      Cheers
      Slawo.
        • 1. Re: How to disable http for JAX-WS
          Jay SenSharma MiddlewareMagic
          Hi,

          You can add the following entry inside your *"web.xml"* ...

          <security-constraint>
          <web-resource-collection>
          <web-resource-name>app or resource name</web-resource-name>
          <url-pattern>/*</url-pattern> <!-- define all url
          <http-method>GET</http-method>
          <http-method>POST</http-method>
          </web-resource-collection>
          <font color=maroon>
          <user-data-constraint>
          *<transport-guarantee>CONFIDENTIAL</transport-guarantee>*
          </user-data-constraint>
          </font>
          </security-constraint>
          ----------------

          Above will force any Http request to be automatically be converted into HTTPS.


          .
          .
          Thanks
          Jay SenSharma
          http://jaysensharma.wordpress.com (WebLogic Wonders Are here)
          • 2. Re: How to disable http for JAX-WS
            u8slawo
            Thanks Jay SenSharma,
            this is exactly what I have been looking for.

            But one additional question arises:
            What if I don't have a web.xml file because I have the @Session annotation and use the web service as a bean inside an EJB context only?

            Cheers
            Slawo
            • 3. Re: How to disable http for JAX-WS
              sandeep_singh
              In that case use the below annotation:

              import weblogic.jws.security.UserDataConstraint;

              @WebService(name="SecurityHttpsPortType",
              serviceName="SecurityHttpsService",
              targetNamespace="http://example.org")

              @UserDataConstraint(
              transport=UserDataConstraint.Transport.CONFIDENTIAL)

              public class SecurityHttpsImpl {
              }

              Thanks,
              Sandeep
              • 4. Re: How to disable http for JAX-WS
                759546
                Hi Sandeep,
                I think this annotation is only allowed for JAX-RPC (See the title of this discussion topic.):

                [jwsc] (...)/SlawosWSBean.java 24:8
                [jwsc] [ERROR] - The annotation weblogic.jws.security.UserDataConstraint is not allowed on (...).SlawosWSBean because it is a JAX-WS type web service.
                [jwsc] (...)/SlawosWSBean.java 24:8
                [jwsc] [ERROR] - Only HTTP ports are supported for JAX-WS.
                [jwsc] (...)/SlawosWSBean.java 24:8
                [jwsc] [ERROR] - The annotation weblogic.jws.security.UserDataConstraint is not allowed on (...).SlawosWSBean because it is a JAX-WS type web service.

                So it won't work for me.
                Cheers
                Slawo.
                • 5. Re: How to disable http for JAX-WS
                  sandeep_singh
                  In that case you will have to use the policy files to enable the transport layer security for JAX-WS:
                  sample policy for securing JAX-WS over SSL provided by weblogic is : Wssp1.2-2007-Https.xml

                  These polices can be applied to the web methods using @Policies and @policy annotations.

                  thanks,
                  Sandeep
                  • 6. Re: How to disable http for JAX-WS
                    u8slawo
                    ... which I already knew as I have written in my first opening posting.
                    But anyway, thanks for your answer.
                    Slawo.